HIPAA vs. HITRUST CSF - Which Makes Sense for My Organization?
NOTE: Schellman has since updated guidance on this topic in 2022.
Organizations must make important and budget-impacting decisions when determining how to achieve and report compliance with healthcare industry regulations and information protection standards. To choose the right approach and a realistic progression towards maintaining compliance and information security, they need to understand the choices available and the specific requirements that apply to them. Two prominent standards in use today are the HIPAA Security Rule and the HITRUST Common Security Framework (HITRUST CSF). Here we briefly explore some of the similarities and differences between the two.
HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996; the Security Rule, finalized by the Department of Health and Human Services in 2003, is the part of HIPAA that defines how electronic Protected Health Information (ePHI) must be safeguarded. HIPAA applies to healthcare providers, health plans, and clearinghouses (known as covered entities), as well as to any organization contracted by a covered entity to perform functions or services involving ePHI on its behalf (known as business associates). The Security Rule is organized around three types of safeguards (administrative, physical, and technical), plus Organizational Requirements and Policies and Procedures and Documentation Requirements. Each has a series of standards and implementation specifications that address risks to the confidentiality, integrity, and availability of ePHI. Implementation specifications are either required or addressable. An organization may choose not to implement an addressable specification as written if it determines, and documents, that the specification is not reasonable and appropriate in its environment; in that case it must still implement an equivalent alternative measure where one is reasonable and appropriate, and the rationale must be documented for each such specification. HHS issues no official certification of HIPAA compliance, so an organization typically evidences its compliance through a risk assessment and control documentation, for example an attestation report issued by a CPA firm such as Schellman that evaluates the Security Rule controls in place.
Safeguards and requirements:
- Administrative, physical, and technical safeguards
- Organizational requirements, and Policies and Procedures and Documentation requirements
Applies to:
- Healthcare providers, health plans, and clearinghouses (covered entities)
- Any organization contracted by a covered entity to perform work involving ePHI on its behalf (business associates)
HITRUST CSF
The first version of the Health Information Trust Alliance Common Security Framework (HITRUST CSF) was released in March 2009. It was developed to give organizations a framework devoted specifically to protecting PHI and ePHI in the healthcare industry, while still allowing for the adoption of health information systems and exchanges. The CSF incorporates security controls and requirements drawn from multiple standards and regulations, together with some that are unique to HITRUST, into a single certifiable framework whose implementation requirements scale according to the type, size, and complexity of the organization and its systems. Because the harmonized controls are mapped back to their sources, an organization can demonstrate compliance with several regimes from one assessment, and the comprehensive, prescriptive nature of the control set means a single audit can satisfy multiple compliance initiatives at once. At the time of writing, the HITRUST CSF comprised 14 control categories, 49 control objectives, and 149 control specifications (each of which may contain multiple implementation levels), and at least 64 of those control specifications had to be in place and operating effectively for an organization to become HITRUST certified. These counts are tied to the CSF version current at the time and have changed in later releases, so organizations should confirm the required control set against the version they are assessed under.
HITRUST offers a self-assessment option for organizations that want to conduct an assessment internally; however, organizations are well served to engage a qualified CSF assessor organization, such as Schellman, to identify the strengths and weaknesses of their information security program and to recommend how to address any gaps before pursuing certification.
Standards and regulations incorporated into the CSF include:
- HIPAA Security Rule
- Payment Card Industry Data Security Standard (PCI DSS)
- Control Objectives for Information and Related Technology (COBIT)
- National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) and SP 800-53 controls
- International Organization for Standardization (ISO/IEC 27001 and 27002)
- Federal Trade Commission (FTC) Red Flags Rule
- Centers for Medicare and Medicaid Services Acceptable Risk Safeguards (CMS ARS)
- State requirements
- Multiple other standards
Organization types that use the CSF include:
- Health plans / insurance plans
- Hospitals and medical facilities
- Doctor's offices
- Health information exchanges
- Biotech companies
- IT service providers (data centers, etc.)
HIPAA and HITRUST assessments share the common objective of safeguarding healthcare information and ePHI. Performing a security assessment against the HIPAA Security Rule controls and addressing the resulting recommendations can evidence an organization's compliance with HIPAA. However, the Security Rule was written to apply to organizations ranging from a small clinic to a large hospital chain, so its requirements are deliberately general and non-prescriptive. In practice this leaves organizations to decide for themselves what "reasonable and appropriate" means, which is why many lean on a more detailed framework such as ISO or NIST to define and assess their controls.
The HITRUST assessment and certification process is both more prescriptive and risk-based: the requirements an organization must meet are adjusted to its specific risk profile and focus on the common causes of information breaches in the healthcare industry. The HITRUST approach also accounts for compliance with other regulations, so an organization can take one comprehensive approach to meeting its compliance and information security objectives. The CSF's implementation specifications scale according to several key factors, including the organization's type, size, and complexity and its regulatory obligations, which lets organizations of varying sizes use the CSF as a guide to building an effective information security program. In short, HITRUST is a certifiable framework that incorporates and maps the requirements of existing frameworks, standards, and current regulations while taking an efficient, risk-based approach to information security and the protection of ePHI.
About JOE MCDERMOTT
Joe McDermott, a HITRUST technical lead with Schellman, has over 8 years of auditing and compliance experience. Prior to joining Schellman, Joe worked at a national technology and risk advisory consulting firm, where he specialized in healthcare auditing, software implementation, and project management.