Both HIPAA (Health Insurance Portability and Accountability Act) and HITRUST (Health Information Trust Alliance) aim to enhance security and privacy in healthcare. However, they offer different levels of comprehensiveness and are applied differently.
By knowing the features of each, healthcare organizations can make informed decisions regarding their compliance strategies and the level of security they seek to achieve.
This article explores the key differences between HIPAA and HITRUST, two critical frameworks that govern compliance in the healthcare industry.
HIPAA vs. HITRUST: Overview of Differences
HIPAA compliance is required by law for healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. On the other hand, HITRUST certification is optional and serves as a demonstration of security and compliance.
Achieving HITRUST certification does not automatically guarantee HIPAA compliance and should be viewed as a means to facilitate HIPAA compliance rather than a substitute for it. That said, HITRUST incorporates many of the HIPAA requirements and, when appropriately implemented, goes well beyond the baseline requirements of HIPAA.
What Is HIPAA?
HIPAA is a U.S. federal law enacted in 1996 that regulates the privacy, security, and confidentiality of medical patients' private information. HIPAA mandates that all protected health information (PHI) is handled in such a way as to minimize the risk of unauthorized access or disclosure.
HIPAA regulations primarily apply to:
- Healthcare providers, health plans, and healthcare clearinghouses (covered entities).
- Business associates who handle PHI.
- Full-time employees, part-time employees, and contractors who work for covered entities or business associates.
The Office for Civil Rights (OCR), a division of the U.S. Department of Health and Human Services (HHS), oversees and enforces HIPAA compliance. The OCR conducts comprehensive HIPAA compliance audits as the primary control mechanism. Non-compliant organizations face fines and penalties, further investigations, and reputational damage.
How to Become HIPAA Compliant?
Being HIPAA compliant involves implementing comprehensive policies and procedures that address the privacy, security, and breach notification rules of HIPAA.
While HIPAA defines specific rules, it does not prescribe a single universally applicable set of controls the way HITRUST does. The OCR assesses organizations on a case-by-case basis and expects organizations with higher risk to implement more robust security measures.
Audits typically occur following a data breach or patient complaint, and they require covered entities and business associates to prove that they have implemented "reasonable and appropriate" measures to protect PHI.
Here are the best practices for becoming HIPAA compliant:
Appoint a Privacy Compliance Officer
The HIPAA security rule mandates that organizations of all sizes hire a privacy compliance officer if they create, store, or transmit ePHI. Larger institutions often appoint a dedicated privacy officer, while smaller ones may assign the responsibility to an employee who also handles administrative or IT duties.
The role of the privacy officer is to oversee the creation, implementation, and maintenance of all policies and procedures related to the secure handling of PHI. They are responsible for promoting a culture of privacy and play a key role in workforce training and education.
Implement Security Measures
HIPAA requires covered entities and business associates to establish technical and physical safeguards to protect PHI. Depending on an organization’s risk profile, these safeguards may include:
- Access controls that limit access to PHI based on roles and responsibilities.
- Encrypted connections or virtual private networks (VPNs) to protect data in transit.
- Firewalls and Intrusion Detection Systems.
- Physical protection of facilities.
- Robust endpoint security and network security.
By fortifying these key areas, organizations can strengthen their defense against external and internal threats, effectively shielding PHI from cyber-attacks.
Healthcare organizations can significantly enhance their protection by adopting a zero-trust security strategy that verifies every user and device seeking access to sensitive data.
Conduct Regular Risk Assessments
A systematic risk assessment will identify potential vulnerabilities and weaknesses and enable proactive measures to address them. Once these improvements are implemented, the risk assessment becomes evidence that any potential data breach was an unforeseen risk rather than willful neglect of HIPAA requirements.
Taking a proactive approach also significantly reduces the likelihood of discovering unaddressed vulnerabilities during an audit.
Develop an Incident Response Plan
A well-crafted incident response plan is critical to any organization's cyber security strategy.
It should provide a clear roadmap for:
- Investigating and containing the breach.
- Minimizing harm to your organization, clients, and partners.
- Adhering to breach notification rules.
The OCR requires covered entities to maintain incident logs detailing the nature of the incident, its date and time, the systems or individuals involved, and the actions taken.
Train Your Employees
All staff members, including contractors and part-time employees, must know how to effectively secure PHI throughout its lifecycle, whether in storage, in transit, or at rest. Training should teach staff how to recognize and prevent common types of cyber-attacks, such as phishing, social engineering, and ransomware.
Keeping documentation of completed training sessions is essential, as auditors often request access to training records from the past 3-4 years. Organizations should prioritize HIPAA education for new hires and provide annual retraining sessions to keep employees updated on any changes to the law.
Email security best practices are critical to reducing the risk of unauthorized access or disclosure of electronic PHI.
Ensure Compliance of Business Associates
HIPAA regulations extend beyond an organization to encompass business associates. As a covered entity, you must ensure that all your partners and vendors handle PHI with the utmost care. This is typically achieved through the implementation of a Business Associate Agreement (BAA), which formalizes the expectations and obligations regarding the protection and handling of PHI.
As laws and regulations surrounding the protection of PHI evolve, it is crucial that business associate agreements align with the latest requirements. By conducting regular reviews and updates, you can address any gaps or inconsistencies, ensuring that your agreements continue to comply with HIPAA.
Signing a Business Associate Agreement with Google is an essential step in achieving HIPAA-compliant Gmail.
What Is HITRUST?
HITRUST was developed in 2007 by the HITRUST Alliance and is primarily based on HIPAA, ISO 27001, and NIST. HITRUST certification enhances a company's reputation, instills client confidence, and is a prerequisite for collaboration with many business partners and vendors.
HITRUST created the Common Security Framework (CSF) as a set of best practices and guidelines that cover various aspects of information security, including risk management, privacy, and compliance. The CSF helps organizations assess their security posture, identify vulnerabilities, and implement necessary controls to safeguard patient information.
To be HITRUST certified, an organization must undertake a thorough assessment to demonstrate its adherence to CSF requirements. By achieving HITRUST certification, organizations can demonstrate to their partners, clients, and regulators that they have implemented robust security measures to protect sensitive healthcare data.
How to Become HITRUST Certified
HITRUST certification is known for its complexity, which often translates into high costs. The price varies depending on organization size, with typical estimates ranging from $36,000 to $200,000.
While the validated HITRUST assessment and certification can be expensive, it's worth noting that the CSF framework is free. Organizations can leverage the framework to achieve various information security goals, even if full certification is beyond their budgetary means.
Ultimately, the decision to pursue certification is based on weighing the costs and benefits specific to each organization's circumstances and goals. The potential increase in customer confidence and trust may make it a worthwhile investment, especially considering that over 80% of US hospitals and 85% of US health insurers have already adopted HITRUST as their security framework.
To obtain HITRUST certification, follow these steps:
1. Familiarize Yourself with the HITRUST CSF
The HITRUST CSF serves as the foundation for the certification. It integrates multiple standards and frameworks, such as HIPAA, NIST Cybersecurity Framework, ISO 27001, and more. Understanding the CSF provides a roadmap of industry best practices and requirements for establishing a robust security program.
2. Assess Current Security Controls
After understanding the HITRUST CSF, you need to assess your current security controls and identify any areas that need improvement. This involves conducting a thorough internal assessment and utilizing the myCSF tool provided by HITRUST. The myCSF platform serves as a centralized system for recording evidence, testing, and submitting reports to HITRUST for evaluation.
3. Hire a HITRUST-Approved Assessor Firm
Once the internal assessment is complete, you should hire a HITRUST-approved external assessor firm. The assessor firm independently validates your security controls and compliance with the HITRUST CSF. They also review the evidence, perform on-site visits, and evaluate your security posture.
4. Submit Assessment Findings and Quality Assurance
Upon completing the assessment, the assessor firm submits the findings to HITRUST for quality assurance. HITRUST conducts its review to ensure the assessment aligns with its requirements and maintains the integrity of the certification process. If you meet all the necessary criteria, HITRUST grants the certification.
Both HIPAA and HITRUST share the common goal of data security. However, HIPAA is a federal law that must be complied with, while HITRUST is an optional certification.
HIPAA sets the baseline for protecting PHI, while HITRUST builds upon HIPAA by providing a more comprehensive and detailed framework for implementing additional security controls, risk management methodologies, and assessment processes. It is designed to address the evolving threat landscape and the increasing complexity of information security risks.
By adopting HITRUST, organizations demonstrate their commitment to protecting sensitive data to regulatory bodies and nurture their patients’ and partners’ trust.