
HITRUST vs HIPAA: What is the difference?

Apr 09, 2020

Medical records are juicy treasure troves of information, full of contact and payment data, medications, insurance info, Social Security numbers and more. There’s enough info in a medical record to steal someone’s identity and commit insurance fraud, medication fraud, financial theft, even blackmail.

Perhaps that’s why medical data breaches surpass financial breaches today. And perhaps that’s why you may be hearing “HITRUST®” pop up more in your industry news feeds.

But what exactly is HITRUST, and what does it mean in terms of HIPAA?

Since there is no official certification for HIPAA, healthcare organizations are left to their own devices to figure out if they have sufficient security in place to protect their patients’ health information. HITRUST has stepped in to fill that void.

HITRUST has developed and continuously maintains the HITRUST CSF®, a comprehensive risk- and compliance-based framework that is comprised of tailorable security and privacy controls that healthcare organizations can use to validate and prove they have implemented and are maintaining appropriate controls to safeguard protected health information (PHI).

HIPAA: High-level regulation

The Health Insurance Portability and Accountability Act (HIPAA) was never meant to be prescriptive. First enacted in 1996, the law includes the Privacy and Security Rules, which became law in 2003 and 2005, respectively. Whatever date you calculate from, it’s a long time ago. You can imagine how much has changed since then.

In order to address issues of longevity and wide-ranging applicability, the HIPAA rules were designed to be high-level requirements. There’s no detail to go on. That means, to some extent, organizations were forced to define for themselves what it means to be HIPAA compliant.

For example, the HIPAA rule says you must have passwords. But it says nothing about how long or complex they must be, or how often they must change. So it’s up to the organization to decide how strict its password controls need to be. As another example, HIPAA states that organizations will perform a periodic risk analysis, but it does not define “periodic” or even what a risk analysis is.

It makes sense that HIPAA rules don’t come with a strict, cookie-cutter approach. HIPAA was designed to allow organizations to implement safeguards based on the size and complexity of their organization.

That kind of flexibility is necessary. But it makes for a vague regulation, allowing organizations to make subjective decisions based on bias, misinformation or lack of expertise, which weakens the regulation’s impact and puts many healthcare organizations (and their patients) at risk.

HITRUST: A living, breathing how-to

HITRUST picked up on the struggle organizations were having as they puzzled through how to implement HIPAA effectively. The HITRUST framework was built on established information security industry standards to give organizations a prescriptive set of controls that meet the requirements of not only HIPAA but also other applicable regulations and standards.

So, while HIPAA is a law that everyone must abide by, HITRUST is a means to do that.

HITRUST builds its framework on accepted industry standards, and the HITRUST CSF is updated at least annually. If you want to keep up with current practices for information security program management, access control, password management, continuity planning, risk management, mobile device management — up to 19 different domains — HITRUST is the way to do that.

And healthcare organizations DO need to keep up. The government and the courts are no longer allowing organizations to tick the box and stick their head in the sand. Today’s medical data breach lawsuits all revolve around what you should have done in terms of common sense, risk management and industry best practices.

HITRUST: Save time and resources

As an added advantage, HITRUST recognizes that healthcare organizations have more rules and regulations than HIPAA to worry about. It can become something of a consolidated audit program to help your organization comply with any number of regulations, from payment card rules to CMS Minimum Security Requirements, Joint Commission, the FTC Red Flags rule, specific state laws and more.

Since many HITRUST CSF controls overlap other regulations, the framework is designed so healthcare organizations can save time and money running one audit process that meets multiple compliance assessments — hence HITRUST’s Assess Once, Report Many™ message.

HITRUST: Assessment or certification

Again, part of what makes HITRUST compliance different from HIPAA is that it’s certifiable. As a healthcare organization, you can’t get certified in HIPAA compliance. With the HITRUST CSF, you and your patients and business partners all get a solid level of assurance you’re doing what needs to be done.

With a HITRUST assessment from Wipfli, you can choose the level of review and validation:

  • Assessment: Organizations may opt for a HITRUST CSF Readiness Assessment as a tool to learn best practices and review their controls. These self-attestations include a formal report issued by HITRUST, but they are not eligible for certification.
  • Certification: Organizations can perform a third-party attested HITRUST CSF Validated Assessment and, based upon meeting scoring criteria, become HITRUST CSF Certified. HITRUST CSF Certification is good for 24 months, but you must maintain policies and procedures, demonstrate implementation of controls and undergo an interim assessment at the one-year mark, or you could lose your HITRUST certification. Organizations that fail to meet certification criteria are issued a HITRUST CSF Validated Assessment Report, which is valid for one year after issuance.

To get certified, you must work with an Authorized HITRUST External Assessor like Wipfli. As a guide, we can help you understand your requirements and options. We can help you develop actionable policies and procedures, map your data flow so you understand every system your data touches, where it interacts with others’ systems and where it’s vulnerable. Once you’re ready for certification, we can help by validating the effectiveness of your controls through testing and documentation review.

Whether you intend to pursue certification or not, a HITRUST assessment provides immense value in terms of protecting sensitive data.

Know where you’re vulnerable

Wipfli was one of the first HITRUST certified assessors in the country. If you are ready to start an assessment, or you would like to learn more about how Wipfli can help you manage risk and compliance, contact us.

Author(s)

Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Director, Risk Advisory Services