There is more to securing medical data than HIPAA compliance. That’s where HITRUST comes in.

What is HITRUST Compliance?

How is it different from HIPAA?

How can healthcare organizations leverage this framework?

What is HITRUST?

HITRUST, the Health Information Trust Alliance, is not itself a framework, and it does much more than help healthcare providers meet HIPAA security requirements. HITRUST is the organization that created and continues to maintain the CSF, or Common Security Framework. The CSF is a certifiable framework that harmonizes controls from other standards and regulations, including HIPAA, NIST, PCI DSS, and ISO.

Many organizations in the healthcare industry think of health information security rules as a burden to get through before they can do their jobs. HITRUST was created to serve as a common foundation for securing the many different health information systems and exchanges that now share patient data. Today’s technology makes risk management and data protection essential for healthcare organizations of every kind, and HITRUST helps covered entities and their business associates meet information security regulations more easily than before.

The HITRUST website describes the organization as “a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.”

[Image: comparison of HIPAA and HITRUST]

What is HITRUST Compliance Certification?

Part of what makes HITRUST different is that its framework is certifiable. There is no official HIPAA certification: no government body certifies a health care facility as HIPAA compliant, just as none certifies how well it follows Federal Trade Commission rules. In the past, healthcare practices simply signed agreements attesting that they were HIPAA compliant, forms stating that they had taken the right measures to put security controls in place.

No one confirmed or judged those attestations, which made HIPAA compliance more of an “I promise” situation. Some medical practices went a step further and conducted a HITRUST readiness assessment or hired a HITRUST CSF assessor to confirm that the practice was properly following the HIPAA Security Rule and other applicable laws. That was the most any practice could do to “prove” it was HIPAA compliant.

A medical practice can become HITRUST certified.

How to become HITRUST Certified?

As noted above, HITRUST compliance requirements incorporate HIPAA, FTC, and many other data security regulations.

HITRUST gives healthcare practices two paths. They can perform a self-assessment against the CSF, or they can have an authorized CSF assessor perform a validated assessment. Only the validated assessment leads to certification.

It is highly recommended that a practice start with a self-assessment. The HITRUST self-assessment tool is also an excellent resource to revisit on a regular basis. Any gaps in regulatory compliance can be identified and remediated before the validated assessment, so the needed changes are already in place when the assessor arrives.

The HITRUST CSF, and the assessment and certification built on it, cover 19 control domains:

  • Healthcare Data Protection & Privacy
  • Information Protection
  • Wireless Protection
  • Transmission Protection
  • Network Protection
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Third Party Security
  • Physical & Environmental Security
  • Configuration Management
  • Vulnerability Management
  • Password Management
  • Incident Management
  • Risk Management
  • Access Control
  • Audit Logging & Monitoring
  • Education, Training & Awareness
  • Business Continuity Management & Disaster Recovery

Many HITRUST CSF certification requirements must be met to become certified. They are clearly documented, so a practice can understand and implement them. A HITRUST certification is valid for two years, with an interim assessment at the one-year mark; after that, the practice must go through the assessment, validation, and certification process again.

This may seem like a burden, but with technology and security regulations changing so quickly, certifications require periodic renewal.

Once a new technology is introduced, or new compliance laws are passed, a certification issued against the old state becomes out of date. When healthcare practices recertify every two years, their controls are re-validated against the current version of the CSF, which HITRUST updates as regulations and threats change.

[Image: common security framework]

HITRUST vs HIPAA: The Differences in Certification Requirements

HIPAA is a federal law that protects patient medical records. Its Privacy Rule gives patients a measure of control over who can access the information stored in their file.

Whether a health care provider is HIPAA compliant is subjective without a certification process. Without certification, any healthcare practice can claim to be HIPAA compliant while following only some, or none, of the requirements HIPAA sets forth.

As technology spreads through the healthcare sector, security compliance can seem strict and at times unnecessary. Maintaining compliance and managing IT risk has been a struggle for many healthcare practices, and costs have increased across the board as practices hire and train more staff to keep up with the latest healthcare privacy laws.

Medical practices in every field need a simpler way to meet healthcare privacy requirements. The comparison below sets HIPAA beside HITRUST and shows how healthcare organizations can use HITRUST to make risk assessment and security compliance easier to maintain.


HITRUST is the organization that created and maintains a control framework that incorporates many different compliance regulations. By unifying the various aspects of regulatory compliance, it makes it easier for medical practices to adopt compliant practices and to verify that they are using the right security controls to protect sensitive information and patient data.


HIPAA, the Health Insurance Portability and Accountability Act, is a federal law whose Privacy and Security Rules set standards for protecting sensitive information in the healthcare industry. HIPAA compliance means safeguarding protected health information (PHI) and ensuring that only the medical professionals, vendors, and other people with a need to know can access it.


HITRUST and HIPAA are not interchangeable

HITRUST includes HIPAA but is not limited to it. HIPAA is a vital part of data protection and the baseline for patient information security, but its Security Rule is largely technology-neutral: it states what must be safeguarded and leaves the choice of specific controls to each organization. On its own it does not give a medical practice a complete, prescriptive set of protections that keeps pace with growing threats, and those healthcare cybersecurity threats change as technology evolves, making it hard to keep up without help.

HITRUST is the organization that created and maintains a comprehensive security framework, the Common Security Framework (CSF), which includes much more than the HIPAA regulations. HIPAA’s Security Rule, for instance, is organized into administrative, physical, and technical safeguards, together with organizational requirements and policy, procedure, and documentation requirements that healthcare practices must meet.

HITRUST, on the other hand, includes all of the HIPAA safeguards as well as security guidelines and risk management requirements from:

  • Control Objectives for Information and Related Technology (COBIT)
  • International Organization for Standardization (ISO)
  • Federal Trade Commission (FTC)
  • Centers for Medicare and Medicaid Services (CMS)
  • National Institute of Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Other federal and state entities

HITRUST is the framework that lets medical practices confirm they have all their bases covered. It reconciles the overlapping standards of the different regulatory entities into a single set of controls so that healthcare practices can simplify compliance.

With HITRUST certification, healthcare facilities can expand their data and patient security coverage.

Planning for Healthcare Security Threats

Data breaches in the healthcare industry can be costly and negatively impact a healthcare practice in many ways.

Sadly, these data breaches are on the rise and are showing no signs of stopping or slowing down. It’s more important than ever to be aware of the risks of technology in a healthcare practice and to adopt controls that minimize those risks. While HIPAA compliance was the first widely adopted set of compliance laws to help keep patient data private and to stop data breaches, it is simply just one piece of an enormous puzzle.

Contrary to popular belief, many parties want to get their hands on private patient data. It may not matter to them that Joe Smith had a kidney transplant last year, or that he is allergic to a particular medicine. Remember, though, that patient data includes much more than health history.

It includes patient names, addresses, Social Security numbers, health insurance information, and more, and that data can be used to commit several kinds of fraud. Stolen insurance details can be used to obtain care or to bill for services that were never rendered, and with healthcare out of reach for many low-income and middle-class people, health insurance fraud is on the rise. Identity theft is also a risk, because nearly all of an individual’s identifying information is contained in their medical chart.

People who want private patient data don’t have to physically break into a medical office and steal file folders. If the right security controls are not in place, attackers can reach this information remotely: unsecured or unencrypted email can be intercepted, and misconfigured or unprotected cloud services can expose a wealth of patient data for download.

Without a sound cybersecurity framework, a health care facility’s sensitive data is a playground for capable attackers. Healthcare practices of all kinds must plan for security threats and adopt controls that keep sensitive information out of the hands of anyone it does not belong to.

Next Steps: Protecting Patient Data & Achieving HITRUST Certification

Carefully consider the benefits of becoming HITRUST CSF certified. HITRUST-certified medical practices gain the peace of mind that comes with efficient data security processes and a reduced risk of data breaches.

This certification is not a legal requirement for opening or operating a health care facility. It is, however, one of the simplest and most complete ways to ensure that your facility keeps pace with current security and regulatory compliance requirements.

Get rid of confusion over compliance, and have confidence that your practice is protected by a single cybersecurity framework that maps to the major regulations that apply to healthcare. Becoming HITRUST certified can also build trust between your practice and your patients, who will know their private data and health information is protected.