To quickly summarize a very complex subject, HITRUST is an organization that helps set and regulate data security standards within the healthcare industry. It is similar to HIPAA, but while HIPAA was written and is enforced by the federal government, HITRUST is governed by a collective body drawn from the healthcare industry itself.
To that end, HITRUST is the healthcare industry’s method of self-regulating its security practices, addressing certain shortcomings of HIPAA, and creating a PCI-like compliance framework for business entities to follow.
It’s easy to think of HITRUST certification as any other kind of non-mandatory certification a business can obtain, but that’s not the entire picture. For starters, HIPAA compliance does not come with any certification. HITRUST certification is one way of showing that a business is HIPAA compliant, because obtaining HITRUST compliance addresses many of the HIPAA compliance requirements.
Given that, you may be wondering whether HITRUST certification is “worth it”, and the answer is pretty much yes. Business entities that must adhere to HIPAA standards generally have a difficult time self-assessing their HIPAA compliance level without a framework to follow, so HITRUST provides a CSF (Common Security Framework) for the industry, which helps business entities self-assess far more accurately whether or not they are HIPAA compliant.
What are the pros and cons?
Well, the pros are mainly what we’ve already mentioned. Data breaches are a major problem today, and the healthcare industry is often hit hardest of all, because of the volume of personal and financial information that healthcare providers and their business associates hold on patients.
So anything that helps the industry better regulate security practices and take cybersecurity more seriously is definitely a pro. Data breaches hit all industries, not just healthcare, but many companies (especially SMBs) simply elect not to allocate enough budget for cybersecurity. HITRUST is a great initiative by the healthcare industry to expand on the requirements mandated by the federal government in HIPAA.
If there are any cons to HITRUST certification, it’s that the entire concept of HIPAA / HITRUST is quite complex, so it can be easy to assume that HITRUST is just a piece of paper, or worse, a sort of compliance racket within the healthcare industry itself. This is because being HITRUST certified does not automatically guarantee passing a HIPAA audit; it’s not something you can wave to make a HIPAA auditor go away. However, HITRUST certification does provide a much clearer framework for implementing HIPAA procedures, and for obtaining other compliance reports as well, such as SOC 2 and NIST 800-53.
Another con arises if HITRUST certification is treated as simply a checklist of security requirements to pass a HIPAA audit, when companies should have a genuine interest in securing PHI (protected health information) instead of just following a set of rules.
At the end of the day, the pros of HITRUST outweigh the cons, which are primarily theoretical. The industry absolutely requires a more serious approach to data protection, and HITRUST greatly expands on the efforts laid out in HIPAA.
Author | Emily Forbes
An Entrepreneur, Mother & A passionate tech writer in the technology industry!