What is the Difference Between HIPAA and HITRUST?

What is the difference between HIPAA and HITRUST? It is a question we are asked frequently when working with our healthcare clients, so today we will walk through the differences at a high level.

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. To implement it, the U.S. Department of Health and Human Services (HHS) published the regulations commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of protected health information (PHI) in any form, paper or electronic. The Security Rule (Security Standards for the Protection of Electronic Protected Health Information) establishes a national set of security standards for PHI that is held or transferred in electronic form (ePHI).

How do you become HIPAA Compliant?

Maintaining compliance means implementing the administrative, physical, and technical safeguards the Security Rule calls for, starting with a documented risk analysis, and developing the policies and procedures needed to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Privacy Rule (published in 2000) and the Security Rule (published in 2003) are not requirements separate from HIPAA; they are the regulations that spell out what the law requires of an organization. Note that HHS does not certify anyone as "HIPAA compliant": compliance is something an organization demonstrates through its own documentation, and it is tested when HHS audits or investigates. We go into more detail on becoming and staying HIPAA compliant in a previous post.

What is HITRUST?

HITRUST is the Health Information Trust Alliance. It was founded in 2007 to help organizations in all sectors, but especially healthcare organizations, reach their information risk management and compliance objectives. In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management framework, the HITRUST CSF.

The "HITRUST approach," together with HITRUST certification, gives vendors and covered entities a way to demonstrate compliance with HIPAA requirements against a standardized, assessable set of controls. The ultimate goal of HITRUST certification is for businesses to effectively manage data, information risk, and compliance.

What is the Difference Between HIPAA and HITRUST?

HITRUST is a compliance framework created by a private alliance of security industry experts, and it incorporates many requirements of the HIPAA Security and Privacy Rules. HIPAA, by contrast, is a federal law enacted in 1996 and enforced by the U.S. Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). HIPAA compliance is mandatory for covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and for the business associates that handle PHI on their behalf; HITRUST certification is voluntary.

HITRUST does not replace HIPAA, but it does provide measurable criteria and objectives for applying the "appropriate administrative, technical, and physical safeguards" that HIPAA requires without prescribing in detail. Being HITRUST certified does not by itself make you HIPAA compliant, since HHS recognizes no certification, but it gives an organization a structured, auditable path toward HIPAA compliance and a way to show its customers and partners the evidence behind that claim.