Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) establishes crucial data privacy and security rules for protecting medical information. Despite its age, HIPAA remains pivotal in today’s regulatory landscape. Closely associated with HIPAA is the Health Information Trust Alliance (HITRUST).
However, the two are often confused, and some mistakenly believe that HITRUST is synonymous with HIPAA. Continue reading to learn more about HITRUST vs. HIPAA and how they differ.
What is HIPAA?
HIPAA is the primary federal law safeguarding healthcare information and consists of five titles. Its key objectives include facilitating health insurance portability, reducing fraud and abuse in healthcare, and establishing industry standards for electronic billing information.
In 2003, the U.S. Department of Health and Human Services (HHS) issued the landmark national data privacy rule under HIPAA. This rule grants individuals rights over their protected health information (PHI) and outlines how covered entities may use and disclose it.
Covered entities must obtain written consent from consumers using valid HIPAA certification before disclosing health information for purposes not permitted by the privacy rule, and the entities must specify the intended use of the information.
Covered entities are also required to assess their risks and implement feasible measures to manage and mitigate them effectively.
Amongst the covered entities are:
- Healthcare providers, including doctors, dentists, nurses, urgent care clinics, nursing homes, hospitals, and pharmacies. All are subject to HIPAA regulations if they electronically transmit health information for covered transactions. Given the prevalent use of electronic transmissions in healthcare today, most providers fall under HIPAA coverage.
- Health plans, such as those offered by HMOs, health insurance companies, employer-sponsored group health plans, government-backed plans, and other employer-funded healthcare arrangements, are all deemed covered entities.
- Additionally, healthcare clearinghouses, which act as intermediaries between providers and health plans, are subject to HIPAA requirements.
In the same year, HHS introduced the Security Rule and the Enforcement Rule. The Security Rule establishes standards for protecting electronic healthcare information, and the Enforcement Rule defines compliance procedures and penalties for HIPAA violations.
HIPAA defines health information as data related to a patient’s current, past, or future physical or mental health, treatments received, and payment history.
This information can be in electronic, oral, or paper format. The legislation also categorizes ‘individually identifiable health information’ as any data that can directly identify an individual, such as name, date of birth, social security number, and address.
HIPAA also requires covered entities to establish written contracts with business associates to ensure that they safeguard patient information according to HIPAA standards. Business associates are entities that perform services without direct patient interaction, such as:
- Actuarial
- Accounting
- Billing
- Consulting
- Data aggregation
- Data analysis
- Data transmission
- Processing/administering claims
- Quality assurance
- Patient safety activities
In addition, HIPAA states that covered entities must guarantee that their subcontractors comply with its standards. Subcontractors are entities that create, maintain, or transmit protected health information.
However, HIPAA only stipulates that covered entities, their business associates, and their subcontractors comply with the regulations. This means that other individuals, institutions, or entities that handle health information are not required to comply with HIPAA. Some examples are:
- Alternative medicine practitioners
- Courts
- Fitness clubs
- Health and fitness mobile apps
- Insurance companies
- Law enforcement agencies
- Marketers
- Schools
- Workers’ compensation insurance firms
What is HITRUST?
HITRUST is an industry initiative aimed at achieving HIPAA security compliance through a unified and certifiable framework for covered entities.
The organization developed and manages the Common Security Framework (CSF), which integrates HIPAA requirements with other compliance frameworks, such as those published by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).
Established in 2007 as a non-profit organization, HITRUST develops and promotes programs to protect sensitive health information. Its goal is to fill the void left by regulations such as HIPAA.
The CSF is divided into the following 19 domains:
- Access control
- Audit logging and monitoring
- Business continuity and disaster recovery
- Configuration management
- Data protection and privacy
- Endpoint protection
- Education, training and awareness
- Information protection program
- Incident management
- Mobile device security
- Network protection
- Risk management
- Password management
- Physical and environmental security
- Portable media security
- Transmission protection
- Third-party security
- Vulnerability management
- Wireless protection
In addition to the domains, HITRUST has 135 controls and three distinct implementation levels. To reach a given level, an organization must meet all the requirements of the previous levels as well. For example, to reach level two, an organization must satisfy all requirements for both level one and level two.
Level three is the most challenging to reach because of the number of requirements involved. An entity only becomes fully compliant with the HITRUST CSF when all 135 controls are completely implemented.
Differences between HITRUST and HIPAA
The key distinction between HITRUST and HIPAA can be broken down into the nature of the regulation and the compliance process.
Nature
The primary difference is that HITRUST, unlike HIPAA, is not a legal mandate but a private organization composed of healthcare providers, physicians, hospitals, and payers such as insurance companies.
It developed the CSF, a certifiable framework for healthcare technology security, aimed at ensuring adherence to HIPAA and other established security standards. HIPAA, by contrast, was enacted in the 1990s and is considered landmark legislation. Before its enactment, there were no security standards or requirements in place for protecting healthcare information.
Compliance
The second major difference between HIPAA and HITRUST lies in the compliance process. HIPAA provides compliance guidelines, but it does not offer a clear blueprint that covered entities can follow.
In contrast, HITRUST outlines a comprehensive certification process to achieve compliance with multiple security frameworks, which surpasses the scope of HIPAA. Adhering to its CSF also involves a more rigorous and complex process compared to HIPAA compliance.
Integral to HIPAA compliance is a yearly security and privacy risk analysis. HIPAA requires covered entities to analyze the specific risks and vulnerabilities their organizations face, and to take reasonable and appropriate measures to address them, such as adopting and executing security and privacy controls.
HIPAA takes into account that covered entities face different security risks depending on factors like size and scope. The Security Rule was therefore designed to be adaptable and scalable, allowing covered entities to implement policies, procedures, and controls suited to their size, organizational structure, and specific risks.
The covered entity should address fundamental issues in its risk analysis, such as the flow of PHI within the organization, including where the information is stored and how it is created, received, or transmitted.
Covered entities are also responsible for how their business associates and third-party service providers handle PHI. Covered entities must be aware of any hardware, software, and storage that comes into contact with protected health information at any given time.
HIPAA requires a risk analysis every year, although it is strongly recommended that risk analysis be treated as an ongoing, dynamic process. HIPAA compliance mandates that risk analyses cover the vulnerabilities present in current IT systems.
Additionally, covered entities must identify methods to reduce human errors, such as employee negligence in handling protected health information. This includes improper storage or transmission errors and susceptibility to phishing scams, among other risks.
A risk management plan is essential for HIPAA compliance and includes identifying vulnerabilities within the organization. The covered entity must assess the severity of each threat and effectively implement controls to mitigate potential impacts.
HIPAA also requires covered entities to assign a compliance officer, or a person qualified to oversee their compliance program. The compliance officer will ensure that the covered entity complies with both internal policies and external regulatory requirements.
Self-audits are also integral to HIPAA compliance as the law requires covered entities and their business associates to conduct yearly audits to assess gaps in compliance with HIPAA.
Once covered entities and their business associates have identified gaps in compliance, they should implement remediation plans to close them.
These plans should be fully documented with calendar dates to identify when each specific gap will be addressed.
Covered entities and business associates must develop policies and procedures that align with regulatory standards and update them regularly.
They are also required to conduct annual staff training and document employee attestation to ensure comprehension of these policies and procedures.
Unfortunately, HIPAA lacks clear directives for the actual implementation by covered entities, despite its numerous standards and specifications. Adding to the challenge, HHS does not provide sufficient guidance on interpreting and implementing appropriate safeguards.
In the past, some covered entities have treated signed business associate agreements as a form of compliance verification, leading to a problematic ‘take your word for it’ approach to the law that posed significant issues for healthcare providers.
HITRUST, on the other hand, provides the exhaustive, prescriptive certification process that HIPAA lacks, covering multiple security frameworks at once. Compliance with its CSF is a more thorough and complicated process than HIPAA compliance.
HITRUST compliance and certification address the demand for heightened HIPAA assurance. Organizations widely adopt the HITRUST CSF for HIPAA compliance, using it as both a compliance tool and a governance and risk management mechanism customized to their systems.
In the healthcare sector, HITRUST requirements are based on the ISO 27001 standard.
Taking the First Step Towards HITRUST Compliance
In short, HITRUST compliance has become a highly regarded compliance framework in the healthcare industry. HIPAA is a federal law that sets the standard for safeguarding health information.
HITRUST takes this a step further and establishes a comprehensive framework and certification process for healthcare security compliance where directives may otherwise be unclear under HIPAA alone.
Working with a certified HITRUST assessor like RSI Security can give an organization an edge over the competition, especially in an era when cybercrime and data security problems are serious issues dogging the industry.
Stay ahead of HIPAA breaches: download our HIPAA Checklist and close your compliance gaps today.