HIPAA vs HITRUST
In the context of complying with HIPAA, HITRUST is one of the most commonly adopted Cyber Security Frameworks (CSFs) alongside the likes of NIST SP 800-66r2, ISO/IEC 27001, and AICPA’s System and Organization Controls 2 (SOC 2). In addition to supporting compliance with HIPAA, HITRUST supports compliance with many other federal and state laws, and can be customized to support compliance with some local or industry specific regulations.
The HITRUST Alliance is a collaboration between several high-profile organizations in the healthcare, technology, and information security industries. In 2007, the Alliance released the first HITRUST Cyber Security Framework (CSF) in response to the increasing number of threats to healthcare data and the increasing number of federal and state compliance requirements (e.g., HIPAA, the Texas Medical Records Privacy Act, etc.).
Since 2007, the Alliance has updated the Framework and expanded the control categories and implementation specifications in response to changes to “authoritative sources” (e.g., NIST, ISO, etc.) and new rules and regulations. The latest version of the HITRUST CSF (v11.2.0 – released October 2023) consists of fourteen control categories and up to 156 implementation specifications, depending on the nature of an organization’s activities. The fourteen control categories are:
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Compliance
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Privacy Practices
HIPAA HITRUST Assessments and Certifications
The HITRUST CSF provides organizations with the opportunity to be assessed and certified on compliance with the Framework by a HITRUST-approved assessor. Because it is a voluntary Framework that – at the highest level – can take up to two years to complete, HITRUST offers a selection of assessment and certification options.
- HITRUST Essentials (e1) provides “entry level assurance” that an organization has business-critical security controls in place that map to CISA’s Cyber Essentials, NIST 171’s basic requirements, and HICP for small healthcare organizations.
- HITRUST Implemented (i1) is a more thorough assessment that certifies that an organization’s security controls align with the requirements of the HIPAA Security Rule, NIST SP 800-171, and HICP for medium-sized organizations.
- HITRUST Risk-Based (r2) is the highest level of assessment and certification that demonstrates an organization’s expanded approach to risk management and compliance with standards such as NIST SP 800-53, FedRAMP, and GDPR.
In addition, organizations that subscribe to the MyCSF platform also get access to the Reporting Pack for HIPAA. The Pack compiles information collected during an r2 assessment to map HIPAA requirements to the completed parts of the HITRUST assessment and produce reports on the state of an organization’s HIPAA compliance. Although the reports do not count as HITRUST certification, they can be used internally to identify compliance gaps and plan remedial actions.
Selecting the Right Framework for Your Healthcare Organization
Healthcare organizations have to comply with multiple rules and regulations – some of which may be specific to their location or to the area of healthcare in which they operate. To help support compliance with multiple rules and regulations, the HIPAA HITRUST CSF includes a number of “selectable compliance factors” that can be included in an r2 assessment – for example, VA Directive 6500, the FTC Red Flags Rule, and PHIPA Compliance.
However, while the HITRUST CSF covers the security angle of compliance very well, it does not cover every angle of compliance. There are no references to OSHA compliance, nor to CMS’ conditions of participation in Medicare and Medicaid – despite many OSHA standards and CMS conditions being closely related to HIPAA regulations, and some being more relevant to healthcare activities than many HITRUST CSF implementation specifications.
As a result, healthcare organizations are advised not to regard a HITRUST certification as proof of compliance with any mandatory requirements. While being able to demonstrate compliance with a recognized cyber security framework can mitigate the penalties for a data breach, a security certificate will be of no value if the organization is cited for an OSHA violation or fails to meet the conditions for participation in Medicare.