What is the difference between HIPAA and HITRUST?

HIPAA, or the Health Insurance Portability and Accountability Act, is a well-known acronym in the healthcare industry. It’s a law protecting patient medical records including a privacy right identifying who has access to protected health information (PHI). Healthcare workers are legally bound to meet HIPAA regulations, and patients routinely see paperwork educating them on HIPAA compliance and their rights when it comes to the protection of their personal information. In short, HIPAA is everywhere.

HITRUST, on the other hand, isn’t the well-known healthcare acronym that HIPAA is. The Health Information Trust Alliance (HITRUST) is also not a law. While HIPAA is a federal act that sets compliance standards, HITRUST is an organization that has established a common security framework (CSF) to help companies reach HIPAA standards and beyond. The HITRUST CSF is certifiable and brings together several compliance frameworks like HIPAA, NIST, PSI, and ISO. This certifiability is the difference between HITRUST and being HIPAA compliant.

HIPAA includes physical, technical, and administrative safeguards which outline the policies, procedures, and requirements that healthcare entities must adhere to. HIPAA compliance, although punishable by law if not followed, can be difficult to track and enforce. In fact, in the past, healthcare organizations were  simply expected to sign a form stating they’d taken the right measures to put data security controls into place to protect PHI. Although HIPAA enforcement laws have since improved, it’s still arguably a risk assessment process in which a standard is subjectively deemed as met or not.

HITRUST certification demands more objectivity. In fact, the CSF framework and HITRUST assessment and certification have 19 different domains that are necessary to address:

  1. Healthcare Data Protection & Privacy
  2. Information Protection
  3. Wireless Protection
  4. Transmission Protection
  5. Network Protection
  6. Endpoint Protection
  7. Portable Media Security
  8. Mobile Device Security
  9. Third Party Security
  10. Physical & Environmental Security
  11. Configuration Management
  12. Vulnerability Management
  13. Password Management
  14. Incident Management
  15. Risk Management
  16. Access Control
  17. Audit Logging & Monitoring
  18. Education, Training & Awareness
  19. Business Continuity Management & Disaster Recovery

The HITRUST CSF provides a comprehensive risk management framework optimized specifically for the healthcare industry, including mapping of the required implementation specifications from the HIPAA Security Rule. For organizations with specific risk factors, the HITRUST CSF provides a solution that addresses the additional required controls to meet compliance.

By integrating controls from several applicable frameworks and best practice standards, along with tailoring the requirements specifically to the needs of healthcare organizations, HITRUST speaks to most of an organization’s risk analysis, one of the tenet requirements of HIPAA, and one of the most often cited issues in audits conducted by the Office for Civil Rights (OCR).

As noted by HITRUST Alliance, healthcare professionals can use HITRUST for direction on relevant industry security and privacy issues, as well as for specific information about how to integrate an organizational information protection program.

Feel like you need more clarity on the difference between HIPAA and HITRUST? We can help.  As a leading medical data management firm offering HealthData Archiver®, a long-term PHI storage solution, Harmony Healthcare IT knows how to navigate risk analysis.

Jul 25 2019

Ready to learn more?

Contact us today to learn more about our healthcare data management solutions.

First Name *
Last Name *
Email *

Healthcare IT tips, guides, news & more delivered to your inbox

Sign me up