HITRUST vs HIPAA: The Key To Protecting Healthcare Data

If you’re the IT manager, CIO, or information security officer for a healthcare organization, you do all you can to maintain a high measure of security for your company’s sensitive healthcare data.

Providing regular assurances to third-party stakeholders and patients helps instill and reinforce confidence in your organization, which is essential to stay competitive in the healthcare industry.

Not only do you need to consider your organization’s information security compliance in relation to stakeholders, but you also need to stay in compliance with certain federal and governmental regulations, rules, and laws.

Both HIPAA and HITRUST® offer guidelines and strategies to keep up with the latest healthcare industry regulations that help keep your information secure not only for your organization’s benefit but also for the benefit of any third parties and patients.

What Does HIPAA Protect?

HIPAA was enacted by the United States Congress in 1996. Title I provides health insurance protection during job changes, Title III extends tax-related provisions for medical care, Title IV further defines health insurance reform, and Title V covers provisions on company-owned life insurance.

Yet HIPAA is primarily known for Title II, which sets the national standards to protect electronic healthcare transactions and to safeguard electronic protected health information (ePHI).

Organizations that operate as healthcare providers, healthcare plans, clearinghouses, or any other sort of covered business that works with sensitive data in or related to the healthcare industry are subject to HIPAA regulations.

The act is broken up into two main parts: the Security Rule and the Privacy Rule. HIPAA’s Security Rule addresses the physical, technical, and administrative safeguards for medical records and other personal health information that is created, received, used, and stored.

The HIPAA Privacy Rule sets limitations and gives individuals more control over how their personal information, in all forms (electronic, paper, and spoken), is utilized.

What Does HITRUST Protect?

The HITRUST framework operates on the principle that information security is an integral part of the modern healthcare industry’s increasing use of technology to collect, organize and store healthcare data.

It was built by a collaborative body of leaders in healthcare, technology, business, and information security. These cybersecurity pioneers were driven by the idea that healthcare and business can be greatly improved by the free exchange of information, yet data protection is paramount to maintaining patient and third-party stakeholder trust.

HITRUST vs HIPAA – What Is the Difference?

HIPAA, in itself, is a set of regulations; it’s not a framework within which organizations can work to maintain optimal data protection. In contrast, the HITRUST CSF offers anyone handling sensitive healthcare data a comprehensive framework of information, controls, and tools to achieve high levels of security to stay in compliance with confidence.

Compliance Challenges for Healthcare Organizations

Complying with multiple regulations and authoritative sources presents many challenges. Today’s threat landscape changes daily, so covered entities and business associates must stay updated on the potential for breaches and other risks that affect the healthcare industry. The fast pace of disruptive technology and changing regulations makes compliance a continual challenge.

If you manage data security for your organization, you are also aware of the hefty investment of time and resources required to effectively manage compliance. This is complicated by the limited guidance and inconsistent expectations present in the compliance process.

Regulations, including HIPAA, are often open to interpretation by all professionals involved—from CISOs to auditors. They lack clear guidance, and this leads to inconsistent application and implementation across organizations.

Whenever there is a high level of subjective judgment and interpretation involved in a process, implementation requires a lot of manpower and oversight. Finally, third-party risk management can be difficult because so much of the risk lies outside of the covered entity’s control.

What’s the Advantage of HITRUST?

HITRUST CSF works to resolve these issues and overcome these challenges. It brings together updates on multiple regulations and laws from various entities that cover information security in the healthcare industry, including HIPAA.

It provides the basis for a repeatable compliance process and a comprehensive risk management program, addressing everything from network protection and vulnerability management to physical and environmental security.

Not only is the HITRUST CSF comprehensive, it is also prescriptive and corrective: it shows you how to make the corrections needed to maintain HITRUST CSF certification, which is an indicator of compliance and a reflection of your organization’s commitment to the highest standards of information security.

The HITRUST approach defines five progressive maturity levels: Policy, Procedures, Implementation, Measurement, and Management. Each level builds on the previous one with practical considerations and prescriptive steps for improvement, so that organizational, systemic, and regulatory risk factors are addressed.

HITRUST is aligned with HIPAA rules and security controls. It measures and monitors the effectiveness of implementation by your organization. It provides recognizable assurance to internal and external stakeholders, including demonstrating compliance with HIPAA.

It improves efficiency in the compliance process by eliminating the need for multiple assessments and reports. HITRUST also better prepares organizations for audits and thorough security assessments.



Author: Robert Godard
Robert is the senior technology auditor who has been working with I.S. Partners for more than 9 years. He holds a Bachelor of Science degree in Finance and Accounting and is a CPA, CISA and HITRUST CCSFP. His specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HIPAA and HITRUST CSF Assessments, and Model Audit Rule (MAR), including evaluating business processes as well as IT General Controls surrounding the reporting of financial information.