HIPAA & HITRUST Compliance – The Difference Explained


Proper navigation through these compliance directives is vital to your business and future growth. Improper execution can lead to fines, bad press, and possible shutdown.

HIPAA vs. HITRUST: Purpose

HIPAA’s purpose is to ensure that covered entities protect PHI and notify individuals if their information is breached.

“The HITRUST Approach provides organizations a comprehensive information risk management and compliance program to provide an integrated approach that ensures all programs are aligned, maintained and comprehensive to support an organization’s information risk management and compliance objectives.”

HITRUST focuses on mitigating the information risks facing an organization. It also enables businesses to provide their customers with different degrees of assurance through self-assessment, CSF validation, and finally, CSF certification.


Estimating costs is complicated for any security framework because there are so many variables to consider. In general, the smaller and more sophisticated your organization is, the fewer variables will need auditing, which keeps your costs low.

HIPAA vs. HITRUST: Noncompliance Penalties

HIPAA penalties can be quite steep, depending on the violation. HITRUST doesn't have penalties unless you fail an audit, wherein your HITRUST accreditation would be lost.

Similarities Between HIPAA vs. HITRUST

HIPAA and HITRUST are both relevant to the healthcare industry, and HITRUST controls cover requirements from HIPAA’s Security Rule.

What Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) isn't just another acronym; it is a U.S. law. HIPAA governs the privacy and security of protected health information (PHI). PHI includes all personal identifiers: names, telephone numbers, license plates, etc.

HIPAA only applies to certain organizations, which it calls “covered entities,” and to their business associates.

Here are some examples:

  • Health insurers (health insurance companies, company health plans, etc.)
  • Healthcare providers (doctors, clinics, dentists, chiropractors, pharmacies, etc.)
  • Healthcare clearinghouses (entities that process nonstandard health information which they receive from another entity into a standard format)

Essentially, if the organization or entity handles PHI, it needs to be HIPAA compliant. Why? Because HIPAA is enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), and violations carry steep penalties. The law contains three rules: the Privacy, Security, and Breach Notification Rules. Together, they protect individuals’ health information and give individuals rights over it.

Why Choose HIPAA?

HIPAA is the law. If your organization or website handles sales in the healthcare sector, then your site or online store must be HIPAA compliant. Failure to do so could result in hefty fines and irreparable damage to your reputation.

What is the Process of HIPAA Certification?

There’s no certification body for HIPAA. As such, it isn’t auditable or certifiable unless you retain a certified public accountant (CPA) that specializes in SOC 2 + HIPAA audits to evaluate your systems. While the OCR does enforce the law and penalize organizations for noncompliance, it doesn’t hand out certifications.

Covered entities and their business associates are expected to follow HIPAA’s Privacy, Security, and Breach Notification Rules. In addition, the law’s Security Rule includes an evaluation standard that requires organizations to perform periodic technical and nontechnical evaluations to ensure compliance.


The Health Information Trust Alliance (HITRUST) created its own cybersecurity standard to help organizations manage information risk, data, and compliance. You may know it as the HITRUST CSF (Common Security Framework).

HITRUST draws on other standards, such as HIPAA, PCI DSS, and GDPR, to formulate a comprehensive audit that ensures compliance is met and that personal data is fully protected and its integrity is not compromised.

HITRUST specializes in healthcare organizations.


Why Should HITRUST Be Used?

HITRUST CSF has a number of benefits:

1) The framework includes requirements from key standards and regulations, and it can simplify future compliance efforts.

2) HITRUST offers measurable criteria and objectives for applying appropriate administrative, technical, and physical safeguards that are also covered by HIPAA. By being HITRUST compliant, an organization can definitively prove it has met some HIPAA-mandated requirements.

It’s important to note that HITRUST doesn’t replace HIPAA. Remember, HIPAA is the law. However, HITRUST is widely accepted as a good approach for evaluating risk.

What is the Process of HITRUST Certification?

To become compliant, you first purchase access to HITRUST’s MyCSF portal. You then complete a self-assessment, and HITRUST provides you with the controls. Once the controls are implemented, the HITRUST assessor begins the audit. In the final step, the HITRUST Alliance reviews the assessment in question, and if it passes the audit, the official HITRUST certification is issued.

What are the Differences Between HIPAA vs HITRUST?

One is a law (HIPAA), while the other is a security standard (HITRUST).

What is HITRUST Compliance?

The Health Information Trust Alliance (HITRUST) publishes a security framework for online stores and other websites that deal with healthcare sales. Meeting the guidelines set out by the framework ensures that relevant businesses are compliant with the rules governing access to and protection of patient data. Compliance is just one benefit of following the HITRUST framework; online stores also benefit from a strong security framework that keeps valued customer information safe and private.

How is HITRUST different from HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US regulation governing the way companies protect patient data. Failure to comply with these regulations can lead to fines and possible lawsuits.

HITRUST is an organized attempt to standardize how companies secure protected health information (PHI). Using the HITRUST security framework helps online stores ensure they’re HIPAA and PCI-compliant by safeguarding the sensitive personal data that gets collected throughout the purchase cycle.

Who needs to follow the HITRUST framework?

If your online store deals with PHI, there isn’t a stronger or more tested security schema to follow as you work toward making your business HIPAA compliant.

You may not know that if you're PCI compliant, you could already be ready for a HITRUST audit. The ultimate goal is to protect the sensitive information your online store or website collects about your customers.

How Do You Become HITRUST compliant?

HITRUST compliance requires:

  • Securing the mobile devices of employees who have access to the data
  • Controlling who can access what information, and when
  • Requiring a strong password creation program to protect access
  • Implementing additional security measures such as encryption, firewalls, antivirus programs, etc.
  • Strong security policies for mitigating risk and responding to data breaches quickly and thoroughly
  • The ability to remotely wipe data from employee devices in case of a breach, or when an employee leaves the organization, whether voluntarily or involuntarily

Having a strong security framework like HITRUST is a wise business decision.

How do you certify your online store / website as being HITRUST compliant?

HITRUST certification requires an assessment of your online store. A third-party auditor is hired to verify that the online store or website meets the compliance guidelines. Both HITRUST and the auditor review your assessment. If all requirements are met, your online store or website is HITRUST-certified.

Will I need anything else besides the HITRUST Implemented 1-year Validated Assessment?

Yes. For proper HITRUST compliance, refreshed NIST SP 800-53 Revision 4 mappings and the inclusion of NIST SP 800-53 Revision 4 as a selectable compliance factor are highly recommended. Your assigned specialist can provide these for you.