The Differences Between HIPAA and HITRUST

June 28, 2022

Video Transcript:

Most of us have heard the term HIPAA before, I think, in our everyday lives. Whether it's going to the doctor's office or the hospital. We've often heard the term HIPAA when it comes to our protected health information. Now often most of us (not in the compliance space), haven't heard of HITRUST, but HITRUST is actually a way in which to show your compliance with HIPAA in a certification standard. In this video, we're going to talk about the difference between going for a HIPAA attestation report versus going through a HIPAA certification process.

Hi, I'm Ryan Meehan. I'm a director here at Schellman and I'm one of our health care practice leaders. When it comes to thinking about the differences between HIPAA and HITRUST. Let's start with the fact that HIPAA itself is a regulation and does not currently have a certification path for it. Now HITRUST, on the other hand, is actually a combination of frameworks, standards, and regulations that have been pulled together into its own unique framework that at the end of the day, leads to a certification.

Now, when we talk about HITRUST, like we just said it is an amalgamation of other frameworks, standards, and regulations that are pulled together in a way that creates a risk-based control framework for organizations to show their compliance not just with HIPAA, but with other security best practices that can show their compliance across a myriad of areas. So if we think about it, HIPAA is almost a subsection of HITRUST, but is covered in HITRUST. Now, if your organization is trying to focus purely on HIPAA, you know, perhaps you want to think about doing an attestation just for HIPAA, and in that the focus becomes on the areas of the security rule, the privacy rule, and the HITRUST breach notification rule. And so you come up with controls that speak to those different safeguards that are in HIPAA and your auditor is going to test those and you're going to get a report. And the report is going to show what controls you have for each of those safeguards. And you can hand that out to somebody. And that is an examination that you undergo. There is no certification you can post on your website that people seem to like.

The difference is between which one you need to get is really going to depend on your customers. Try to understand who you work with and whether or not those covered entities or other business associates that you do work for, whether or not they need the comfort that comes from a HITRUST certification or a HIPAA attestation.

So I know we've just covered quite a lot, and there's so much more that goes into these two areas. So the next best step, honestly, is to go to our website, fill out the form and set up a conversation with us so we can talk to you more about what your organization might need.

Previous Video

The Cost of a HIPAA Assessment

Next Flipbook

Lumen Case Study

Lumen Leverages Strategic Alignment Under One Assessor in Schellman

The Differences Between HIPAA and HITRUST

Previous Video

Next Flipbook

Other content in this Stream

In February 2023, the OCR reported recent HIPAA issues & breaches to Congress—we break down the details so you can understand where other organizations fell short and avoid similar pitfalls.

Considering a HIPAA assessment? Whether you choose to perform it internally or engage an independent third party, we share 7 steps to focus your preparation and boost your compliance.

Not sure what you're getting into with HITRUST certification? We break down the complete process into 4 steps so you can know what to expect and how to get from start to finish.

With the debut of HITRUST CSF v11, it's important to know the dates for the phase-out of previous versions. We break down how it'll work for the i1 & r2 assessments so your transition goes smoothly.

Now that HITRUST has released a new version of CSF, we explain what changes and updates have been made to your HITRUST assessment options in version 11. “New year, new me!”

SOC 2 + HITRUST presents a useful combined approach, but is it right for you? We explain the advantages of this route as well as some considerations before you decide.

What distinguishes HIPAA from HITRUST? We detail the differences between your compliance with these two and their relationship so you understand which one (or both) to pursue.

The emerging TEFCA will change how things work regarding data shared within health information exchanges. Learn about these changes and whether or not they'll mean you need a HITRUST certification.

During your HITRUST certification process, your service providers will play a key role. Here are 4 steps you can take to ensure they're ready so your HITRUST assessment goes forward without a hitch.

To help make scoping your HITRUST Assessment easier, we lay out 5 elements that will affect your final HITRUST scope and how you should factor them in.

Introducing HIPAA Express, a one-of-a-kind, risk-based assessment that can help healthcare providers and systems protect themselves from ransomware, breaches, and perhaps even OCR fines.

Not sure if you're liable under HIPAA? Learn how a business associate is defined, as well as their roles and responsibilities in HIPAA compliance and how to avoid liability.

Interested in HITRUST certification? Learn the details of the two different kinds of assessment and how each works so that you choose the right compliance route for you.

Violations of HIPAA can carry heavy civil or criminal penalties (or both!). Don't be caught out--we break down the different tiers of violations & penalties so you understand clearly what's at stake.

Need a HITRUST assessor and not sure how to choose among your options? We walk you through their role and provide 4 crucial questions to ask during your vetting process.

Concerned about the hefty fines for violating HIPAA? We define what a violation is, common examples, who can be affected by the consequences of such, and how to avoid all this in the first place.