Navigating HIPAA compliance and HITRUST certification can be difficult. Numerous solutions purport to provide one certification or the other, but what does that mean for you and your business? In this article, we’ll cover what HIPAA and HITRUST are, what HITRUST certification and HIPAA compliance mean under each standard, and how each benefits the healthcare industry as a whole.
(NOTE: If you’re looking for industry-leading compliance consulting, our free tool below matches you with a top-rated vendor that can meet your budget and requirements, whatever the framework.)
A Quick Intro to HIPAA
HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. When most people refer to HIPAA, they are colloquially referring to those Acts enforcing regulations that protect individuals’ Protected Health Information, or PHI. Those HIPAA regulations provide three rules to keep patient data safe and guide healthcare organizations’ behavior.
The HIPAA Privacy Rule outlines how covered healthcare companies, health insurers, and healthcare providers, collectively dubbed Covered Entities, can use and process PHI. It also dictates specific requirements for Business Associates and subcontractor organizations that receive and use Protected Health Information to support Covered Entity operations.
The HIPAA Security Rule outlines what Covered Entities must do to enforce a baseline data security framework for PHI. It also imposes baseline information risk management requirements for Covered Entities and Business Associates.
Finally, the HIPAA Breach Notification Rules provide guidelines for when and how a Covered Entity must provide notice of a PHI breach. Since health records are irreplicable and unchangeable, the HIPAA requires organizations to provide notice to affected individuals so that they can take steps to safeguard their data.
HIPAA also provides enforcement action for the Centers for Medicare and Medicaid Services, or CMS. CMS, which is a part of the U.S. Department of Health and Human Services is required to be notified of all breaches of PHI and may engage in follow-up audits of Covered Entities and their Business Associates and even fine those organizations.
One of the things I’ll talk a lot about in this article is HIPAA compliance. I’ll even mention HIPAA certification. I want to be very clear about a couple of things:
- There is no such thing as formal HIPAA certification. Organizations are free to represent themselves as HIPAA certified, but the designation is meaningless–and in my opinion, materially misleading. CMS does not endorse, operate, or recognize any certification program for HIPAA. HIPAA certification as a designation implies that there is some canonical and objective standard against which an organization was measured, which isn’t the case.
- HIPAA compliance equals regulatory compliance. Where a Covered Entity or Business Associate is HIPAA compliant, it is meeting its HIPAA regulatory obligations. There are many ways to achieve and maintain compliance and HIPAA provides great flexibility in doing so. Ultimately, CMS wants to see healthcare organizations achieve HIPAA compliance, regardless of how they choose to do so.
A Quick Intro to HITRUST
Unlike HIPAA, HITRUST certification is a recognized and increasingly commonplace information security certification. The Health Information Trust Alliance (HITRUST Alliance) was formed in 2007 to drive measurable criteria for data protection and to address information risk management. The HITRUST common security framework, or HITRUST CSF, is the benchmark by which the HITRUST Alliance does so.
The HITRUST CSF framework drives detailed administrative, technical, and physical safeguards to enable organizations to effectively manage data and comply with other information security standards.
Concerning organizational compliance obligations, the HITRUST CSF is designed to incorporate verifiable best-in-breed security measures. It provides a secure and comprehensive minimum baseline for quality safeguards. the HITRUST CSF also maps to other compliance frameworks by design, including ISO and NIST standards and HIPAA.
HIPAA mapping makes the HITRUST CSF well-suited to protect healthcare data and especially health organizations. It expressly doesn’t replace HIPAA but provides verifiable standards to meet HIPAA requirements with a focus on the HIPAA Security Rule. In that way, HITRUST helps guide the implementation of extremely technical standards, regularly conducts their mandated HIPAA self-assessment, and verifiably demonstrates HIPAA compliance–specifically to the HIPAA security rule.
The HITRUST certification process is tiered into the i1 and r2 certifications. i1 assessments are self-conducted and self-represented evidence-based assessments, meaning an organization assesses itself and reports that assessment to the HITRUST Alliance. The r2 certification is an assessment conducted by an independent third party that validates an organization’s compliance with the technical safeguards elaborated in the HITRUST CSF.
The Benefits of HIPAA vs HITRUST
HIPAA and HITRUST seek to meet two very different but complementary market needs.
HIPAA is a law in the United States. Meaning: if your organization meets the definition of Covered Entity or Business Associate and transacts PHI as covered by the law, you must maintain HIPAA compliance. It’s not optional. Egregious failure to comply means that your organization will be fined and could be ordered to cease using PHI.
If your organization doesn’t qualify for HIPAA coverage, I wouldn’t recommend arbitrarily complying with HIPAA. It doesn’t get your organization anything, there’s no formal certification program, and there are other more comprehensive verifiable standards that will be more impressive to clients and customers.
HITRUST is a security framework that can apply to all industries but was developed with the healthcare industry in mind. The HITRUST certification standard framework is powerful and can provide a great degree of verifiable security where standards certification is lacking, like with HIPAA and the NIST standards.
Think of the overlap of HIPAA and HITRUST like a Venn Diagram. Some organizations will comply with one or another. Some will comply with both. What makes sense for your organization ultimately comes down to your security goals, the current stage of your security journey, and whether or not you need to comply with HIPAA.
How Long Does Each Certification Take?
HIPAA compliance is effectively measured by 25 objectives scattered between 45 CFR §§ 164.300, et seq. and 45 CFR §§ 164.500, et seq. If you have comprehensive document management systems and a clear delineation of administrative, technical, and physical safeguards then your self-assessment will be a breeze. If you don’t have those things, then it can take substantially longer to fully document your HIPAA compliance.
Expect to spend a week to a few months documenting your HIPAA standing.
HITRUST compliance requires validating each of the HITRUST CSF standard framework controls. It will take longer the first time you’re assessed, compared to updating the assessment down the line.
Still, expect to spend two to three months on a HITRUST assessment once you’ve implemented your controls.
Like HIPAA, if you have your evidence and documentation in one place, the audit will be easier and quicker.
How Often Must Each Be Renewed?
HIPAA self-assessments are required “periodically.” How often you conduct them is up to you. Too much time between assessments may fail to capture critical environmental changes. Many security assessment vendors recommend annual reviews and I think that’s solid guidance.
HITRUST i1 assessments are valid for one year. HITRUST r2 assessments are valid for two years.
HIPAA vs HITRUST Penalties
HITRUST has no penalties for noncompliance. It’s an optional framework certification and is entirely voluntary.
HIPAA allows CMS to levy civil monetary penalties for HIPAA violations. Those penalties, outlined at 45 CFR § 160.404, can be up to $50,000 per violation not to exceed $1.5 million for identical violations within a calendar year.
Different Numbers of Controls
HIPAA and HITRUST have vastly different numbers of security controls. That’s because HIPAA provides a baseline for organizations of all sizes and sophistication levels and HITRUST CSF provides a framework based on organizational size, all of which are sophisticated enough to approach the HITRUST CSF.
- HIPAA has 25 different control objectives spread across physical, administrative, and technical safeguards.
- HITRUST has 156 control specifications among 49 objectives and 14 control categories.
Differences in Cost
A HIPAA Security Risk Assessment conducted internally to gauge organizational compliance with HIPAA is free. The standards are publicly available and internal staff can conduct the assessment.
A HIPAA Security Risk Assessment conducted by a neutral, third party, can cost hundreds of thousands of dollars for very large healthcare organizations. Small-to-midsize organizations should expect to pay in the thousands for a HIPAA Security Risk Assessment.
HITRUST certification is significantly more involved. Organizations should expect the assessment to cost in the high tens to hundreds of thousands of dollars.
NOTE: If you’re considering a HIPAA security risk assessment, see our list of top HIPAA consultants here.
HIPAA vs HITRUST: Which Should Your Organization Pursue?
The decision to pursue HIPAA vs. HITRUST is a difficult one for many organizations. Ultimately, you know your organization’s security posture and needs best, but here are some considerations for which to pursue.
Every organization that is either a Covered Entity or Business Associate and deals with PHI as specified in HIPAA must be HIPAA compliant. If you think you will become a Covered Entity or Business Associate, but aren’t currently one of those, then you should think about prospective HIPAA compliance.
Any organization that wants a verifiable set of security controls implementation should consider HITRUST as an option. It compares well to other certifiable standards like ISO 27001. Despite not having the same historical provenance as some of those standards, it’s no less respected in the information security world.
Vendors wishing to sell to the healthcare industry should very strongly consider HITRUST r2 certification. It’s an easy way to telegraph your attention to detail, security posture, and regulatory compliance. If you have a HITRUST r2 certification, healthcare institutions will understand–and appreciate–your commitment to their unique needs.
I also think that all healthcare providers should evaluate HITRUST certification. I think it telegraphs to vendors and patients that you take security and regulatory compliance very seriously and want to go above and beyond to demonstrate that. While it can be seen as superfluous for healthcare organizations, I think it demonstrates a commitment to patient safety and security that is presently unique among healthcare institutions.