A HITRUST vs HIPAA analysis can help healthcare organizations understand why it may be worth pursuing a HITRUST certification, why a HITRUST certification is no guarantee of HIPAA compliance, and why a certification may not help an organization avoid a penalty for a violation of HIPAA.

What is a HITRUST Certification?

The HITRUST Cyber Security Framework (CSF) provides best practices, policies, procedures, guidelines, and organizational structures to help organizations in the healthcare industry comply with mandatory regulations such as HIPAA, voluntary standards such as SOC 2, and state laws such as the Texas Medical Records Privacy Act. The Framework can also be customized to support compliance with some industry-specific regulations.

The Framework maps “authoritative sources” (i.e., NIST, ISO, etc.) to regulatory requirements so healthcare organizations can undergo an independent assessment and become HITRUST certified. In many cases, being able to demonstrate compliance with a recognized cyber security framework such as HITRUST can help healthcare organizations mitigate the regulatory consequences of a data breach or other security incident.

For this reason alone it can be worth pursuing a HITRUST certification. However, the recommended best practices, policies, procedures, guidelines, and organizational structures in each control category can also help healthcare organizations build trust with patients and business partners, improve operational efficiency in all areas of the organization’s activities, and acquire a competitive advantage in the healthcare industry.

What is HIPAA Compliance?

HIPAA compliance is compliance with the applicable regulations, standards, and implementation specifications of the HIPAA Administrative Simplification Rules. The Rules not only include the Privacy, Security, and Breach Notification Rules, but also the General Rules (Part 160) and the Transaction Rules (Part 162). In addition to healthcare organizations, the Rules can also apply to business associates and software vendors.

In the context of HITRUST vs HIPAA, while a HITRUST r2 certification demonstrates compliance with the Security Rule and parts of the Privacy and Breach Notification Rules, it does not guarantee compliance with all applicable regulations, standards, and implementation specifications of HIPAA. It also does not change the fact that the noncompliant actions of a single member of the workforce can result in the whole organization being considered non-compliant.

Consequently, although a HITRUST r2 certification might help mitigate a penalty for a violation of HIPAA if the violation is security-related, it may be of less benefit if the violation is attributable to a Privacy or Breach Notification failure, or if the organization is found guilty of violating the General or Transaction Rules. The same applies to business associates who perform claims and billing operations on behalf of healthcare organizations.

Other HITRUST Considerations to be Aware Of

There is no doubt that adopting the HITRUST Cyber Security Framework, passing an r2 assessment, and receiving a HITRUST certification will have benefits for a healthcare organization. However, it is important that healthcare organizations do not get too carried away with the achievement and drop the ball with regards to their other compliance obligations – especially as penalties for HIPAA security violations are becoming rarer, while penalties for other regulatory violations are increasing.

The reason that penalties for HIPAA security violations are becoming rarer has nothing to do with improved data security or a reduction in the number of security violations. In 2021, HHS’ Office for Civil Rights was notified of 64,180 impermissible disclosures of unsecured Protected Health Information, but only issued two civil monetary penalties – making it more likely that a healthcare organization will be fined for an OSHA violation or for employing an individual on the OIG Exclusion List.

The HITRUST CSF does not cover compliance requirements such as OSHA or the OIG Exclusion List (or CMS’ conditions of participation in federal health plans), and this is something healthcare organizations should be mindful of when deciding whether or not to devote resources towards achieving HITRUST certification. Healthcare organizations unsure about whether HITRUST certification would be the right option for them should seek professional compliance advice.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/