HITRUST vs HIPAA: What is the difference?

Medical records hold more than just health data — they’re full of personal, financial and insurance information that criminals can exploit for identity theft, fraud and blackmail. It’s no surprise, then, that the number of medical data breaches has been rising for years.
As healthcare data breaches become bigger news, you may be hearing more about HITRUST, too. So, what is HITRUST? And how does it relate to the Health Insurance Portability and Accountability Act (HIPAA)?
The HITRUST Common Security Framework (CSF) provides a comprehensive, risk-based framework for creating and implementing security and privacy controls. Unlike HIPAA, which has no official certification process, HITRUST CSF certification offers a formal way for healthcare organizations to validate their security and privacy practices. It’s designed to help organizations safeguard protected health information (PHI) and prove they’ve done so.
HIPAA: A high-level, flexible regulation
HIPAA was first enacted in 1996. Its Privacy Rule and Security Rule became law in 2003 and 2005, respectively, long before today’s cybersecurity landscape was formed.
To remain broadly applicable over time, HIPAA rules were designed with high-level, flexible requirements. But that flexibility creates challenges. HIPAA provides little to no detail on how organizations should safeguard PHI. It’s up to organizations to define what it means to be HIPAA compliant.
For example, HIPAA requires organizations to have passwords, but it doesn’t specify their length, complexity or how often they must be updated. HIPAA also requires organizations to perform periodic risk analysis, but it doesn’t define what “periodic” means or what a risk analysis should include.
Flexibility allows safeguards to scale based on an organization’s size and complexity (which is necessary), but it also leaves room for inconsistent or inadequate compliance. Without clear benchmarks, healthcare organizations may rely on outdated practices or incomplete interpretations. Or their interpretations may fall short because of bias, misinformation or a lack of expertise. Ambiguity around the standards can put healthcare organizations and patients at risk.
HITRUST: A prescriptive framework for HIPAA compliance and more
Recognizing these gaps, HITRUST created a framework to help organizations implement HIPAA more effectively. The HITRUST framework provides a prescriptive set of security and privacy controls that address HIPAA and map to other regulatory requirements and industry standards.
In short, HIPAA is a law that organizations handling PHI must abide by; HITRUST is a means of achieving and demonstrating HIPAA compliance.
Unlike HIPAA, which rarely changes, the HITRUST CSF is regularly updated and maintained. The most recent version, 11.5.0, was released in April 2025. It covers 19 different domains, including access control, password management, risk management and business continuity planning — areas healthcare organizations need to keep current on.
With healthcare data breaches and legal scrutiny both rising, “ticking the box” isn’t an acceptable security approach. Today’s medical data breach lawsuits typically revolve around what organizations should have done, and fault is assigned by weighing everything from common sense to industry best practices.
HITRUST certification provides a structured, evidence-based way to demonstrate your organization’s approach to risk management. Pursuing HITRUST certification as proof of HIPAA compliance is one way to strengthen security and reduce your organization’s legal exposure.
HITRUST can streamline compliance
HITRUST covers more than HIPAA requirements. In fact, it’s designed to help healthcare organizations manage multiple compliance obligations through a single, streamlined process.
The HITRUST framework can help healthcare organizations save time and money by running one audit process that meets multiple regulations and standards, including:
- The Payment Card Industry Data Security Standard.
- CMS minimum security requirements.
- Joint Commission standards.
- The FTC Red Flags Rule.
- State privacy and security laws.
Because so many HITRUST controls overlap with the requirements of other regulations and standards, organizations can reduce their compliance effort by leveraging HITRUST’s “Assess Once, Report Many” approach.
What’s the difference between a HITRUST assessment and HITRUST certification?
While HIPAA has no official certification, HITRUST offers two distinct pathways for validation: a HITRUST assessment and HITRUST certification. The key difference is the level of assurance.
- A HITRUST assessment is a self-assessment that helps organizations evaluate their current security and compliance practices. It results in a formal report issued by HITRUST, but it is not a certification. This option is ideal for organizations that want to identify gaps, learn best practices or prepare for a future certification. For that reason, you often hear assessments referred to as HITRUST readiness assessments.
- A HITRUST certification requires a third-party validated assessment conducted by an authorized HITRUST external assessor, such as Wipfli. If your organization meets the HITRUST scoring criteria, it achieves HITRUST certification status for 24 months. To maintain certification, you must complete an interim assessment at the one-year mark and continue to implement and document the required controls. Organizations that do not meet the certification criteria are issued a HITRUST CSF Validated Assessment Report, which is valid for one year.
Both assessment types provide value. A readiness assessment helps you understand where you stand and how to improve to prepare for HITRUST certification. A validated assessment can lead to formal certification, which provides a higher level of assurance to customers, partners and regulators.
How to get HITRUST certified
Certification isn’t something organizations can achieve on their own. It requires expert validation through a formal assessment process.
Your HITRUST external assessor can also act as a guide, helping you navigate every step of the certification process. Look for someone who will:
- Help you understand HITRUST CSF certification requirements and options.
- Develop actionable policies and procedures that map to HITRUST standards.
- Map your data flow so you understand where your data lives, moves and is vulnerable.
- Explain how to test and validate controls to confirm they are fully implemented and effective.
- Offer templates and examples to ensure a successful documentation review.
Whether you intend to pursue HITRUST certification or start with a HITRUST assessment, the process should deliver immense value in terms of protecting sensitive data.
How Wipfli can help
Wipfli was one of the first HITRUST authorized external assessors in the country. If you are ready to improve how you manage risk and compliance, contact us.