HIPAA and HITRUST are acronyms that sound alike and are related. However, the two terms embody different things. So what is the difference between HIPAA and HITRUST? HIPAA is a law, and HITRUST is an organization.
Under the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), covered entities and business associates must develop administrative, physical, and technical safeguards to maintain the confidentiality, availability, and integrity of electronic protected health information (ePHI).
As such, HIPAA imposes legal requirements.
HITRUST is an acronym for the Health Information Trust (HITRUST) Alliance. The Alliance is an independent testing organization. HITRUST offers what is known as the “HITRUST CSF®,” a security framework that provides organizations with a comprehensive and flexible approach to HIPAA compliance and risk management. “CSF” stands for “common security framework.”
The HITRUST CSF framework allows organizations to address both security risk and compliance. The framework also provides for tailoring of security measures, based on unique organizational factors such as type of organization, size, systems, and regulatory requirements.
HITRUST CSF, therefore, is a framework that an organization can use to meet the legal requirements of HIPAA.
An organization that implements all applicable HITRUST CSF requirements has, in the process, addressed each and every standard and implementation specification in the HIPAA Security Rule.
HITRUST is a private organization. HITRUST offers certification (HITRUST Certification) against the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework). NIST is a federal government agency that offers a cybersecurity framework.
The NIST Cybersecurity Framework is a set of standards and best practices that help organizations improve security, manage cybersecurity risk, and protect critical infrastructure. The NIST framework can be used to implement the requirements of the Security Rule.
Through using the HITRUST CSF program, healthcare organizations can assess whether they have met the requirements in each of the NIST categories.
Since following the CSF program allows an organization to meet the NIST framework requirements, and since the NIST framework can in turn be used to implement the requirements of the HIPAA Security Rule, healthcare organizations that undergo a CSF assessment can assess whether they are compliant with both the NIST Cybersecurity Framework AND the HIPAA Security Rule.
Covered entities and business associates can address their HIPAA cybersecurity compliance obligations under the Security Rule by working with Compliancy Group.
Our ongoing support and web-based compliance app, The Guard™, give healthcare organizations the tools to address HIPAA cybersecurity issues so they can get back to confidently running their business.