

In the world of healthcare, individual patients once felt they had little control over their personal information and who could access it. The Health Insurance Portability and Accountability Act of 1996 — HIPAA for short — was put in place to protect the privacy of individuals. But, as healthcare technology has grown larger and more complex, understanding how to maintain HIPAA compliance and what the relationship is between this key piece of legislation and organizations like HITRUST has become more and more difficult.

Understanding how HITRUST and its Common Security Framework fit into HIPAA compliance is essential for healthcare companies and the third-party vendors who partner with them. Read on for a quick overview, and check out our other articles on HIPAA for even more in-depth information on how to achieve and maintain compliance.

What is HIPAA?

HIPAA is a federal law that put in place national standards for the protection of patient health information. HIPAA not only defines what patient information must be protected but sets out specific guidelines for when this information can be disclosed by specific entities and to specific entities.

It’s all about ePHI, electronic protected health information, whose use and disclosure HIPAA restricts. Any protected health information (PHI) that is created, stored, transmitted, or received in any electronic format or media is ePHI. This includes any of the 18 distinct identifiers that can be used to identify a patient. These are covered by the HIPAA Security Rule.

One of HIPAA's major goals is to ensure that health information is properly protected while allowing that information to be safely shared. Sharing patient data is a critical part of providing high quality healthcare. HIPAA attempts to find a good balance between protecting the individual's privacy while permitting the use of protected information to promote healthcare and healing.

What does HIPAA cover?

HIPAA is a powerful tool for protecting patient privacy. Its rules cover the following types of individuals and organizations, called “covered entities,” and third-party vendors who do business with them, called “business associates” by HIPAA:

  • All healthcare providers who electronically transmit health information, including claims, benefit eligibility inquiries, referral authorization requests, and other transactions
  • Individuals and organizations that provide health plans that provide or pay for medical care, including health, dental, vision, and prescription drug insurers
  • Healthcare clearinghouses that process information received from other entities
  • Business associates using or disclosing individually identifiable health information for a covered entity, including claims processing, data analysis, utilization review, and billing

While HIPAA might seem like it puts a lot of requirements on data, the protection it provides to patients is invaluable. Most disclosures of protected information require permission from the patient, but it is important to note that there is a list of exceptions where disclosure doesn't require patient consent. These circumstances include essential government functions, public health activities, judicial proceedings, and various functions concerning deceased persons.

How has changing technology affected HIPAA?

Technology has changed a lot since HIPAA was passed in 1996, and the way that ePHI is distributed and used has changed as well. Because of this evolution, Congress passed the Health Information Technology for Economic and Clinical Health Act of 2009, also known as HITECH. This legislation tightens the language used in HIPAA by removing loopholes and ensuring that covered entities are complying with HIPAA's rules and requirements for patient notification. Thanks to HITECH and subsequent legislation, HIPAA compliance requirements aren't going away. They are getting more stringent and requiring more effort to meet.

For covered entities and their business associates, compliance with HIPAA is critical. Violations are costly and embarrassing. To date, HIPAA fines have totaled over $131 million. Some single fines have been in the millions of dollars. The Department of Health and Human Services will also intervene early and provide technical assistance to move covered entities into compliance.

What is HITRUST?

While HIPAA is a federal law to enforce privacy and security over ePHI for covered entities and their business associates, it is not a compliance certification. This is where HITRUST comes in. 

The Health Information Trust Alliance, or HITRUST, is a company that develops and maintains frameworks that other entities can use to prove and enforce compliance with regulations like HIPAA. HITRUST works to streamline compliance issues that could otherwise hinder entities from working with protected patient data.

HITRUST works in collaboration with healthcare, technology, and information security organizations to establish products that provide regulatory compliance assistance. It is a privately held company with an executive council made up of leaders from across a variety of industries. These leaders represent a variety of companies and organizations, including such names as Kaiser Permanente and Anthem, Inc.

By providing broad access to its widely adopted risk and compliance management frameworks and assessment methodologies, HITRUST gives organizations a comprehensive way to manage information risk and compliance.


The Common Security Framework provided by HITRUST is known as HITRUST CSF. It is a certifiable framework that brings together a number of security and privacy-related regulations, standards, and frameworks. This collection includes HIPAA, ISO, NIST, PCI, and GDPR.

By utilizing one framework to manage all of these regulations, an organization gains valuable clarity and consistency that reduces the burden of compliance. For many organizations struggling to deal with compliance issues, tools like the HITRUST CSF can prove to be invaluable.

Differences between HITRUST and HIPAA

While HIPAA is a federal law that enacts patient information privacy and protection standards, HITRUST is a privately held company that specializes in helping organizations maintain compliance with various regulatory standards such as HIPAA. This means that every organization that falls under the purview of HIPAA must meet the legislation’s regulations. However, not every organization that must meet HIPAA requirements will deal with HITRUST. They may elect to do so or be asked to by a partner.

HIPAA Compliance with Strike Graph

Strike Graph is an IT security compliance platform that helps an organization manage its entire compliance process. Our solution builds a system of record for an organization's risks, controls, and evidence and then ties them to whichever framework or certification the business needs.

HIPAA compliance is not just a list of items that need to be checked off. Its requirements are complex and interwoven. For example, the HIPAA Privacy Rule sets national standards to protect patients' medical records and other personal health information, but it also establishes authorized actions and required disclosures applying to that data. Other parts of HIPAA, like the Breach Notification Rule, can require covered entities to notify patients when their ePHI is improperly used.

Our security compliance software makes it simple to design, operate, and measure a security stance that ensures HIPAA compliance. And, our library of HIPAA-ready policy templates, strategic automation, and expert guidance cut the time and cost of compliance and ensure your HIPAA success.
