Despite all the attention given to credit card breaches, medical records are the real crown jewel for cybercriminals. Packed with contact information, social security numbers, payment data, and plenty more, they provide everything needed to steal someone’s identity and commit an array of fraud.
It’s for good reason that healthcare is one of the most regulated industries. But within its tangle of regulatory requirements, two create an inordinate amount of confusion: HITRUST and HIPAA.
The two acronyms sound similar and both address data protection, so it’s common for people to believe they’re essentially the same. However, HITRUST and HIPAA play separate but related roles in securing patient data.
To understand how they work together to help improve the security of your organization and help you meet your regulatory responsibilities, it’s necessary to first look at each of them individually.
What is HIPAA?
Most organizations are probably familiar with HIPAA, or the Health Insurance Portability and Accountability Act. Passed by Congress in 1996, it set national standards and regulations that govern the handling of patient data collected by doctors, hospitals, health insurance companies, and other healthcare providers and their business associates.
HIPAA security and privacy requirements are defined by several interlinked regulatory rules. The most critical to be aware of are:
- HIPAA Privacy Rule: This rule sets national standards for the use and disclosure of protected health information (PHI). PHI covers a broad set of identifiers found in an individual's medical and billing records, including contact details, social security numbers, financial data, diagnoses and treatments, and other personal identifiers. It applies directly to HIPAA covered entities; business associates are bound to it through their business associate agreements and, since the 2013 Omnibus Rule, are directly liable for certain of its provisions.
- HIPAA Security Rule: This rule provides specific standards for PHI that is created, stored, transmitted, or received electronically, known as ePHI. It addresses the administrative, physical, and technical safeguards healthcare organizations must implement to secure ePHI. Because electronic data is routinely shared, this rule applies to both HIPAA covered entities and their business associates, the service providers that create, receive, maintain, or transmit PHI on their behalf.
- HIPAA Breach Notification Rule: This rule outlines the procedures HIPAA covered entities and their business associates must follow when unsecured PHI is breached, including whom to notify and how quickly.
- HIPAA Enforcement Rule: This rule details the procedures and penalties relating to HIPAA violations.
The Department of Health and Human Services (HHS) issues the HIPAA rules, and its Office for Civil Rights (OCR) enforces them. Non-compliance with HIPAA can result in civil and criminal penalties. Civil penalties are divided into four tiers based on the level of culpability; as originally set, they reach $50,000 per violation, with an annual cap of $1.5 million per identical provision (HHS adjusts these figures for inflation). Criminal violations carry penalties of up to 10 years in prison.
What is HITRUST?
HITRUST stands for the Health Information Trust Alliance. It's a private organization that created and maintains a standardized, certifiable framework called the HITRUST CSF. The CSF outlines a set of controls that harmonize the requirements of multiple existing standards and regulations, including HIPAA, into a single control set. Organizations can use the HITRUST CSF to implement HIPAA-compliant practices and to demonstrate they have the right security controls in place to reduce the risk of a breach of sensitive patient data.
The HITRUST CSF maps each CSF control to the specific HIPAA standards and implementation specifications it satisfies, and each CSF control has multiple implementation levels with progressively stricter requirements. This allows organizations to scope their security measures according to their type of business, size, systems, and regulatory obligations.
HITRUST offers organizations three levels of assessment it calls Degrees of Assurance. Each assessment builds on the previous one and requires more time and effort to complete:
- Self-Assessment: Organizations perform their own assessment using HITRUST's myCSF tool. At completion, the organization receives a self-assessment report detailing where it is in compliance and which areas need improvement.
- CSF Validated: After completing the self-assessment and implementing the corrective actions needed to meet the requirements, an organization engages a HITRUST-approved third-party CSF Assessor to verify the evidence it gathered, including through an on-site visit. The assessor then submits the results to HITRUST, which reviews them and issues a validated report.
- CSF Certified: For the final Degree of Assurance, HITRUST reviews the organization's submission together with the CSF Assessor's findings and, if the required control scores are met, grants the organization a HITRUST CSF Certification. The certification is good for two years, with an interim assessment at the one-year mark, after which the organization's compliance must be fully assessed again.
What are the differences between HITRUST and HIPAA?
Both HITRUST and HIPAA address regulatory compliance for healthcare organizations, so it’s understandable that some believe the two are interchangeable. It’s important to understand the differences between the two and how they work together so you can better meet your compliance responsibilities.
A critical difference is that HIPAA is a federal law implemented and enforced by government agencies, whereas the HITRUST CSF is a framework created and maintained by a private organization of security professionals. The HITRUST CSF can help healthcare companies achieve HIPAA compliance, but organizations are not required to use the framework, and holding a HITRUST certification is not, by itself, proof of HIPAA compliance in the eyes of regulators.
Another difference is that HIPAA is deliberately technology-neutral: it states what must be achieved (for example, access control, audit controls, and transmission security for ePHI) but does not prescribe which specific practices or security controls organizations should adopt to get there. Its language is often open to interpretation, making it difficult for many companies to determine what measures they need to take to achieve compliance, and HHS offers no certification to validate their efforts. HITRUST attempts to provide companies clearer direction on what actions to take, along with a certification process to demonstrate compliance.
There's also a difference in how HIPAA and HITRUST are enforced. While non-compliance with HIPAA carries significant civil and criminal penalties, failing to follow the HITRUST CSF carries no legal penalty. Companies aren't required to adopt the HITRUST CSF, though healthcare organizations can effectively mandate it by requiring vendors and other business partners to obtain HITRUST CSF Certification as a condition of doing business.
HITRUST and HIPAA go hand in hand
Ultimately, HITRUST and HIPAA work together to simplify data protection and risk management for healthcare organizations. HITRUST dispels much of the confusion around HIPAA compliance by mapping clear controls to every HIPAA standard and specification. The HITRUST CSF Certification brings a healthcare organization a greater level of confidence in its data security and establishes it as a trusted business partner.
Working with a managed detection and response provider can help you demonstrate compliance with specific HITRUST CSF controls. With its deep visibility into your environment, it can provide you with a range of reports to help you understand where you meet the requirements of specific HITRUST CSF control categories and where you are falling short.
Interested in learning more about how Alert Logic can help with compliance? Read more about how Alert Logic MDR empowers and expedites compliance with security mandates, and if you'd like to talk with one of our compliance experts, click here.