November 11, 2019


Grant Barrick

Vice President of Marketing

Healthcare is complex and can seem overwhelming, but it doesn’t have to be. Whether you’re an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That’s where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

What does HITRUST mean?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization composed of healthcare industry leaders who regard information security as a fundamental component of data systems and exchanges.

The HITRUST organization, in partnership with other technology and information security leaders, created and maintains the Common Security Framework (CSF). HITRUST is not a new set of standards. The HITRUST CSF® is a system that helps organizations comply with HIPAA and other regulations such as PCI, NIST, and ICO through a detailed, yet flexible and efficient, approach to regulatory and compliance management. The most widely used security framework in the U.S. healthcare industry today, the HITRUST CSF is continually updated and improved. An interim release of HITRUST CSF v9.1 will incorporate the EU General Data Protection Regulation (GDPR) and map the CSF’s privacy and security requirements to the AICPA Trust Services Criteria for Privacy, according to the HITRUST Alliance.

What does HIPAA mean?

The Health Insurance Portability and Accountability Act (HIPAA) is a United States federal law that was signed into law in August 1996. In 2013, HIPAA was expanded with the HIPAA Omnibus Rule to implement additional provisions in accordance with the HITECH Act. HIPAA outlines requirements for healthcare organizations and their business associates related to ensuring the security of sensitive patient data.

What is the HITRUST Common Security Framework?

The HITRUST CSF maps the CSF controls to specific HIPAA standards and specifications. Many specifications are mapped to multiple CSF controls. Each CSF control has multiple levels with varying requirements, so that organizations can implement the most relevant requirements for each control based on systems, organizational considerations, and regulatory risk factors.

Organizations wanting to comply with HITRUST have three options, known as Degrees of Assurance:

  • Self-Assessment: Companies can perform a self-assessment using the myCSF tool. This assessment helps to identify areas in compliance with HITRUST as well as areas for improvement.

  • CSF Validated: This is a step often taken after an organization has completed the self-assessment and implemented corrective actions to rectify any non-compliance issues identified. A third-party, HITRUST-approved CSF Assessor verifies the information gathered through the assessment with an onsite visit. HITRUST issues a Validated Report after reviewing the validated assessment.

  • CSF Certified: This Degree of Assurance requires the most time and effort. It’s a step above CSF Validated, with HITRUST reviewing and certifying the organization’s information and the CSF Assessor’s validation, after which a HITRUST CSF Certification is granted for a period of two years.

What is the difference between HITRUST and HIPAA?

HITRUST and HIPAA are two hot topics in healthcare, but what is the difference?

  • HITRUST builds on HIPAA. It takes HIPAA, a non-standardized and non-prescriptive compliance framework, and creates a standardized compliance framework, assessment, and certification process for the healthcare industry.
  • HITRUST “harmonizes” HIPAA with other compliance frameworks such as PCI and NIST. HITRUST also adapts the requirements for certification to the risks of an organization based on organizational, system, and regulatory factors.
  • Unlike HIPAA, which has defined penalties for security breaches, enforcement of HITRUST depends on the healthcare industry itself: covered entities such as hospitals and payers require HITRUST CSF Certification of their vendors.
  • Having been through both HIPAA audits and a Certified CSF Assessment, we can safely say that HITRUST CSF Certification is a much more rigorous process than a HIPAA audit, with a higher burden of proof placed on the organization seeking certification.
  • Achieving HITRUST CSF Certification requires significantly more time, effort, and resources than a HIPAA audit. Being HITRUST CSF Certified should be seen as a more significant badge of security and compliance than completing a HIPAA audit.

HITRUST vs. HIPAA is not an either-or consideration. HIPAA is a set of standards, and the HITRUST CSF provides a prescriptive set of controls that meet the requirements not only of HIPAA but also of other security standards such as PCI and NIST. As such, HITRUST is a valuable resource for risk management and compliance for organizations that handle sensitive data. Rather than a HITRUST vs. HIPAA scenario, the two go hand in hand.

It’s not possible for healthcare organizations to become HIPAA-certified, as there is no official certification process or accreditation. An external audit is the best way to ensure HIPAA compliance. When partnering with third-party organizations, covered entities have business associates sign a Business Associate Agreement that’s essentially a promise that they’ve implemented the right security controls to protect sensitive data. As a certifiable framework with controls mapped to every HIPAA standard and specification, HITRUST CSF Certification provides a more reliable and consistent way for covered entities to ensure that their business associates are, in fact, compliant. Several major healthcare payers already require their business associates to comply with the HITRUST CSF. Certification adds a dose of confidence and a layer of trust.

Why is HITRUST important?

Why does HITRUST matter? As healthcare becomes increasingly dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to demonstrate that they are a trusted business partner.

With all considerations, isn’t it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology bring great value to our customers.

For more information on HITRUST, check out the Datica Academy or Datica Blog. Additional questions? Contact one of our experts today.
