In previous articles, we’ve covered what HITRUST is and how to get HITRUST certified, but one very frequent question is, “What’s the difference between HIPAA vs HITRUST?”
While they both relate to information security, and HITRUST initially began as part of HIPAA, they’re very different concepts. Let’s dive in.
What Is the Difference Between HIPAA vs HITRUST?
HIPAA deals specifically, and only, with the handling of protected health information (PHI) and is only applicable to covered entities (providers, insurance companies, etc.) and their business partners.
HITRUST initially began as a healthcare industry control, attempting to fill gaps left by HIPAA protocols. However, it has expanded beyond that to be a flexible tool that measures the security posture of a company of any size, in any industry.
Simply put, the main difference between HIPAA and HITRUST is that HIPAA is a regulatory framework that applies only to healthcare, whereas HITRUST is a standardized information security assessment and certification that applies to all industries and markets.
HIPAA
HIPAA is a series of regulatory standards that outlines the permitted use and disclosure of PHI. It makes the protection of your PHI a civil right.
An organization can perform a HIPAA self-assessment to demonstrate compliance; however, having an impartial third party conduct the audit and provide a report grants a much greater assurance of compliance to business partners and regulating agencies. During a HIPAA compliance assessment, the third-party auditor determines whether you are compliant with HIPAA requirements, generally with respect to the HIPAA security, breach notification, and privacy rules.
After any HIPAA gaps identified as a result of the audit are remediated, an organization should be HIPAA compliant.
HITRUST
HITRUST provides an industry-agnostic information security framework that allows for validation assessment and certification. It combines the security frameworks of HIPAA, NIST, PCI, CMMC, and ISO, along with its own unique framework that includes industry best practices. Depending on your choice of assessment and your selection of controls, your examination can validate as much as you need.
In other words, HITRUST incorporates dozens of control frameworks into a standardized and consistent set of controls, which can address the majority of information security concerns for the majority of environments and industries.
HITRUST has a variety of programs for smaller firms and startup or venture-backed organizations, which can reduce the cost of getting certification. For these higher-risk companies, HITRUST certification can provide a competitive edge that helps grow the business.
Depending on the certification, HITRUST lasts one or two years and provides validation that confirms your business’ security posture, processes, and the successful implementation of controls to protect data and data subjects.
HITRUST vs HIPAA in Healthcare
PHI is some of the most personal, private, and sensitive information processed about individuals. Safeguarding it is not just an ethical and business necessity; it is a legal requirement. While approaches to this vary, HIPAA is the law of the land.
The following are national, international, and state regulations that apply to the healthcare industry:
Trying to make sure you are compliant with all of these regulations takes a lot of time and money. It can be difficult to know where to focus efforts and challenging to know when enough has been done.
HITRUST has historically had a healthcare focus, but the newest iterations of the Common Security Framework (CSF) have become much more general and comprehensive. Of the 35+ frameworks used to build the HITRUST CSF, only a few are specifically aimed at healthcare.
With the ability to scope your controls, HITRUST can be applicable to virtually any market, audience, or product. HITRUST can be used for healthcare, but it can also be used to demonstrate a commitment to information security for any organization.
If I’m HIPAA Compliant, Do I Still Need HITRUST Certification?
HIPAA, while comprehensive in the protection of a subset of assets, can be narrow in scope. A significant subset of the HIPAA security rule controls that apply to non-provider organizations aren’t enforced, except as a result of a breach. This leaves gaps in information security protocols, which may cause damage to partner and customer trust.
HITRUST certification can be used to address those gaps, and other specific security concerns, and the results of a HITRUST assessment can be used to further strengthen your security posture.
Prove Your Commitment to Security with Linford & Co
Contact us to further discuss how Linford & Co can help your organization gain HITRUST certification or meet your HIPAA audit and compliance needs.
This article was originally published on 9/15/2020 and was updated on 5/24/2023.
Brian has over 2 decades of experience in System Administration and Information Security, having worked at all levels of Government (City, County, State, and Federal) and with companies ranging from startup to Fortune-20. He transitioned to auditing in 2018 and has delivered audits and attestations as varied as SOC 1 and 2, HITRUST, FISMA, FERPA, PCI, CSA STAR, and HIPAA. With Linford & Co, he focuses primarily on HITRUST and SOC 2.