HITRUST vs HIPAA: What You Need to Know

In Security by Nikola TodevLeave a Comment

 HITRUST vs HIPAA: What You Need to Know

Security rules surrounding the healthcare industry and its technology can seem overwhelmingly complicated and strict, but the Health Information Trust Alliance (HITRUST) is becoming a viable and simplified option for both vendors and covered entities. Even with HITRUST, healthcare providers still have some questions. What exactly is HITRUST, how does it differ from HIPAA, and how can healthcare organizations leverage this framework?

The Health Information Trust Alliance is the organization that created and maintains ongoing changes to the Common Security Framework (CSF). HITRUST is responsible for the effort to bring a certifiable, universal framework that includes all HIPAA, PCI, ISO, and NIST compliance regulations.

What is HITRUST?

The HITRUST CSF is a healthcare cybersecurity framework that includes both federal and state regulations. The goal for HITRUST’s cybersecurity framework is to set a comprehensive baseline for healthcare security controls. Creating a normalized and universally recognized framework, HITRUST provides organizations with clarity and consistency for compliance with healthcare security requirements.

Organizations can become HITRUST-certified by having a third-party auditor come onsite to validate the use of specific controls; those controls may vary based on the company’s size and complexity, and include requirements such as proper access control, security policy, asset management, incident management, and business continuity management.

With ongoing improvements, the HITRUST CSF has become the most popular and widely adopted security framework in the U.S. healthcare industry. It’s important for the healthcare industry to understand the difference between HITRUST and the Health Insurance Portability and Accountability Act (HIPAA) as they are closely related, but not interchangeable.


By now, the healthcare industry is familiar with HIPAA regulations and their purpose—to ensure confidentially, integrity, and availability of any data created, received, maintained, or transmitted, while simultaneously protecting data against threats. For six years in a row, data breaches in the healthcare industry have increased in frequency, impact, and cost. That said, it’s clear that HIPAA is a regulatory baseline for data protection, but does not offer comprehensive security for today’s evolving threats.

The rise in breaches are, in part, due to HIPAA’s unclear standards on appropriate protections of data and devices that contain sensitive data. Organizations implement controls that are insufficient and don’t adequately link to applicable risk assessments because of HIPAA’s vague guidelines. Organizations rarely have the internal expertise and oversight to cover all of HIPAA’s required and “optional” measures. However, HITRUST closes the gap and provides clear standards for data protection.

“Within the HIPAA Security Rule, certain specifications are required and others are addressable. An organization can choose not to implement addressable specifications if there is a valid business reason, says Joe McDermott, a HITRUST technical lead with Schellman.

HITRUST CSF was developed in conjunction with healthcare employees to address their needs. It aids organizations by providing an efficient framework for logical and physical security needs that go beyond  HIPAA compliance. The HITRUST CSF integrates many existing requirements from HIPAA and other data protection frameworks to create a universal protection standard void of any inconsistencies. HIPAA is still a valuable tool and should not be ignored, but HITRUST is prescriptive approach to meeting HIPAA security requirements.

 HITRUST vs HIPAA: What You Need to Know

Benefits of a HITRUST-Certification

Despite claims, there is no such thing as a HIPAA certification. No formal process or certification exists today. However, it is possible to become HITRUST certified. Through a third-party assessment, HITRUST can verify your organization has met all industry-defined certification requirements of the CSF certification offers your organization multiple benefits. Choosing an IT provider that is HITRUST certified allows you to offload the responsibilities and cost of becoming certified, while letting you take advantage of best-in-class security measures—including policies, procedures, and technology.

With a certified IT provider, your organization saves time and money in preparation for an audit. The audit process is simplified, since you’ll already have much of the documentation and reports need to prove your compliance efforts.

The Takeaway

The increase in data breaches throughout the healthcare industry has given rise to new concerns over compliance and regulations—and for good reason. HIPAA regulations describe essential practices for protecting sensitive data, but without the ability to become ‘HIPAA certified,’ organizations must guess on HIPAA compliance. To a degree, the lack of an industry-standard cybersecurity framework leaves the choice and extent of data cybersecurity measures up to the covered entity (CE) and (BA) business associate.

HITRUST CSF provides organizations with a universal, industry-designed cybersecurity framework to eliminate any confusion over regulations and compliance issues. Through the incorporation of various other frameworks, the HITRUST CSF offers comprehensive data protection. Choosing a HITRUST-certified IT provider delivers peace of mind needed when handling sensitive data.

Additional Resources on This Topic:

Understanding and Leveraging the CSF
HIPAA vs. HITRUST CSF-Which Makes Sense for My Organization
HITRUST Certification—Is Your Client Requesting It?

Photo Credit: DelphHealf Flickr via Compfight cc

This article was first published on OnRamp.

Nikola Todev has more than 18 years of experience leading infrastructure and security design, as well as operations for high performance financial and telco services. He is in charge of OnRamp’s information security strategy, practices, and implementation.

Leave a Comment