Most of us have heard the term HIPAA before, I think, in our everyday lives. Whether it's going to the doctor's office or the hospital. We've often heard the term HIPAA when it comes to our protected health information. Now often most of us (not in the compliance space), haven't heard of HITRUST, but HITRUST is actually a way in which to show your compliance with HIPAA in a certification standard. In this video, we're going to talk about the difference between going for a HIPAA attestation report versus going through a HIPAA certification process.
Hi, I'm Ryan Meehan. I'm a director here at Schellman and I'm one of our health care practice leaders. When it comes to thinking about the differences between HIPAA and HITRUST. Let's start with the fact that HIPAA itself is a regulation and does not currently have a certification path for it. Now HITRUST, on the other hand, is actually a combination of frameworks, standards, and regulations that have been pulled together into its own unique framework that at the end of the day, leads to a certification.
Now, when we talk about HITRUST, like we just said it is an amalgamation of other frameworks, standards, and regulations that are pulled together in a way that creates a risk-based control framework for organizations to show their compliance not just with HIPAA, but with other security best practices that can show their compliance across a myriad of areas. So if we think about it, HIPAA is almost a subsection of HITRUST, but is covered in HITRUST. Now, if your organization is trying to focus purely on HIPAA, you know, perhaps you want to think about doing an attestation just for HIPAA, and in that the focus becomes on the areas of the security rule, the privacy rule, and the HITRUST breach notification rule. And so you come up with controls that speak to those different safeguards that are in HIPAA and your auditor is going to test those and you're going to get a report. And the report is going to show what controls you have for each of those safeguards. And you can hand that out to somebody. And that is an examination that you undergo. There is no certification you can post on your website that people seem to like.
The difference is between which one you need to get is really going to depend on your customers. Try to understand who you work with and whether or not those covered entities or other business associates that you do work for, whether or not they need the comfort that comes from a HITRUST certification or a HIPAA attestation.
So I know we've just covered quite a lot, and there's so much more that goes into these two areas. So the next best step, honestly, is to go to our website, fill out the form and set up a conversation with us so we can talk to you more about what your organization might need.