Many organizations know that they need to operate in line with HIPAA to protect sensitive data but they have also heard about HITRUST CSF certification. As the next step in their data security and compliance journey, customers often ask us about becoming HITRUST certified. Ostendio has extensive experience helping many companies build their data security and risk management programs in line with over 100 standards and regulations, including HITRUST. Let’s look at the differences between HITRUST and HIPAA and what’s right for your business.
HITRUST Certification started as a framework for the healthcare industry and has now expanded to include other regulated industries. Continual changes to cybersecurity, cloud technology, regulations, and other factors can make the road to achieving HITRUST Certification seem like an arduous journey.
Many small and midsized companies struggle with understanding the framework and with building a security and compliance program that satisfies potentially hundreds of HITRUST control requirements. As the security landscape becomes more complex, staying secure and compliant is becoming increasingly difficult.
Structurally, the HITRUST CSF contains 14 control categories, comprising 49 control objectives and 156 control specifications (version 9.4), which need to be met in order for a company to obtain certification. The number of additional controls which need to be met depends on a number of factors, including geographical location, company size, and annual revenue.
HITRUST requires clients to use its software application, myCSF, to complete the certification process. The application is broadly a static document repository used to upload and cross-reference your collected evidence so it can be reviewed by an accredited HITRUST assessor.
One of the major differences between HIPAA and HITRUST is that HIPAA is a Federal law, whereas HITRUST is a framework. HITRUST integrates the requirements of the HIPAA Security Rule in its framework, along with other controls.
Another difference between the two is that HIPAA has defined penalties for security breaches whereas HITRUST does not. The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and for fining companies for data breaches as appropriate. HITRUST is a commercial framework, so failure to meet the required standard carries no direct federal liability. Consequences, if any, are limited to the contractual or commercial drivers that initiated the requirement for HITRUST certification (e.g. a customer may decline to purchase services).
Are you considering HITRUST Certification but not sure where to begin? Contact us for a complimentary meeting with one of our security and compliance consultants who will answer all of your HITRUST questions.