HITRUST Certification vs HIPAA: What You Need to Know

Medical practitioners and clinical science professionals are often faced with cybersecurity problems when protecting patient or subject data. Traditionally, you hear about practices needing to uphold standards so that they are Health Information Portability and Accountability Act (HIPAA) compliant. One of the downsides of HIPAA's regulatory practices is that they lack a certification system to ensure compliance on the part of a medical group's data security.


That’s where HITRUST comes in. HITRUST stands for Health Information Trust Alliance, and it’s an entity that unites different pillars of regulatory compliance to make it easier for medical practices to meet HIPAA standards. It carries multiple certifications in different cybersecurity areas, and achieving HITRUST certification ensures HIPAA, FTC, and other data security protocol compliance.


Today, we will explain the difference between HIPAA vs. HITRUST certification and how both are critical benchmarks for medical practices' data network integrity.


Related: Best Cyber Security Frameworks for 2018


So, What’s HITRUST?

HITRUST, or Health Information Trust Alliance, is a non-profit organization that seeks to unify the standards set by regulatory agencies, including HIPAA, and implement certifications for medical practices. This is because HIPAA is, at its base, a law, and does not offer a certification for these groups; thus, HITRUST filled this gap by providing clinical professionals an opportunity to ensure compliance and, in a way, "prove" that they were operating according to HIPAA standards.


In the past, medical professionals signed off that they were HIPAA compliant, but this was problematic for several reasons:

  • There was no genuine quality assurance for their database security system.
  • There was no system for checking problems in their database and confirming compliance with HIPAA.
  • This placed the medical field pretty much on an honor system where they assured HIPAA of compliance, despite there possibly being risks to their patients' health data.


Some practitioners were trailblazers and asked HITRUST assessors to review their systems, and many went on to receive certifications. This practice continues today, and there are many more types of certifications available depending on the exact practices and their needs, especially with the rise of cloud computing in medicine.

Well, What’s HIPAA?



HIPAA stands for the Health Information Portability and Accountability Act, a federal law regulating the collection, logging, and exchange of information that is considered personal health information (PHI). It specifically protects a patient’s rights to their health information and ensures strict confidentiality in medicine and clinical research. A physician can never speak about your health condition outside of the direct communication necessary for your continued medical care under this law. It is also why researchers can never release your PHI or share it with other researchers without your explicit written consent.


Are you still unsure of how to satisfy HITRUST and HIPAA standards? Let our team at Cyber Security Resource guide you through the process!


HITRUST Certification

Getting certified by HITRUST is a lengthy process, but it ensures that your medical practice is in compliance with local, state, and federal authorities. HITRUST is a framework that incorporates multiple guidelines set by regulatory agencies and centralizes them into a common network; this is why they refer to their framework as the Common Security Framework.


The HITRUST Common Security Framework contains at least 75 core statements that need to be satisfied in order to receive certification. The software for the framework, myCSF, is very similar to an electronic case report form capturing system and allows submitters to upload evidence for an accredited HITRUST assessor to review.


Related: Vulnerability Assessment vs. Penetration Testing: What’s the Difference?

Differences Between HITRUST and HIPAA Certifications

The main difference between HITRUST and HIPAA certifications is that HIPAA has no certification. A business that claims to be HIPAA certified is mistaken, as there is no such certification. HITRUST is an agency that provides a framework that makes it easier for medical and research groups to satisfy HIPAA requirements and assure compliance.


HITRUST certification also does not protect you from the potential consequences of non-compliance and weak security. HIPAA has a specific penalty system that handles breaches of the act in a systematic way; this is a key difference, because HITRUST neither imposes such penalties nor shields you from them.


Another key difference is how HITRUST is arranged as a framework; in many ways, it is much clearer than HIPAA is in its guidelines. HIPAA does not give specific guidelines for medical groups, making it difficult for practitioners to satisfy their requirements. HITRUST fills in the blanks and gives these organizations the chance to prove their compliance with clear benchmarks.

How can you become HITRUST Certified?

HITRUST certification involves either self-assessment or submission to a HITRUST assessor by way of their online platform. A self-assessment is a good first step, but submitting to HITRUST and being assessed by them may give you more peace of mind.


Medical practices can use these self-assessment tools to do annual training. Again, while they are a useful tool, a full audit by an assessor will ensure gaps in knowledge are filled.


There are multiple domains that medical practices can be certified in, including those more focused on cybersecurity, data management, and network protection. After two years, the certification expires, and this is mainly to account for changing technologies and practices.

I’m HITRUST Certified. Does That Mean I’m HIPAA Compliant?

Not necessarily. HITRUST provides the framework for practices to meet HIPAA standards, but this does not completely guarantee that you are in compliance. Effective implementation of HITRUST's training and suggestions should make meeting HIPAA standards much easier. It demonstrates that you are taking a proactive approach towards data protection for your patients.


Related: Network Security vs. Cybersecurity vs. Information Security

How Can You Prepare Yourself For Cybersecurity Threats?



HITRUST is a great starting point for medical practices, but employing their standards can be difficult unless you know precisely how to achieve better cybersecurity. That's where our team at Cybersecurity Resource comes in! We know that managing a medical practice means dealing with threats from anywhere and everywhere, with threats to your information security, cybersecurity, and network security abounding.

Closing Thoughts

Cybersecurity threats are everywhere, and keeping your patients and clients safe means being educated on the best security practices for your business. HITRUST and HIPAA are best implemented as necessary protocols for protecting your data and your patients.


We pride ourselves on our knowledge of current cybersecurity practices! Contact our team to find out how we can make your patient data more secure and in compliance with HITRUST and HIPAA.
