What is the HITRUST Common Security Framework (CSF)?

According to HITRUST: “The HITRUST CSF is a framework that normalizes security and privacy requirements for organizations, including federal legislation (e.g., HIPAA), federal agency rules and guidance (e.g., NIST), state legislation (e.g., California Consumer Privacy Act), international regulation (e.g., GDPR), and industry frameworks (e.g., PCI, COBIT). It simplifies the myriad requirements by providing a single-source solution tailored to the organization’s needs. The CSF is the only framework built to provide scalable security and privacy requirements based on the different risks and exposures of each unique organization.”

What Is the Difference Between HIPAA & HITRUST?

One of the main differences between HIPAA and HITRUST is that HIPAA is a regulatory framework, and an organization cannot become “HIPAA certified.”

How Does a Readiness Assessment Work Compared to An Actual Assessment?

The readiness assessment is designed to help evaluate how closely an organization’s control environment aligns with the HITRUST CSF. There is no certification available with a readiness assessment.

What Is the Benefit of HITRUST? Why Get a HITRUST Certification?

Reassure Your Clients and Customers; Simplify Your Audit Process; Pick a Framework That Matches YOUR Business; Get BETTER!; and Stop Guessing.

How Do I Get HITRUST Certified?

The essence of the process is simple and mostly traditional, you can start with a readiness assessment, either guided by your audit firm or with your internal teams, and move forward with a validated assessment by engaging HITRUST and an external firm authorized to validate assessments.

Is HITRUST Only for Healthcare?

HITRUST has historically had a healthcare focus, but the last iterations of the CSF have moved to be much more general and comprehensive.

What is HITRUST vs HIPAA? Understanding the Differences

Q: So - What Does HITRUST Get Me That HIPAA Doesn’t?

HITRUST offers a certification and a validated assessment. Depending on the certification, it lasts one or two years, and allows your organization to say “It’s not just us telling you we’re doing it right, an external assessor and HITRUST have validated this.” HIPAA, while comprehensive in the protection of a subset of assets, can be narrow in scope and a significant subset of the HIPAA security rule controls that apply to non-provider organizations aren’t “enforced” except as a result of a breach, if at all. HITRUST provides a time-bound, validated, comprehensive assurance to you, your executives, and your customers.

In previous articles, we’ve covered what HITRUST is and how to get HITRUST certified, but one very frequent question is, “What’s the difference between HIPAA vs HITRUST?”

While they both relate to information security, and HITRUST initially began as part of HIPAA, they’re very different concepts. Let’s dive in.

What Is the Difference Between HIPAA vs HITRUST?

HIPAA deals specifically, and only, with the handling of protected health information (PHI) and is only applicable to covered entities (providers, insurance companies, etc.) and their business partners.

HITRUST initially began as a healthcare industry control, attempting to fill gaps left by HIPAA protocols. However, it’s expanded beyond that to be a flexible tool that measures the security posture of any sized company, in any industry.

Simply put, the main difference between HIPAA and HITRUST is that HIPAA is a regulatory framework that applies only to healthcare, whereas HITRUST is a standardized information security assessment and certification that applies to all industries and markets.

HIPAA

HIPAA is a series of regulatory standards that outlines the permitted use and disclosure of PHI. It makes the protection of your PHI a civil right.

An organization can perform a HIPAA self-assessment to demonstrate compliance, however, having an impartial third party conduct the audit and provide a report grants a much greater assurance of compliance to business partners and regulating agencies. During a HIPAA compliance assessment, the third-party auditor will determine if you are compliant with HIPAA requirements, generally regarding HIPAA security, breach notification, and privacy rules.

After any HIPAA gaps identified as a result of the audit are remediated, an organization should be HIPAA compliant.

HITRUST

HITRUST provides an industry-agnostic information security framework that allows for validation assessment and certification. It combines the security frameworks of HIPAA, NIST, PCI, CMMC, and ISO, along with its own unique framework that includes industry best practices. Depending on your choice of assessment and your selection of controls, your examination can validate as much as you need.

In other words, HITRUST incorporates dozens of control frameworks into a standardized and consistent set of controls, which can address the majority of information security concerns for the majority of environments and industries.

HITRUST has a variety of programs for smaller firms and startup or venture-backed organizations, which can reduce the cost of getting certification. For these higher-risk companies, HITRUST certification can provide a competitive edge that helps grow the business.

Depending on the certification, HITRUST lasts one or two years and provides validation that confirms your business’ security posture, processes, and the successful implementation of controls to protect data and data subjects.

HITRUST vs HIPAA in Healthcare

PHI is some of the most personal, private, and sensitive information processed in regard to people. Safeguarding it is not just an ethical and business necessity, it’s a legal requirement. While approaches to this vary, HIPAA is the law of the land.

The following are national, international, and state regulations that apply to the healthcare industry:

Trying to make sure you are compliant with all of these regulations takes a lot of time and money. It can be difficult to know where to focus efforts and challenging to know when enough has been done.

HITRUST has historically had a healthcare focus, but the newest iterations of the common security framework (CSF) have moved to be much more general and comprehensive. Of the 35+ frameworks utilized to build the HITRUST CSF, only a few are specifically aimed at healthcare.

With the ability to scope your controls, HITRUST can be applicable to virtually any market, audience, or product. HITRUST can be used for healthcare, but it can also be used to demonstrate a commitment to information security for any organization.

If I’m HIPAA Compliant, Do I Still Need HITRUST Certification?

HIPAA, while comprehensive in the protection of a subset of assets, can be narrow in scope. A significant subset of the HIPAA security rule controls that apply to non-provider organizations aren’t enforced, except as a result of a breach. This leaves gaps in information security protocols, which may cause damage to partner and customer trust.

HITRUST certification can be used to address those gaps, and other specific security concerns, and the results of a HITRUST assessment can be used to further strengthen your security posture.

Prove Your Commitment to Security with Linford & Co

Contact us to further discuss how Linford & Co can help your organization gain HITRUST certification or meet your HIPAA audit and compliance needs.

This article was originally published on 9/15/2020 and was updated on 5/24/2023.

Brian Sandenaw

Brian has over 2 decades of experience in System Administration and Information Security, having worked at all levels of Government (City, County, State, and Federal) and with companies ranging from startup to Fortune-20. He transitioned to auditing in 2018 and has delivered audits and attestations as varied as SOC 1 and 2, HITRUST, FISMA, FERPA, PCI, CSA-star and HIPAA. With Linford and Co, he focuses primarily on HITRUST and SOC 2.