Teaching the Difference Between HIPAA and HITRUST


Healthcare organizations are required to protect their patients' data. In the United States that obligation is set by HIPAA; HITRUST certification is a voluntary way of demonstrating that the obligation has been met. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Its Privacy and Security Rules set standards for how covered entities (providers, health plans, and clearinghouses) and their business associates must protect protected health information (PHI).

The Health Information Trust Alliance (HITRUST), on the other hand, is a private organization that publishes the HITRUST Common Security Framework (CSF). The CSF is a prescriptive control framework covering the creation, access, storage, and exchange of sensitive or regulated data. Its controls harmonize the core requirements of many standards and regulations, HIPAA among them, so that a single set of controls can be assessed once and reported against several of them.

HIPAA vs. HITRUST

A common misconception is that HIPAA and HITRUST do the same job and compete with each other. They overlap in scope but play different roles, and they complement each other: HIPAA is federal law that defines what covered entities and business associates must do, whereas HITRUST is an organization whose framework and assessment program give you a structured way to implement those requirements and to prove that you have done so.

The CSF that HITRUST develops and maintains maps its controls to HIPAA and to other sources such as PCI DSS and the NIST frameworks. Because one CSF control can satisfy the corresponding requirement in several of these sources, a single assessment against the CSF reduces the work of demonstrating compliance with each of them separately.

Entities in the healthcare industry often perceive health information security as a burdensome requirement. Today's technological landscape has made data protection and risk management critical for healthcare organizations, and HIPAA and HITRUST both give covered entities guidance on how to meet their information security obligations.

HIPAA and HITRUST Certification Process

HIPAA protects patients' medical records by setting rules for how health information held by providers, plans, and their business associates may be accessed, used, and disclosed. There is, however, no official HIPAA certification: the Department of Health and Human Services (HHS) does not recognize or endorse any certification program. A covered entity demonstrates compliance through a documented risk analysis, written policies and procedures, workforce training, and audits, and it remains liable for violations regardless of any certificate it holds.

The continued uptake of technology in the healthcare sector sometimes makes security compliance seem like a strict and unnecessary burden, which is one reason IT risk management and ongoing compliance are a struggle for many healthcare organizations. The burden is increased by the need to train staff on HIPAA requirements and, where the organization pursues certification, on the HITRUST CSF controls.

Historically, healthcare providers accepted a vendor's own assurance of HIPAA compliance: a verbal commitment, or a signed business associate agreement (BAA). A BAA is still required under HIPAA for any business associate that handles PHI, but it is a contract, not evidence. Some organizations supplemented it with third-party attestation documents such as SOC reports.

Those documents were taken as proof that adequate data security controls were in place, but neither a signed BAA nor a self-attestation verifies that the controls actually operate. HITRUST addresses this with two assessment types. A self-assessment, performed in HITRUST's MyCSF tool, yields a self-assessment report that is useful for readiness and gap analysis but does not confer certification. Certification requires a validated assessment: an HITRUST Authorized External Assessor tests the controls and collects the evidence, and HITRUST reviews the results before issuing the certification.

HIPAA and HITRUST Compliance Costs

HIPAA and HITRUST compliance have different costs, and HITRUST costs more. Both carry a heavier set of requirements than most other compliance frameworks. For instance, a typical HITRUST validated assessment can contain more than 400 control requirements, and each control is scored against five maturity levels (policy, procedure, implemented, measured, and managed). An assessor may have to review up to 2,500 pieces of evidence to support a validated assessment.

HITRUST costs are also driven by the annual subscription to the MyCSF platform that an organization must maintain to run its assessment and keep its certification status, on top of the external assessor's fees. A validated HITRUST assessment can cost up to $250,000 a year, depending on the size and scope of the organization. HIPAA compliance, by contrast, carries no subscription or certification fee and can be estimated at roughly $1,040 a year in direct costs, although that figure does not include the risk analysis, remediation, and workforce training that the Security Rule requires.

HIPAA and HITRUST Noncompliance

Failure to comply with HIPAA can lead to severe financial repercussions for healthcare providers, so it is advisable to have a compliance strategy in place that finds and corrects weaknesses before a regulator or an attacker does. HIPAA civil penalties are tiered by culpability, up to $50,000 per violation and $1.5 million per year for violations of an identical provision, with both figures adjusted annually for inflation; criminal violations are referred to the Department of Justice. Civil enforcement is handled by the Office for Civil Rights (OCR) within HHS. HITRUST has no enforcement arm and imposes no fines; the cost of failing to obtain or losing certification is commercial, since customers and partners increasingly require it as a condition of doing business.

State law can add to the federal penalties, so the cost of noncompliance varies from one state to another. In Texas, for instance, the Legislature passed House Bill 300 (effective 2012), which amended the Texas Medical Records Privacy Act to impose stricter requirements than HIPAA on any entity that handles protected health information and set civil penalties ranging from $5,000 to $250,000 per violation, depending on intent.

If you own or manage a healthcare organization, you must comply with HIPAA; HITRUST certification is optional, though increasingly demanded by partners. Either way, the starting point is a regular risk analysis, which the HIPAA Security Rule explicitly requires (45 CFR 164.308(a)(1)(ii)(A)), so that you can build a pragmatic set of information security controls. To be considered compliant you must show that every standard and implementation specification is addressed: required specifications must be implemented, and for each addressable specification you must either implement it or document why it is not reasonable and appropriate and what equivalent alternative you use instead.

HIPAA compliance is mandatory for covered entities and business associates; HITRUST certification is voluntary but has become a common way of demonstrating it. Both provide guidance on information security standards, and the HITRUST CSF has since been adopted outside healthcare by other regulated industries. Irrespective of the size of your organization, understanding these frameworks is the first step towards creating a pragmatic security and compliance program.
