
What is HITRUST Compliance?


By: Matt Halbleib
Director of Security Assessments
CISSP, CISA, QSA, PA-QSA, CCSFP

Secure storage and transmission of electronic data is increasingly critical to the healthcare industry. Data security and compliance with mandates like HIPAA are paramount, yet more often than not, the two intersect in ways that make them complex and difficult to implement.

Many HIPAA requirements are nuanced and open to interpretation, and depending on an organization's size and available skills, they may not be understood or implemented in accordance with their intended purpose.

HITRUST aims to solve these issues by providing an integrated security approach as well as a way to demonstrate compliance with HIPAA security requirements to a third-party assessor. 

HITRUST is a certifiable and recommended framework trusted by many health networks and hospitals to manage risk.

SEE ALSO: How Much Does HIPAA Compliance Cost?


What is HITRUST?

HITRUST stands for the Health Information Trust Alliance. It was founded in 2007 and uses the "HITRUST approach" to help organizations from all sectors, but especially healthcare, effectively manage data, information risk, and compliance.

HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

HITRUST was organized with the intent to provide an option for the healthcare sector to address information risk management across a matrix of third-party assurance assessments, with the hope of consolidating, reducing, and in some cases, eliminating the need for multiple reports. HITRUST refers to this design element as “assess once, report many.” 

What is HITRUST CSF Certification?

Organizations that create, access, store, or exchange sensitive information can use the HITRUST Common Security Framework (CSF) assessment as a roadmap to data security and compliance. The CSF is a certifiable standard (certified by security assessors) and was designed as a risk-based approach to organizational security, as opposed to a compliance-based approach. The HITRUST CSF assurance program combines aspects of common security frameworks and mandates such as ISO, NIST, PCI, and HIPAA.

Across the CSF's 19 reporting domains are 149 control specifications, each of which can be assessed at one of three implementation levels.

Read about the HITRUST Common Security Framework here. 


How do you get HITRUST certification?

What HITRUST calls the "HITRUST approach" provides organizations with a comprehensive information risk management and compliance program. This blend of security and compliance mandates is an integrated approach intended to ensure that all programs are aligned, maintained, and comprehensively support an organization's information risk management and compliance objectives.

HITRUST certification requires an independent assessment. The length of the assessment depends on the size and complexity of the organization, the scope of the assessment, and the amount of counseling needed. According to HITRUST, the certification process can take an additional 6 weeks after the assessment is complete.


What is the difference between HITRUST and HIPAA?

HIPAA vs. HITRUST: HIPAA is a law written by lawyers and lawmakers, whereas HITRUST is a framework created by security industry experts that incorporates aspects of HIPAA.

The HITRUST CSF gives organizations a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.

According to the HHS, "The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form . . . This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information."

HITRUST can help provide measurable criteria and objectives for applying "appropriate administrative, technical, and physical safeguards." HITRUST does not replace HIPAA compliance or prove that an entity is HIPAA compliant, but it is widely accepted as a good approach for evaluating risk.

Have questions? Talk to us about HIPAA Compliance Audit or a HITRUST Assessment.

Matt Halbleib, Director of Security Assessments at SecurityMetrics, is responsible for overseeing the activities of the company’s audit teams. He holds QSA (Qualified Security Assessor), PA-QSA (Payment Application Qualified Security Assessor), and CISSP (Certified Information Systems Security Professional) security certifications and as a qualified assessor for the Payment Card Industry, has completed over 80 PCI DSS and PA-DSS security assessments.
