When it comes to protecting patient health information, there are two leading compliance frameworks: HIPAA and HITRUST CSF.
While both help standardize how healthcare organizations should achieve information security, HIPAA and HITRUST CSF serve separate purposes.
HIPAA is a federal law that sets the standard for protecting sensitive patient data in the US. HITRUST CSF, on the other hand, is a set of prescriptive controls organizations can use to meet a variety of information security regulations.
Learn how these two healthcare frameworks compare to one another, and which one is required for your own information security compliance.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is an act of the US Congress that oversees the privacy and security of protected health information (PHI).
Examples of PHI include an individual’s health status, insurance provider, medical result, payment method, or other information that an be used as a personal identifier.
By creating rules focused on privacy, security, and breach notification, HIPAA aims to give individuals the right to their health information.
All organizations in the US that classify as a covered entity or business associate of a covered entity are expected to be HIPAA compliant. Covered entities include:
While HIPAA doesn’t have a certification body or official certifications, it’s enforced by the US Department of Health and Human Services’ Office for Civil Rights (OCR).
Organizations that fail to comply with required periodic technical and nontechnical evaluations or are found to be in violation of HIPAA will incur penalties and lose public trust.
HITRUST is a privately held company that created its own compliance framework called HITRUST CSF, which stands for “Common Security Framework.”
The company combines multiple security and privacy regulations into a prescriptive framework that can be used by any organization that handles sensitive data. Currently, its regulations include:
With its all-in-one approach, HITRUST CSF lets organizations select the compliance requirements for their specific industry, size, and systems.
HITRUST CSF serves as a guide to attain HIPAA or any other type of compliance. Through the HITRUST MyCSF portal, organizations can complete a self-assessment, which is similar to a scoping exercise, and select their preferred degree of assurance, validation, and certification.
The portal will then recommend the administrative, technical, and physical controls required for compliance and then assign a HITRUST assessor to perform an audit.
With HITRUST CSF’s comprehensive approach, organizations are better able to familiarize themselves and prepare for upcoming compliance requirements.
A significant difference between HIPAA vs. HITRUST is that the former is a US law and the latter is a private compliance framework solution.
HIPAA creates standards for how healthcare organizations can use a patient’s information and requires patient notification in the event of a data breach.
HITRUST offers a framework to determine compliance with HIPAA, as well as several other regulations and standards. While HITRUST can check an organization’s privacy and security controls, it is not intended as a replacement for HIPAA compliance.
Both HIPAA and HITRUST help healthcare organizations protect sensitive patient information from being used or disclosed without their consent.
HITRUST additionally covers a long list of other regulations, but can be customized specifically for healthcare organizations to attain HIPAA compliance.
Security protection costs are different for every organization. Generally, the less data that’s collected, transmitted, and stored, the lower the overall costs.
HIPAA doesn’t call for any direct payments to be determined as compliant, aside from the fee for an external auditor selected by the organization. In cases of non-compliance and violations, however, HIPAA penalties can be quite expensive.
As a company-rendered service, HITRUST typically costs more, with estimates ranging from $60,000–120,000 per year for a startup. However, the company’s straightforward process can end up saving time and resources. There are also no penalties or fines, although failing an assessment will result in the loss of your HITRUST accreditation.