HIPAA vs. HITRUST: What’s the difference?

Explore the differences between the two compliance frameworks that govern healthcare organizations

September 27, 2022

Blue and violet gradient.

When it comes to protecting patient health information, there are two leading compliance frameworks: HIPAA and HITRUST CSF. 

While both help standardize how healthcare organizations should achieve information security, HIPAA and HITRUST CSF serve separate purposes.

HIPAA is a federal law that sets the standard for protecting sensitive patient data in the US. HITRUST CSF, on the other hand, is a set of prescriptive controls organizations can use to meet a variety of information security regulations.

Learn how these two healthcare frameworks compare to one another, and which one is required for your own information security compliance.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an act of the US Congress that oversees the privacy and security of protected health information (PHI).

Examples of PHI include an individual’s health status, insurance provider, medical result, payment method, or other information that an be used as a personal identifier.

By creating rules focused on privacy, security, and breach notification, HIPAA aims to give individuals the right to their health information.

Process for HIPAA compliance

All organizations in the US that classify as a covered entity or business associate of a covered entity are expected to be HIPAA compliant. Covered entities include:

  • Health plans: Includes health insurance companies, company health plans, etc.
  • Healthcare clearinghouses: Any entity that processes nonstandard health information received from another entity into a standard format
  • Healthcare providers: Includes doctors, dentists, clinics, pharmacies, etc.

While HIPAA doesn’t have a certification body or official certifications, it’s enforced by the US Department of Health and Human Services’ Office for Civil Rights (OCR).

Organizations that fail to comply with required periodic technical and nontechnical evaluations or are found to be in violation of HIPAA will incur penalties and lose public trust.

What is HITRUST?

HITRUST is a privately held company that created its own compliance framework called HITRUST CSF, which stands for “Common Security Framework.”

The company combines multiple security and privacy regulations into a prescriptive framework that can be used by any organization that handles sensitive data. Currently, its regulations include:

  • Federal legislation (e.g., HIPAA)
  • Federal agency rules and guidance (e.g., NIST)
  • State legislation (e.g., California Consumer Privacy Act) International regulation (e.g., GDPR)
  • Industry frameworks (e.g., PCI, COBIT)

With its all-in-one approach, HITRUST CSF lets organizations select the compliance requirements for their specific industry, size, and systems.

Process for HITRUST CSF

HITRUST CSF serves as a guide to attain HIPAA or any other type of compliance. Through the HITRUST MyCSF portal, organizations can complete a self-assessment, which is similar to a scoping exercise, and select their preferred degree of assurance, validation, and certification.

The portal will then recommend the administrative, technical, and physical controls required for compliance and then assign a HITRUST assessor to perform an audit.

With HITRUST CSF’s comprehensive approach, organizations are better able to familiarize themselves and prepare for upcoming compliance requirements.

Differences between HIPAA vs. HITRUST

A significant difference between HIPAA vs. HITRUST is that the former is a US law and the latter is a private compliance framework solution.

HIPAA creates standards for how healthcare organizations can use a patient’s information and requires patient notification in the event of a data breach.

HITRUST offers a framework to determine compliance with HIPAA, as well as several other regulations and standards. While HITRUST can check an organization’s privacy and security controls, it is not intended as a replacement for HIPAA compliance.

Similarities between HIPAA vs. HITRUST

Both HIPAA and HITRUST help healthcare organizations protect sensitive patient information from being used or disclosed without their consent.

HITRUST additionally covers a long list of other regulations, but can be customized specifically for healthcare organizations to attain HIPAA compliance.

Costs of HIPAA vs. HITRUST

Security protection costs are different for every organization. Generally, the less data that’s collected, transmitted, and stored, the lower the overall costs.

HIPAA doesn’t call for any direct payments to be determined as compliant, aside from the fee for an external auditor selected by the organization. In cases of non-compliance and violations, however, HIPAA penalties can be quite expensive.

As a company-rendered service, HITRUST typically costs more, with estimates ranging from $60,000–120,000 per year for a startup. However, the company’s straightforward process can end up saving time and resources. There are also no penalties or fines, although failing an assessment will result in the loss of your HITRUST accreditation.

Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.

You may also like


Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more


Privacy Automation

US privacy laws on the horizon: Which states will be next?

Join our live webinar as OneTrust DataGuidence and privacy experts examine new privacy legislation in Indiana, Montana, Tennessee, Florida, and Texas.

June 15, 2023

Learn more

Regulation Book

Privacy Management

Colorado Privacy Act law book

The Colorado Privacy Act (CPA) comes into force on July 1. Get the law's official text right at your fingertips.

May 30, 2023

Learn more