HITRUST vs. HIPAA: What’s the Difference?

Passed by Congress and signed into law in 1996, the Health Insurance Portability and Accountability Act (HIPAA) sets data privacy and security provisions for safeguarding medical information. While it has been more than 20 years since this act was put into law, the HIPAA remains relevant for many firms up to this day.

One identity that is closely associated with HIPAA is Health Information Trust Alliance (HITRUST). But many are confused with these two, thinking that HITRUST is the same as HIPAA. Continue reading to learn more about HITRUST vs. HIPAA in this article. 

 

What is HIPAA?

HIPAA is the main federal law protecting healthcare information. It contains five titles or sections with key objectives such as allowing individuals to transfer or continue their health care insurance after changing or losing a job. Other objectives include reducing healthcare fraud and abuse and mandating industry standards for healthcare information on electronic billing.

It was only in 2003, however, when the United States Health and Human Services (HHS) Department issued the landmark national data privacy rule under HIPAA. The said rule gives individual rights to protected health information (PHI) and explains how covered entities can use and disclose it. If a covered entity would disclose health information for purposes not permitted by the privacy rule, then it should seek first written consent from the consumer using valid HIPAA certification. The entity must specify how the information is to be used.

It was also during that year when the HHS introduced the security rule which sets the standards for safeguarding electronic healthcare information and the enforcement rule which sets the compliance and penalties for violating the HIPAA.  Under this rule, covered entities are to assess their potential risks and take feasible and appropriate measures to control or mitigate said risks.

The HIPAA defines health information as any information created or received by a covered entity pertaining to a patient’s past, present, or future physical or mental condition. It can also pertain to information regarding treatment provided to an individual as well as the past, present, or future payment for a healthcare service that an individual receives. It can exist in any form or medium like electronic, oral, or paper.

Also Read: Top 5 Components of HIPAA Privacy Rule

The said legislation also calls ‘individually identifiable health information’ any health information that can identify an individual. This includes name, date of birth, social security number, and address of a patient.

 

Assess your HIPAA / HITECH compliance

 

Amongst the covered entities are:

•  Healthcare providers such as doctors, dentists, nurses, and establishments or entities like urgent care clinics, nursing homes, hospitals, pharmacies. Under the HIPAA, healthcare providers must comply only if they electronically transmit health information in connection with their covered transactions.  But since most providers these days transmit patient information electronically, it can be said that most healthcare providers are covered by the HIPAA.
• Health plans offered by health maintenance organizations (HMOs), health insurance companies, group health plans shouldered by employers, government-backed health plans, and other health care arrangements paid for by companies. 
• Healthcare clearinghouses which serve as a go between for health care providers and health plans. 

Also Read: What Rights do you have under HIPAA?

The HIPAA also stipulates that covered entities execute written contracts with business associates to ensure that they are safeguarding patient information according to HIPAA standards. Business associates are entities that perform services without patient interaction such as:

•     Actuarial
•     Accounting
•     Billing
•     Consulting
•     Data aggregation
•     Data analysis
•     Data transmission
•     Processing/administering claims
•     Quality assurance
•     Patient safety activities

HIPAA also states that covered entities ensure that their subcontractors comply with its rules. Subcontractors are entities that create, maintain, or transmit protected health information. 

 

 

The said legislation, however, stipulates that only covered entities, their business associates,  and subcontractors comply with HIPAA. This means that other individuals, institutions, or entities that handle health information are not required to comply with HIPAA. Among these are:

•     Insurance companies
•     Workers’ compensation insurance firms
•     Marketers
•     Fitness clubs
•     Health and fitness mobile apps
•     Schools
•     Alternative medicine practitioners
•     Law enforcement agencies
•     Courts

 

What is HITRUST?

HITRUST is an industry-driven effort to meet HIPAA security laws through a common and certifiable framework for covered entities. This organization created and maintains the Common Security Framework (CSF) bringing together HIPAA but other compliance frameworks like National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO).

Founded in 2007 as a non-profit organization for developing and promoting programs to safeguard sensitive health information, HITRUST aims to fill the void that certain regulations like the HIPAA fail to address.

Its CSF is divided into the following19 domains:

•     Access control
•     Audit logging and monitoring
•     Business Continuity and Disaster Recovery
•     Configuration management
•     Data protection and privacy
•     Endpoint protection
•     Education, training and awareness
•     Information protection program
•     Incident management
•     Mobile device security
•     Network protection
•     Risk management
•     Password management
•     Physical and environment security
•     Portable media security
•     Transmission protection
•     Third party security
•     Vulnerability management
•     Wireless protection

Apart from the said domains, HITRUST has 135 controls and three distinct implementation levels. For an organization to get to one level, say level 2, it should cover all requirements for levels 1 and 2. Thus, getting to level 3 is the most challenging with the number of requirements to be accomplished.

 

Assess your HITRUST compliance

 

It is only when all the 135 controls are completely implemented that an entity can become fully compliant with HITRUST CSF. 

 

Differences between HITRUST and HIPAA

Based on the definition and scope of the two, one can deduct the key differences between HITRUST and HIPAA.

Nature

Perhaps the most glaring difference is that HITRUST is not a law like HIPAA. It is a private organization composed of healthcare providers such as physicians and hospitals as well as payers like insurance companies. It created the CSF, a certifiable framework for healthcare technology security designed to ensure compliance with HIPAA and other existing security frameworks.

HIPAA is a public law which can be considered a landmark legislation when it was enacted in the ‘90s.  Prior to its enactment, there were no security standards or requirements for protecting health care information. 

 

Compliance 

There is also a glaring difference in the compliance process between HIPAA and HITRUST.  HIPAA has guidelines for compliance although it does not have a clear blueprint that covered entities can follow. 

Integral to compliance in HIPAA is yearly security and privacy risk analysis. HIPAA requires covered entities to analyze specific risks and vulnerabilities that their organizations face, and take reasonable and appropriate measures to eliminate potential risks to healthcare information such as the adoption and execution of security and privacy controls.

The said legislation takes into account that covered agencies face various security risks built on factors like size and scope. It thus designed the Security Rule to be workable and scalable in order for a covered entity to take necessary policies, procedures and controls appropriate to its size, organizational structure, and the risks it faces.

 

 

The risk analysis of a covered entity should address fundamental issues such as the flow of PHI in the organization, including where the information is stored and how it is created, received, or transmitted.  Covered entities are also responsible for how their business associates or third party service providers handle PHI. Covered entities must be aware of any hardware, software, and storage that come in contact with protected health information at any given time.

HIPAA requires risk analysis every year although it is strongly recommended that risk analysis be viewed or treated as an ongoing, dynamic process.

The risk analysis required in HIPAA compliance should also cover how current IT systems makes the covered entity vulnerable. Moreover, it requires covered entities to identify ways to minimize human errors such as employee negligence in handling protected health information like the incorrect  storage of information or transmission of data to the wrong party, as well as being a victim of phishing scams, amongst others.

A risk management plan is integral to the risk analysis required for HIPAA compliance. Aside from identifying vulnerabilities within the organization, the covered entity should assess the severity of each threat and more importantly, put controls to mitigate those threats based upon potential impact.

HIPAA also requires covered entities to assign a compliance officer, or a person qualified to oversee their compliance program. The compliance officer will ensure that the covered entity complies with both internal policies and external regulatory requirements. 

Self-audits are also integral to HIPAA compliance as the law requires covered entities and their business associates to conduct yearly audits to assess gaps in compliance with HIPAA.

Also Read: How to File a HIPPA Compliant?

Once covered entities and their business associates have determined gaps in compliance, implementation of remediation plans should be followed to reverse compliance violations. These plans should be fully documented with calendar dates to identify when and which gaps will be addressed.

Policies and procedures corresponding to regulatory standards should then be developed by covered entities and business associates. These must be regularly updated. It is also required that covered entities and business associates conduct annual staff training and document employee attestation proving that employees understood the policies and procedures.

Unfortunately, HIPAA lacks the prescription essential for actual implementation by covered entities despite the numerous standards and implementation specifications. It also does not help that HHS does not offer guidance to organizations on how to interpret and implement appropriate and reasonable safeguards.

There have also been cases in the past when covered entities simply signed business associate agreements to attest that they have complied with HIPAA. This has resulted in a ‘take your word for it’ approach to the law, which became a big issue to healthcare providers. 

On the other hand,  HITRUST lays out an exhaustive certification process for achieving compliance with various security frameworks, which cannot be said of HIPAA. Compliance to its CSF is a more thorough and complicated process when compared to HIPAA compliance. 

HITRUST compliance and certification addresses the market need for enhanced HIPAA assurance.  It is for this reason that HITRUST CSF is typically used or leveraged for compliance with HIPAA.

Serving not only as a compliance tool but also a governance and risk mechanism, the CSF is tailored to the unique system of each organization. As for the healthcare industry, the requirements of HITRUST are based on ISO 27001.

 

 

There are three steps toward HITRUST compliance:

1. Assessment

For most organizations, the first step towards the HITRUST compliance journey is conducting the self-assessment portion. In some instances, the engagement of a third-party assessor is done although this is not a prerequisite. Organizations can perform this step as long as they are honest and thorough. 

Depending on factors like the size of the organization and the scoped environment, self-assessment would take 2 to 8 weeks. This will be followed by an independent assessment, this time conducted by a third party assessor. 

 

2. Scoping

This straightforward process involves determining which of the 19 domains apply to the company, as well as the more than 130 controls and 700 potential requirements.

Once the scope of the project has been decided there comes a complex and thorough process involving the documentation of policies, risk assessments, technical documentation, and configuration. 

 

3. Validation and certification

The longest stage, this is the so-called moment of reckoning where an assessor will validate the entries in the CSF of the covered entity. The organization should provide evidence that it is operating in accordance with the policies and procedures documented in the CSF. An experienced auditor/assessor can help covered entities during this stage. 

 

In short, HITRUST compliance has become the highly-regarded compliance framework in the healthcare industry. Working with a certified HITRUST assessor like RSI Security can give an organization the edge over the competition especially during this era when cybercrime and data security problems are serious issues dodging the industry. 

 

 

---

Download Our HITRUST Compliance Checklist

Assess where your organization currently stands with being HITRUST compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.