How Do HIPAA, NIST, and HITRUST CSF Work Together?

If your company deals with credit card numbers, patient records, customer information or other sensitive data, the list of compliance standards, federal regulations, and state laws can be very long. And if you’re a healthcare organization? It’s even more complex.

What is HIPAA?

Probably the most well-known compliance standard is the Health Insurance Portability and Accountability Act, better known as HIPAA. Together with the Health Information Technology for Economic and Clinical Health (HITECH) Act, which extended it, HIPAA is a federal law whose Security Rule sets out the administrative, physical, and technical safeguards that must be in place to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

HIPAA applies to more than just hospitals and health insurance companies. It covers "covered entities" (health plans, healthcare clearinghouses, and providers that transmit health information electronically) and the "business associates" that create, receive, maintain, or transmit PHI on their behalf. For example, if you are an employer and provide self-insured health benefits or an Employee Assistance Program (EAP), any unauthorized disclosure of PHI may be a HIPAA breach. The short version: if your organization handles patient information in electronic form, HIPAA compliance is mandatory.

How is HIPAA different from HITRUST?

HIPAA is only one of several compliance standards an organization may be required to meet, and going through a separate audit for each can be costly, time-consuming, and can even produce conflicting recommendations. To address that, the Health Information Trust Alliance (HITRUST) developed the HITRUST CSF (originally the Common Security Framework), which consolidates risk-management and security controls drawn not only from HIPAA but also from National Institute of Standards and Technology (NIST) publications, International Organization for Standardization (ISO) standards, and the Payment Card Industry Data Security Standard (PCI DSS), among others. A single assessment against the CSF lets HITRUST Assessors pinpoint and streamline the compliance process for an organization, no matter how many of those standards apply.

Today, HITRUST CSF is one of the most widely used certifications in the healthcare industry. But does earning HITRUST certification mean you're also HIPAA compliant? For the most part, yes, with one caveat: the Department of Health and Human Services does not recognize any third-party certification as proof of HIPAA compliance, so a HITRUST certification is strong evidence that the required safeguards are in place, not a legal safe harbor.

How do HIPAA and HITRUST work together?

HIPAA compliance requires an organization to perform a risk analysis and implement a "reasonable and appropriate" set of information safeguards, or controls, to protect patient information. In everyday application, that means demonstrating that each applicable standard in the HIPAA Security Rule has been met. The difficulty is often deciding which standards, and which of the Rule's "required" and "addressable" implementation specifications, apply to a particular business.

That's where HITRUST comes in. Because the framework maps to every HIPAA Security Rule standard, it helps companies focus on the controls they actually need for compliance. In practice, a company that implements the applicable HITRUST CSF control requirements, and can show evidence that those controls operate, is meeting the corresponding HIPAA specifications.

One difference, however, is that HITRUST is certifiable and HIPAA is not. Healthcare organizations are required to operate according to HIPAA, but there is no certificate they can display; compliance is shown through the risk analysis, policies, and evidence they keep, and is tested only if the HHS Office for Civil Rights audits or investigates them. This is likely one reason businesses are not only choosing HITRUST certification themselves but requiring it of their partners and vendors.

How does NIST fit in?

To further complicate matters, healthcare organizations that work with the federal government are often also required to meet NIST-based requirements, for example the security controls catalogued in NIST SP 800-53. HITRUST mapped the CSF to the NIST Cybersecurity Framework and reports NIST Cybersecurity Framework results alongside the HITRUST assessment, so for businesses that need both, one assessment has helped to streamline the process.

It's another reason HITRUST is so widely used. Through one framework and one assessment, a company can demonstrate compliance with HIPAA, NIST, and a number of other regulations and standards from around the world.

We can help focus your HITRUST needs

As a HITRUST CSF Assessor, 360 Advanced is approved to perform a variety of assessment services associated with the HITRUST CSF Assurance Program and can help you find the most efficient route to meeting all of your organization's compliance requirements.
