HITRUST and HIPAA: What’s the Difference?

When it comes to the healthcare industry, the security of protected health information (PHI) is imperative. There are several safeguards that companies can put in place to help prevent unauthorized disclosure and breaches. This article discusses HITRUST and HIPAA, two primary frameworks in the healthcare industry.

HITRUST, also known as the Healthcare Information Trust Alliance, was founded for the primary use of healthcare organizations. Since its founding, HITRUST has expanded into various public and private industries. HITRUST provides a baseline common security framework for companies, including the opportunity to add other regulatory frameworks, and provides certification following a validated assessment.

The Health Insurance Portability and Accountability Act (HIPAA), created in 1996, was designed to help protect patient health information. This Act is governed by the U.S. Department of Health and Human Services (US HHS). HIPAA can apply to health plans, health care clearinghouses, health care providers and business entities. Within this act there are various rules; these include the Privacy Rule, Security Rule and Breach Notification. Earlier this year, proposed updates to the Security Rule were presented and public comments are set to be discussed in the coming months (read the Fact Sheet). Changes to the rule are expected to be rolled out sometime during 2025, depending on the degree of changes.

For HITRUST and HIPAA, there are several similarities and differences.

Similarities

  1. Goals – The goal of both HIPAA and HITRUST is to protect health information. HITRUST can also be expanded to other criteria.
  2. Focus – The focus of both HIPAA and HITRUST is on the healthcare industry, with HITRUST branching into other industries in recent years.
  3. Requirements – When it comes to controls or requirements, both frameworks have administrative, technical, and physical safeguards. HITRUST can include HIPAA on the HITRUST framework for an r2 assessment.

Differences

  1. Regulatory vs. Compliance – HIPAA compliance is mandatory by federal law; HITRUST certification can be required by certain customers and can include certain regulatory laws and requirements.
  2. Industry – HIPAA is specific to healthcare entities and business associates who maintain PHI, while HITRUST can apply to several types of businesses.
  3. Process – HIPAA can be done as a self-assessment or by contracting with a third-party auditor or consultant. HITRUST provides a formalized certification process with differing levels of assurance and criteria.

As seen above, HITRUST and HIPAA share several similarities and differences. Both can provide guidelines for creating a cybersecurity program and protecting user data, including patient data. A further benefit of HITRUST is that HIPAA can be layered on using the r2 certification, which can provide an added level of assurance that its requirements are considered.

McKonly & Asbury is a HITRUST-approved third party assessor that can perform HITRUST readiness assessments and external validated assessments (e1, i1, and r2). McKonly & Asbury is also experienced in aiding clients in identifying and implementing the controls needed to pass a HIPAA compliance audit. For more information on these services and more, be sure to visit our HITRUST and HIPAA assessment pages, and please contact our team with any questions.

About the Author

Chris Fieger

Chris joined McKonly & Asbury in 2019 and is currently a Senior Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology Consulting Practice, performing SOC 1, SOC 2, and SOC 3 engageme…