HIPAA vs. HITRUST: What’s the difference?

Explore the differences between the two compliance frameworks that govern healthcare organizations

OneTrust


When it comes to protecting patient health information, there are two leading compliance frameworks: HIPAA and HITRUST CSF.

While both help standardize how healthcare organizations should achieve information security, HIPAA and HITRUST CSF serve separate purposes.

HIPAA is a federal law that sets the standard for protecting sensitive patient data in the US. HITRUST CSF, on the other hand, is a set of prescriptive controls organizations can use to meet a variety of information security regulations.

Learn how these two healthcare frameworks compare to one another, and which one is required for your own information security compliance.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an act of the US Congress that governs the privacy and security of protected health information (PHI).

Examples of PHI include an individual’s health status, insurance provider, medical results, payment method, or other information that can be used as a personal identifier.

By creating rules focused on privacy, security, and breach notification, HIPAA aims to give individuals rights over their health information.

Process for HIPAA compliance

All organizations in the US that are classified as a covered entity, or as a business associate of a covered entity, are expected to be HIPAA compliant. Covered entities include:

  • Health plans: Includes health insurance companies, company health plans, etc.
  • Healthcare clearinghouses: Any entity that processes nonstandard health information received from another entity into a standard format
  • Healthcare providers: Includes doctors, dentists, clinics, pharmacies, etc.

While HIPAA doesn’t have a certification body or official certifications, it’s enforced by the US Department of Health and Human Services’ Office for Civil Rights (OCR).

Organizations that fail to comply with required periodic technical and nontechnical evaluations or are found to be in violation of HIPAA will incur penalties and lose public trust.

What is HITRUST?

HITRUST is a privately held company that created its own compliance framework called HITRUST CSF, where CSF stands for “Common Security Framework.”

The company combines multiple security and privacy regulations into a prescriptive framework that can be used by any organization that handles sensitive data. Currently, the sources it incorporates include:

  • Federal legislation (e.g., HIPAA)
  • Federal agency rules and guidance (e.g., NIST)
  • State legislation (e.g., California Consumer Privacy Act)
  • International regulation (e.g., GDPR)
  • Industry frameworks (e.g., PCI, COBIT)

With its all-in-one approach, HITRUST CSF lets organizations select the compliance requirements for their specific industry, size, and systems.

Process for HITRUST CSF

HITRUST CSF serves as a guide to attain HIPAA or any other type of compliance. Through the HITRUST MyCSF portal, organizations can complete a self-assessment, which is similar to a scoping exercise, and select their preferred degree of assurance, validation, and certification.

The portal then recommends the administrative, technical, and physical controls required for compliance and assigns a HITRUST assessor to perform an audit.

With HITRUST CSF’s comprehensive approach, organizations are better able to familiarize themselves with, and prepare for, upcoming compliance requirements.

Differences between HIPAA vs. HITRUST

A significant difference between HIPAA and HITRUST is that the former is a US law and the latter is a private compliance framework solution.

HIPAA creates standards for how healthcare organizations can use a patient’s information and requires patient notification in the event of a data breach.

HITRUST offers a framework to determine compliance with HIPAA, as well as several other regulations and standards. While HITRUST can check an organization’s privacy and security controls, it is not intended as a replacement for HIPAA compliance.

Similarities between HIPAA and HITRUST

Both HIPAA and HITRUST help healthcare organizations protect sensitive patient information from being used or disclosed without the patient’s consent.

HITRUST additionally covers a long list of other regulations, but can be customized specifically for healthcare organizations to attain HIPAA compliance.

Costs of HIPAA vs. HITRUST

Security protection costs are different for every organization. Generally, the less data that’s collected, transmitted, and stored, the lower the overall costs.

HIPAA doesn’t require any direct payments to be deemed compliant, aside from the fee for an external auditor selected by the organization. In cases of non-compliance and violations, however, HIPAA penalties can be quite expensive.

As a company-rendered service, HITRUST typically costs more, with estimates ranging from $60,000–120,000 per year for a startup. However, the company’s straightforward process can end up saving time and resources. There are also no penalties or fines, although failing an assessment will result in the loss of your HITRUST accreditation.


Learn more about gaining compliance by downloading our eBook about the ISO 27001 journey. You can also request a demo for OneTrust’s Certification Automation tool.
