HIPAA requires the security and privacy of personal medical information. While that may have once only been relevant for the healthcare sector, today’s vast data sprawl expanded HIPAA’s reach to any business associate or entity that transmits PHI.

HITRUST CSF is a certifiable framework built from multiple other security and compliance frameworks, with roots in the International Organization for Standardization (ISO) 27001, 27002, and National Institute of Standards and Technology (NIST) 800 Series. As an optional certification, HITRUST CSF demonstrates and implements an organization’s security and compliance with requirements such as HIPAA and other major regulatory factors — and can scale with the organization based on its unique risk profile. Certification is commonly sought among highly regulated industries including healthcare organizations, technology companies, payers, and others. HITRUST certification occasionally goes through iterative improvements, with version 11 requiring certain legacy HITRUST certificate holders to switch to a newer version. HITRUST assessments and certifications can be done on an annual or biennial basis.

What is the difference between HIPAA and HITRUST?

HIPAA is a regulatory mandate required by law. It has no prescriptive controls, only the requirement that organizations comply. HITRUST, on the other hand, is an optional certifiable framework. It does contain prescriptive controls that together create a road map to assess and adjust security and compliance risks. But there are overlaps between the two. HITRUST started with a focus on demonstrating HIPAA compliance. Over time, the increasing prevalence of ransomware, phishing, and business email compromise among web applications and cloud computing resources pushed boards of directors and audit committees to focus on pursuing certification for more than just HIPAA purposes.

What is the advantage of HITRUST certification?

One of the biggest benefits of HITRUST is that it’s multipurposed. In a single certification, an organization can show compliance with some of the most important regulatory requirements — not just HIPAA, but also NIST CSF (the standard for cybersecurity frameworks), ISO 27001/27002, General Data Protection Regulation (GDPR), and many others. HITRUST is also highly scalable and can flex with an organization’s individual compliance needs. This sets it apart from other frameworks. You can tailor the controls based on industry-specific or other applicable regulatory requirements — scoping in and out various measures within the HITRUST system based on what matters most to you.

What is the relationship between HIPAA, HITRUST, and SOC 2 reporting?

While all different types of reporting, they can be strategically combined for more efficient use. This can be especially helpful for organizations looking to improve their security investments. For instance, you might have a business associate agreement that requires SOC 2 reporting and HIPAA compliance. By stacking HITRUST certification atop the SOC 2, you demonstrate HIPAA compliance but can also meet other regulatory compliance needs you may face now or in the future. Synergizing and consolidating these controls in relationship with one another could help reduce redundancy and help organizations get the most from IT and cybersecurity investments.

Article

Protect health data: SOC controls, HIPAA, and HITRUST compliance intersect

July 6, 2023 · Authored by Troy Hawes, Raveen Bhasin, Mark Hurst

Wearables, apps, telehealth, and other digital sources have transformed the care continuum — keeping people more informed and empowered to take control of their own health.

But as that digital health engine becomes more advanced, so does the volume of protected health information (PHI). To cybercriminals, that data is a hot commodity.

Healthcare and health-adjacent organizations not only need to be aware of the nuances of various frameworks and regulatory requirements such as System and Organization Controls (SOC) examinations, HIPAA, and HITRUST CSF, but they should also understand how to combine efforts to be more efficient with their security and privacy controls.

What is SOC 2®?

SOC reporting involves an independent examination of an organization’s safeguards.

SOC 1® covers financial reporting, SOC 2 covers managing customer data, and SOC 3® is used for marketing. Vendors providing data security and storage often need to have SOC 2 reports in place.

These incorporate five criteria:

Security
Availability
Processing integrity
Confidentiality
Privacy

As an optional framework — not a regulation — SOC 2 reporting can be important for multiple purposes, including organization oversight, vendor management programs, internal corporate governance, risk management processes, and regulatory oversight. Some business agreements may require them.

From a SOC 2 report perspective, you can build upon it by adding in controls designed to meet HIPAA and HITRUST requirements.

Protect health data: SOC controls, HIPAA, and HITRUST compliance intersect

What is SOC 2®?

Troy Hawes

Raveen Bhasin

Mark Hurst

Related sections

What is HIPAA?

What is HITRUST CSF?

What is the difference between HIPAA and HITRUST?

What is the advantage of HITRUST certification?

What is the relationship between HIPAA, HITRUST, and SOC 2 reporting?

Have questions? Baker Tilly can help.