HIPAA and HITRUST are two common terms used in reference to the protection and security of healthcare data. Given how similar these abbreviations are, it is easy to mix them up and forget what each one addresses. Another common mistake is assuming that HIPAA and HITRUST are in competition with one another; on the contrary, they are complementary. Here is everything you need to know about them:
What is HIPAA and why is it Important?
HIPAA stands for Health Insurance Portability and Accountability Act, a law that was passed by the United States Congress in 1996 to enforce data privacy and safeguard patients’ medical information. Other functions of HIPAA include preventing fraud and abuse of data in health insurance and healthcare delivery, and ensuring that insurance and long-term healthcare services remain accessible to all.
All healthcare providers are required to be HIPAA compliant. Failure to do so results in a fine and the possibility of criminal penalties. Over the past couple of years, with a marked increase in healthcare data breaches, the importance of HIPAA has become more pronounced.
Within the past 12 months alone, there have been multiple data breaches involving healthcare providers. According to this article by Digital Authority, in October 2018, the Federal Affordable Care Act (ACA) portal was breached and over 75,000 records were compromised.
In the same month, a phishing attack on the Minnesota DHS exposed patient records, affecting 21,000 people. The month before that, it was discovered that a staff error at Blue Cross had compromised patient data; it went unnoticed for 3 months.
What is HITRUST and why is it Important?
HITRUST is short for Health Information Trust Alliance, a not-for-profit organization that certifies healthcare providers that handle sensitive medical records. HITRUST created, and presently maintains, a common security framework (CSF) with which all healthcare organizations must comply. This framework combines the requirements of other standards and regulations (e.g. HIPAA, ISO, PCI, and NIST).
The healthcare sector is becoming increasingly digitized; one study estimates that funding for digital healthcare start-ups doubled between 2014 and 2017, rising to over $6.5 billion. In the years to come, the expectation is that this growth will continue, meaning that more patient information will be represented digitally. This growth has made healthcare providers a prime target for cyber-attacks, and the attacks are becoming more frequent: Healthcare Weekly reports that a computer system connected to the internet is attacked every 39 seconds, and the systems used in the study were attacked over 2,200 times per day. As evidenced by the breaches mentioned above, hackers are finding steady success. In light of the increasing importance of software for medical devices (two-thirds of the healthcare market in America is tied to the manufacture, distribution and use of medical devices), the need for an overarching security protocol has become even more critical for companies operating in the digital healthcare space.
This emphasizes the importance of an organization like HITRUST that provides a security framework for healthcare providers to follow.
The Relationship Between HIPAA and HITRUST
HIPAA is a set of regulations that mandate that healthcare providers and organizations that handle sensitive patient data abide by certain security standards. This is to ensure that the data in their care do not fall into the wrong hands.
The problem, however, is that HIPAA's wording is somewhat vague and there is no way to verify that organizations actually comply with it. In the past, healthcare providers were only required to sign an agreement claiming that they were HIPAA compliant. As a result, many signed the agreement without putting the required security protocols in place.
As data breaches grew rampant, HITRUST was created in 2007 to enforce data security controls. HITRUST comes with a common security framework (CSF) that all healthcare organizations have to follow. After complying with all the requirements in the framework, the organization receives a certification. Furthermore, by obtaining a HITRUST certification, the organization is also certified as compliant with the HIPAA, ISO, PCI, and NIST standards.
In 2016, only 5 healthcare payers required third-party providers working with them to be HITRUST certified; this year, the figure has risen to 90.
Which Organizations Need a HITRUST Certification?
All companies that create, store, exchange, or seek access to patients’ personal medical information must comply with the HITRUST CSF. This list includes: hospitals, pharmacies, insurance providers, healthcare vendors, and doctors’ offices.
HITRUST Common Security Framework (CSF)
The HITRUST CSF has 14 control categories, which contain 46 control objectives and 149 system controls. Each of these system controls has 3 implementation levels that must be met to cover regulations or management risk factors. All in all, the CSF has 845 requirements for all companies that create software for the healthcare industry to follow.
This makes it one of the most comprehensive security standards in the United States and, as mentioned above, its framework combines those of four other standards: HIPAA, ISO, NIST, and PCI. Additionally, the HITRUST CSF is designed to adapt quickly to changes in technology and the healthcare industry.
The Benefits of HITRUST
A HITRUST certification is beneficial to everyone in the healthcare ecosystem, from the provider that got certified, to the hospitals and healthcare companies that work with it, to the patients whose records it has access to. Here are some benefits the organizations stand to enjoy:
- Reduced risk of data breaches and better security against cyber attacks.
- Reduced risk of losing work from healthcare organizations that require HITRUST certification.
- The common security framework provides a “checklist” that can be used repeatedly, simplifying the risk management and data security process.
Companies in the healthcare space are at risk of online attacks because they are often in charge of patients' medical records, insurance information, and social security details. These are in high demand on the dark web, so organizations have to put in place security protocols that are strong enough to ward off cyber-attackers. With HIPAA, regulation was passed into law to ensure that organizations protect their records.
However, the wording in HIPAA was quite loose and prone to misinterpretation. Also, there was no way to determine whether an organization was really compliant with the standards set by HIPAA. To remedy this, HITRUST created an exhaustive security framework with clearly defined requirements. Moreover, organizations that are HITRUST compliant receive a certification to prove it.
In a nutshell, HIPAA laid the groundwork to keep patient data secure and HITRUST serves to fortify it and enforce the regulatory standards.