How HITRUST Can Help Healthcare Organizations Prove HIPAA
Key Takeaways
- HITRUST Strengthens HIPAA Compliance: Built on HIPAA requirements and NIST security practices, HITRUST provides a structured, certifiable framework that helps healthcare organizations demonstrate compliance with HIPAA.
- Supports the HIPAA Safe Harbor Defense: A HITRUST certification can serve as strong evidence of an organization’s good-faith security efforts during an OCR investigation, potentially influencing enforcement decisions and penalties.
- Provides Independent Validation: Unlike self-attested frameworks, HITRUST assessments are independently validated and certified, offering greater assurance that security controls are implemented effectively.
- Translates HIPAA into Actionable Controls: HITRUST converts HIPAA’s broad security requirements into prescriptive, measurable, and testable controls that organizations can consistently implement and maintain.
- Associated with Stronger Security Outcomes: HITRUST reports significantly lower breach rates among certified organizations, suggesting that its rigorous security framework can help reduce cybersecurity risk in healthcare.
HITRUST is a voluntary, certifiable security and compliance framework that was built off the HIPAA privacy rules, security controls, and NIST security practices. This makes the HITRUST framework a strong defense under the HIPAA Safe Harbor provision.
HIPAA Act and Requirements
HIPAA (Health Insurance Portability and Accountability Act) is a federal mandate enacted in 1996 to provide portable health coverage for individuals and to protect individual health information and privacy. As a federal law, it requires all healthcare organizations and their business associates that handle PII (Personally Identifiable Information) to protect individual health information. HITECT, the enforcement mechanism for HIPAA, was enacted in 2006 and is handled by the Office of Civil Rights (OCR) of the Human Health Service Department. The OCR is charged with enforcing HIPAA, other federal civil rights, and privacy laws related to healthcare.
To address the need for healthcare security, the HITRUST framework was created in 2007 as a coalition of major healthcare organizations to navigate the ambiguity of HIPAA. In 2009, HITRUST Common Security Framework (CSF) was established to provide a pathway to validation and certification of HIPAA compliance.
HIPAA Safe Harbor Defense
The HIPAA Safe Harbor provision notes that the OCR must weigh evidence in its enforcement decision and how it is required to consider how security practices were in place when determining the fine and penalties, the scope of the corrective actions, the extent of its audits, and the resolutions and settlements. OCR is only required to consider the good faith efforts of an organization’s security practices; however, historically, OCR has shown to have rewarded proven good faith efforts.
In the event of an OCR event, HITRUST offers a strong defense. Whether triggered by a breach, a complaint, or a random or targeted audit, a HITRUST assessment can prove that the recognized NIST security practices where in place.
HITRUST’s Assessment Strength
In the 2025 Trust Report, HITRUST cites a 99.62% breach-free statistic compared to the broader industry’s 60%, which means roughly less than 1% of HITRUST-certified entities have reported a breach compared to the 40% for all industries that are not in the HITRUST-certified environment. In Verizon’s 2025 Data Breach Report, healthcare represents 34% of breaches in 2025 while HITRUST reports that healthcare is 24% of its certified environment.
HITRUST proves HIPAA compliance through prescriptive, testable controls mapped to HIPAA requirements and NIST security practices. HITRUST translates HIPAA’s high-level requirements into concrete control requirements that are consistent and measurable over time for corrective actions. Unlike NIST which allows for self-attested, HITRUST provides independently validated assessments through HITRUST’s quality assurance procedures where only HITRUST validates and certifies the e1, i1, and r2 assessments.
McKonly & Asbury’s SOC and HITRUST teams are available to assist your organization in evaluating what assessment report best fits your needs. For more information, be sure to visit our HITRUST and System and Organization Controls (SOC) service pages, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding HITRUST, SOC reports, and our services.
About the Authors
Chris Fieger, CPA, CISA, CISM, CCSFP, CCP is a Senior Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology Practice, performing SOC 1, SOC 2, and SOC 3 engagements, as well as HITRUST an… Read more
Josh Bantz, CPA, CCSFP, CHQP, CISA, CCP is a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice, HITRUST and CM… Read more