Ensuring the triad of health information HIPAA vs HITRUST

‍

When it comes to maintaining the security of users' information and demonstrating that personal data is being used appropriately, it is important to review which standards make this possible, meaning, what are the guidelines that help and ensure that the information will be used only with the user's consent and in an appropriate manner, since it can be somewhat complicated to repair the damage caused by the misuse and/or filtration of it.

That is why when looking to comply with the above, it is necessary to cover all the important aspects that safeguard the identity of users. However, when comparing or wanting to choose between HIPAA and HITRUST, it is not an entirely valid comparison, since both terms define something different, but with a common goal.

What is HIPAA?

Something that governments have given themselves the task of adding it to their agendas. In this case, we are talking about the Health Insurance Portability and Accountability Act (HIPAA), a U.S. law, proposed in 1996, which defined the requirements to be met by institutions that manage health data, whether they are providers of health plans, of health care and partners, to protect patient information. It has been amended over the years, adding information that is managed electronically and in case there is a leak of this, immediately notifying the affected individuals, as well as the United States Department of Health and Human Services (HSS) and the media. (American Medical Association, s.f.)

Once the requirements to protect patient information have been defined – using the necessary administrative, physical, and technical tools – organizations are responsible for complying with this law to prevent data breaches and/or cyber-attacks. (Jen, s.f.)

However, the law includes three rules to protect patient information, being: (Digital Health Folio 3, 2021)

• The Privacy Rule, standards that establish how and when to use patient information.
• The Security Rule, standards that organizations must cover to protect patient information.
• The Breach/Leak Notification Rule, a requirement that organizations notify affected users.
  

Failure to comply with all three HIPAA rules, or any breach of security of electronic systems, whether called unauthorized access to records, such as medical history or personal information, can result in civil and even criminal penalties, loss of reputation for healthcare professionals and organizations, including loss of employment for the employees involved. (Wheel House IT,  2021)

HIPAA requires annual audits to be conducted reviewing the requirements, however, it does not provide any official framework or methodology to verify compliance. In order, for organizations to demonstrate this, there are several recommended frameworks that manage health data or Protected Health Information (PHI), which we will be focusing on is the Common Security Framework, HITRUST CSF.

What is HITRUST?

It is a security and privacy framework that assists organizations in certifying HIPAA compliance, among other requirements. It is the only official certification that validates compliance with the law in question, as well as other standards, ISO 27001, HITECH, EU GDPR, PCI-DSS, NIST 800-53, among others. (Jen, s.f.)

HITRUST consists of 14 Control categories, 19 Domains, 49 Control Objectives, 156 Control References and three implementation levels. (Datica, s.f.)

How to choose between HITRUST and HIPAA?

Is HITRUST the best option for demonstrating HIPAA compliance?

HITRUST can be somewhat strict and require a high degree of resources to ensure its certification, [CR1] however, by its nature of including multiple requirements in one, it is the best option to demonstrate that there are controls that assist in protecting patient information, likewise, the duration of this certification is 2 years,  compared to other standards, and is globally recognized for providing adequate controls that aid data regulation and protection. (Rieben, 2022)

This certification process refers to the standardization of the security requirements of different information security frameworks. It facilitates the delivery of multiple compliance reports based on a single evaluation, which consists of an assessment that includes the review of the policies and procedures implemented, moderated, and administered, along with a corrective action plan based on the evaluation of these. (Intraprise  Health, 2022)

It is worth mentioning that HITRUST certification considers the level of assurance based on the level of effort associated with the evaluation, resulting in the following (Rieben, 2022):

• Basic HITRUST: it is the most elementary level and focuses on "good hygiene", which simply performs a validation to identify errors and / or omissions, however, does not provide any type of certification.
• HITRUST implemented (i1) + certification: is a non-personalized assessment that focuses on "best practices" as well as threat adaptation, which is valid for one year, requires moderate effort.
• HITRUST risk-based assessment (r2) + certification: this requires maximum effort and provides a personalized assessment which focuses on high-risk scenarios where a high level of security is required.

Therefore, although there is no comparison as such, it is necessary to understand both concepts to correctly implement the appropriate framework to be in compliance with the laws that regulate the protection of data, in this case of patients.

‍

Odalys Vaquez

Junior Security Engineer

References

• American Medical Association. (s.f.). HIPAA  security rule & risk analysis. Obtenido de AMA:  https://www.ama-assn.org/practice-management/hipaa/hipaa-security-rule-risk-analysis
• Datica. (s.f.). Datica. Obtenido de What Are  HITRUST Requirements?: https://datica.com/blog/what-are-hitrust-requirements
• Digital Authority Partners. (s.f.). HITRUST  Certification Guidelines. Obtenido de Digital Autority:  https://www.digitalauthority.me/resources/hitrust-certification-guideline/
• Digital Health Folio 3.  (2021, 09 28). 3 Major Things Addressed In The HIPAA Law. From Digital  Health Folio 3: https://digitalhealth.folio3.com/blog/what-are-3-major-things-addressed-in-the-hipaa-law/
• Intraprise Health.  (2022). The Benefits of HITRUST Certification. From Intraprise Health:  https://intraprisehealth.com/what-is-hitrust-and-how-can-it-benefit-your-organization/
• Jen, S. (s.f.). HITRUST vs. HIPAA. Obtenido de  SecurityMetrics:  https://www.securitymetrics.com/blog/HITRUST-vs-HIPAA-what-difference-between
• Rieben, R. (22 de 05 de  2022). Linford & co llp cpa firm. Obtenido de What is HITRUST? A Comprehensive Guide:  https://linfordco.com/blog/what-is-hitrust/
• Schneider Downs. (s.f.). What is HITRUST? Obtenido de Schneider  Downs: https://www.schneiderdowns.com/cybersecurity/what-is-hitrust
• Wheel House IT. (2021,  11 28). What Are The Three Rules of HIPAA? From Wheel House IT:  https://www.wheelhouseit.com/what-are-the-three-rules-of-hipaa/

‍