HIPAA & HITRUST: Learning to Walk, Before You Can Run

By Grant Elliott, CEO, Ostendio
Twitter: @ostendio

Are you considering HITRUST but haven’t yet put your HIPAA house in order? That’s similar to starting college when you’ve not yet earned your high school diploma. While both HIPAA and HITRUST share the common goal of protecting healthcare data and personal health information (PHI), they differ in very fundamental ways.

What is HIPAA?
The HIPAA Privacy, Security and Breach Notification Rules are part of a broad set of federal regulations. Administrative, technical and physical safeguards for Protected Health Information (PHI) are the essence of HIPAA’s security requirements. Compliance is neither optional nor an end-state; rather, compliance with HIPAA is an ongoing journey. HIPAA is enforced by the Office of Civil Rights (OCR), with penalties for HIPAA violations determined by the OCR and state Attorneys General. HIPAA violations can be extremely costly, as proven by these top 10 largest HIPAA settlement fines.

Granted, the federal requirements of the HIPAA rules aren’t always clear. Providers often wonder what qualifies as “reasonable and appropriate” protections, and HIPAA’s rules are often left open to interpretation (“is this action required or addressable?”). Herein lies the flexibility, as well as the frustration, of HIPAA language. Technically, you can never claim to be “certified HIPAA compliant,” as no formal certification process exists.

What is HITRUST?
In contrast, HITRUST is a private framework developed by a not-for-profit organization known as the HITRUST Alliance. There are no federal or state requirements to be HITRUST certified, but HITRUST has built in HIPAA’s Security Rule, as well as a number of other state and local regulations. It also aligns with many other security standards in an attempt to provide a one-size-fits-all security framework. Importantly, HITRUST provides a more granular set of controls than HIPAA, reducing much of the ambiguity inherent in using the HIPAA framework alone.

HITRUST’s assessment and certification is risk- and compliance-based. It has a distinct and clear roadmap with a verifiable goal: certification. It also goes far beyond the standards set by HIPAA, adding many requirements not included within HIPAA. This makes it attractive to health plans, providers, technology companies, pharmacies, biotech firms and others who want to prove, via an independent third party, that they meet the industry-defined certification requirements of HITRUST.

Therefore, since HITRUST is more granular and more specific than HIPAA, if you are not yet able to meet HIPAA’s requirements, you will fall significantly short of meeting HITRUST’s.

And so, it comes back to HIPAA. Yes, it’s frustrating that there is no government-approved “HIPAA Compliant” certification. Still, this does not mean that you can neglect HIPAA and the processes involved. Many third-party organizations will still conduct an independent HIPAA assessment. This will not be government sanctioned, but then again, neither is HITRUST. So it really comes down to what your customers are asking for.

If you’ve decided that HITRUST is your organization’s ultimate objective, please be aware that it does not happen overnight. HITRUST certification is a lengthy and resource-heavy process. This means you need to get your privacy, security and breach notification compliance programs in order before you can start down the prescriptive HITRUST certification path. You would not think of starting college before completing high school, so if you still do not have your basic HIPAA policies in place, you would be better served building that foundation before graduating to HITRUST or any other higher-order framework.

This article was originally published on Ostendio and is republished here with permission.