Consider sugar and salt—both are “spices” of a kind, and since they’re both often in the form of fine white grain, they look similar as well. So similar in fact, you might mistakenly switch one in for the other, setting yourself up for quite the surprise at first bite.
Though not spices, both HIPAA and HITRUST address regulatory compliance for healthcare organizations to some degree, and so they too are often thought to be interchangeable. As providers of both services for years now—HIPAA attestations and HITRUST certifications—we’re going to explain why they aren’t, saving you the possibility of that “surprise at first bite.”
To start, HIPAA is a law while HITRUST (and its CSF) is a control framework, but in this article, we’re going to get into the other key differences between these two while also answering the common question of “if I have one, do I have the other?”
If you’re a healthcare organization unsure of which direction to choose or what’s appropriate/applicable for you, read on to find more clarity in your direction moving forward.
What is HIPAA?
An acronym for the Health Insurance Portability and Accountability Act of 1996, HIPAA is a U.S. law that mandates the privacy and security of protected health information (or PHI). It contains three rules applicable organizations must follow regarding Privacy, Security, and Breach Notification.
- Covered Entities: Healthcare providers, plans, and clearinghouses
- Business Associates: Any organization contracted by covered entities or other Business Associates to perform work including ePHI on their behalf
If you fall under this umbrella, you’re expected to adhere to the three types of security safeguards:
That includes complying with the organizational requirements and policies and procedures and documentation requirements. Each of these features a series of standards and specifications to address risks associated with the confidentiality, integrity, and availability of PHI.
HIPAA also includes an evaluation standard that requires periodic technical and nontechnical evaluations to ensure compliance; however, there is no official designation of compliance with HIPAA—rather, you can report their compliance by only providing a completed risk assessment and control documentation.
For those that do not comply, HIPAA is enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which will investigate possible violations and issue penalties—both financial and otherwise.
What is HITRUST?
While HIPAA is a federal act that sets compliance standards, HITRUST is an organization that first established its CSF—a security risk and compliance framework—in 2009. And though HITRUST was initially created to support healthcare industries with specific devotion to the protection of ePHI and PHI, it has since evolved beyond that and can now suit organizations of any industry.
That’s because the HITRUST CSF brings together several compliance frameworks, including:
- PSI; and
- ISO, as well as some requirements unique to HITRUST.
The HITRUST CSF includes control categories, control objectives, and control specifications. (which may contain multiple levels of control components) spread over multiple Assessment Domains. To become HITRUST certified, you must meet the appropriate scoring levels for each assessment domain. (This will depend on if you choose an i1 or r2 certification.)
Yes, when going through the assessment process, you can tailor your requirements based on unique factors such as your type of organization, size, systems, and appropriate legal regulations. Speaking of which, HITRUST also offers a self-assessment option if you’d prefer to do the work internally.
However, it’s recommended that even if you’re not opting for one of the certifiable assessments—the i1 or the r2—your self-assessment could still benefit enormously from the expertise of a qualified CSF assessor organization.
To help you get the most out of your effort, these third parties can help identify the strengths and weaknesses of your information security program and to make recommendations about how to address any issues—and, of course, you’ll establish an early relationship with them should you also need/wish to progress to a certifiable assessment.
As many organizations do, you might consider HITRUST an attractive compliance option, as the CSF and its combined, comprehensive, and prescriptive nature allows for the finding of efficiencies and meeting multiple compliance initiatives through a single audit.
The Difference Between HIPAA and HITRUST
We’ve established that there’s a relationship between HIPAA and HITRUST. Both also share a common objective of safeguarding healthcare information and ePHI. But there are still at least 3 key differences between the two—some of which we’ve already alluded to—and we’ll lay them out here.
HIPAA has defined (often steep) penalties for security breaches, including fines and sometimes even criminal penalties, depending on the violation.
Failure to meet the required HITRUST standard has no direct federal liability.
(You could still face contractual or commercial consequences—a customer taking their business elsewhere, for instance.)
While you can undergo a HIPAA attestation to assess your compliance with the 3 HIPAA rules, there’s no certification body or path for HIPAA.
HITRUST offers 2 certifications:
Because the HIPAA Security Rule was originally intended to apply to a wide range of organizations from small clinics to large hospital chains, the requirements are often considered subjective and vague—for instance, the audit logs requirement.
This can make it sometimes (or often) necessary to also rely on ISO or NIST assessments to achieve total reassurance in compliance.
With the more prescriptive and risk-based HITRUST CSF, requirements are adjusted based on your specific risks.
“If I’m HITRUST Certified, Does That Mean I’m HIPAA Compliant?”
Because HITRUST CSF is so holistic and makes HIPAA considerations, this question often comes up.
And while it’s true that HITRUST offers measurable criteria and objectives for applying appropriate administrative, technical, and physical safeguards that are also covered by HIPAA’s Security Rule, being HITRUST compliant only proves you’ve met some of the HIPAA-mandated requirements.
Implemented correctly, HITRUST certification should allow you to demonstrate you are taking reasonable steps to operate in line with HIPAA, but it’s important to remember that HITRUST—due to the aforementioned vague language in the HIPAA requirements—may not cover all of the specifications of the HIPAA Security Rule. It’s also never been formally endorsed by OCR.
So no, you’re not automatically HIPAA compliant if you become HITRUST certified. Still, HITRUST is widely accepted as a good approach for evaluating risk and it can provide a path for reaching full HIPAA compliance.
Moving Forward with Compliance
It’s a common misconception that, because HIPAA and HITRUST have relevancy for healthcare organizations, they’re interchangeable or so closely related that if you’re good with one, you’re good with the other. But now you understand their foundational and other key differences, so you can decide whether sugar or salt is right for your compliance recipe.
As you take further steps towards whichever project is better suited to your needs, read our other content that can provide in-depth insight on different facets, as well as tips for getting ready and finding what you need:
- Do You Need a HITRUST External Assessor?
- HIPAA Risk Analysis and Risk Management Program Considerations: Common Pitfalls
- How to Scope Your HITRUST Assessment: 5 Components to Consider
And of course, if you find you have further questions or would like to explore whether Schellman is the right firm to provide you with either of these services, please feel free to contact us so that we can schedule a conversation—our team of experts would be happy to address any concerns you have.
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.