HIPAA vs. HITRUST: The Key Variations
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that addresses regulatory compliance for healthcare organizations. HIPAA sets the standard for protecting sensitive patient data and applies to any company that handles protected health information (PHI).
HIPAA requires healthcare organizations and their business associates to implement administrative, physical, and technical safeguards that preserve the privacy, availability, and integrity of PHI and electronic PHI (ePHI). HIPAA incorporates requirements from several industry standards and federal regulations, including, but not limited to, ISO, NIST, and PCI DSS.
This can make complying with HIPAA a struggle, since in practice it is a collection of security controls drawn from many other frameworks. HIPAA privacy and security compliance is strictly enforced by the Office for Civil Rights (OCR), and a violation can result in substantial penalties.
What is HITRUST?
HITRUST, short for the Health Information Trust Alliance, is a not-for-profit organization founded in 2007 that was originally established to help safeguard sensitive information such as ePHI.
It was built to give the healthcare industry an additional option for addressing information risk management across a range of third-party assurance assessments.
To assist further, HITRUST established the HITRUST Common Security Framework (CSF). The CSF is a prescriptive set of requirements that harmonizes multiple standards, including ISO, NIST, PCI DSS and, of course, HIPAA, among others. Essentially, it attempts to fill any gaps that these regulations might not address.
The HITRUST CSF was developed to help healthcare companies and their partners achieve HIPAA compliance more easily and efficiently. In healthcare specifically, the HITRUST CSF provides organizations with a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.
What’s the Difference Between HIPAA and HITRUST?
Both HITRUST and HIPAA address regulatory compliance for healthcare organizations, so they are often thought to be interchangeable. However, there are key differences between the two.
HIPAA is a U.S. law that includes a set of safeguards that covered entities and business associates must follow to protect sensitive health data. HITRUST CSF is a certifiable security and privacy framework with a list of prescriptive controls that an organization can use to help meet the legal requirements of HIPAA and demonstrate HIPAA compliance.
All in all, HITRUST does not replace HIPAA, but it can provide measurable criteria and objectives for applying the appropriate technical, administrative, and physical safeguards to health information.