HIPAA & HITRUST Compliance – The Difference Explained

HIPAA (Health Insurance Portability and Accountability Act of 1996) isn't just another acronym, it is a U.S. law. HIPAA oversees the privacy and security of protected health information (PHI). PHI includes all personal identifiers: names, telephone numbers, license plates, etc. 

HIPAA only applies to certain organizations, or what it calls “covered entities” and their business associates. 

Here are some examples:

• Health insurers (health insurance companies, company health plans, etc.)
• Healthcare providers (doctors, clinics, dentists, chiropractors, pharmacies, etc.)
• Healthcare clearinghouses (entities that process nonstandard health information which they receive from another entity into a standard format)

Essentially, if the organization/entity handles PHI, you're going to need to be HIPAA compliant. Why? Because HIPAA is enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), there are steep penalties for violations. The law contains three rules: Privacy, Security, and Breach Notification Rules. Together, they protect and give individuals rights to their health information.

HIPAA is the law. If your organization or website handles sales in the healthcare sector, then your site or online store must be HIPAA compliant. Failure to do so could result in hefty fines and irreparable damage to your reputation.

There’s no certification body for HIPAA. As such, it isn’t auditable or certifiable unless you retain a certified public accountant (CPA) that specializes in SOC 2 + HIPAA audits to evaluate your systems. While the OCR does enforce the law and penalize organizations for noncompliance, it doesn’t hand out certifications.

Covered entities and their business associates are expected to follow HIPAA’s privacy, security, and breach notification rules. That said, the law’s security rule includes an evaluation standard that requires organizations to perform periodic technical and nontechnical evaluations to ensure compliance. 

Health Information Trust Alliance (HITRUST) created its own cybersecurity standard to help organizations manage information risk, data and compliance. You may know it as HITRUST CSF (Common Security Framework).

HITRUST takes other standards like HIPAA, PCI DSS, GDPR, and more, to formulate their comprehensive audit to ensure compliance is met and the integrity of personal data is not compromised and is fully protected. 

HITRUST specializes in healthcare organizations. 

HITRUST CSF Framework

HITRUST CSF has a number of benefits:

1) the framework includes requirements from key standards and regulations, and it can simplify future compliance efforts. 

2) HITRUST offers measurable criteria and objectives for applying appropriate administrative, technical and physical safeguards that are also covered by HIPAA. By being HITRUST compliant, an organization can definitely prove it has met some HIPAA-mandated requirements

It’s important to note that HITRUST doesn’t replace HIPAA. Remember, HIPAA is the law. However, it is widely accepted as a good approach for evaluating risk.

To become compliant, you have to purchase access to HITRUST’s MyCSF portal. This is done by completing a self-assessment, and then HITRUST provides you with the controls. Once the controls are implemented, the HITRUST assessor will begin the audit. The final step is the HITRUST Alliance certifies the assessment in question, and if it passes the audit, the official HITRUST certification is issued. 

One is a law (HIPAA), while the other is a security standard HITRUST). 

The Health Information Trust Alliance (HITRUST) is a security framework for online stores and other websites that deal with healthcare sales. Meeting the guidelines set out by the framework ensures that relevant businesses are compliant with rules governing the access and protection of patient data. Compliance is just one benefit of following the HITRUST framework. Online stores benefit from having a strong security framework to ensure valued customer information is safe and private.

The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation governing the way companies protect patient data. Failure to comply with these regulations can lead to fines and possible lawsuits.

HITRUST is an organized attempt to standardize how companies secure protected health information (PHI). Using the HITRUST security framework helps online stores ensure they’re HIPAA and PCI-compliant by safeguarding the sensitive personal data that gets collected throughout the purchase cycle.

If your online store deals with PHI, there isn’t a stronger or more tested security schema to follow as you move forward, making your business HIPAA compliant.

You may not know that if you're PCI compliant, you could be ready for a HITRUST audit. The ultimate goal is to protect the sensitive information your online store/website collects about your customers. 

HITRUST compliance requires:

Securing mobile devices of employees with access data to the data

Controlling who can access what information and when

Requiring a strong password creation program to protect access

Implementing extra security measures like encryption, firewalls, antivirus programs, etc.

Strong security policies for mitigating risk and troubleshooting data breaches quickly and thoroughly

The ability to remotely wipe data from employee devices in case of a breach or the employee is having their employment terminated either voluntarily or involuntarily.

Having a strong security framework like HITRUST is a wise business decision.

HITRUST certification requires an assessment of your online store. A third-party auditor is hired to verify the online store/website meets the compliance guidelines. Both HITRUST and the auditor review your assessment. If all requirements are met, your online store/website will be HITRUST-certified.

Yes, for proper HITRUST compliance, it is highly recommended for a refreshed NIST SP 800-53 revision 4 mappings and the inclusion of NIST SP 800-53 revision 4 as a selectable compliance factor. Your assigned specialist can provide these for you.