Guest Column | October 31, 2019

HIPAA vs. HITRUST, And Why It Matters

By Perry Price, Revation Systems

As technology continues to permeate the healthcare industry, ensuring that technology partners comply with the most current security regulations in order to protect sensitive patient data has become critically important. With more data in the cloud than ever before, and the threat of a data breach continuously on the rise, it is no surprise just how significant protecting patient data has become. IBM’s 2018 “Cost of a Data Breach” study reports that the global average cost of a single data breach is up 6.4 percent from 2017, to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent, to $148.

While most organizations want to be prepared in the event of a data breach, many spend a disproportionate amount of time and resources responding to an incident that has already taken place rather than proactively safeguarding the company and its consumers. When it comes to security regulations in the healthcare industry, most organizations are familiar with the Health Insurance Portability and Accountability Act of 1996, more commonly referred to as HIPAA, which requires that the confidentiality, integrity and availability of all data created, received, maintained, or transmitted be ensured, while also protecting consumers against data breaches. Though HIPAA provides a regulatory baseline for data protection in the healthcare industry, it does not offer a comprehensive approach to securing patient data against the threats of today’s digital world. As a result, healthcare organizations undergoing digital transformation are seeking alternative designations or certifications that tighten security measures and go far beyond HIPAA compliance.

Where HIPAA Falls Short

From patient expectations of a quick and seamless transition between digital channels to rigid regulation and security standards, the healthcare industry is up against many obstacles in enhancing the patient experience.

Because of this, tech vendors that serve the industry are turning to HITRUST certification to help organizations overcome the challenges of today’s digital landscape. Although the prevalence of HIPAA has established a baseline degree of security for the large amount of confidential patient data that is in the cloud today, HIPAA compliance alone is no longer enough to protect that data long term. Today, the best way to ensure patient data in the cloud is secure is through HITRUST certification.

HITRUST certification provides organizations with a comprehensive approach to regulatory compliance and risk management, normalizing more than 20 of the most common security and privacy standards, including PCI, ISO 27001, HIPAA, NIST and COBIT. Although HIPAA remains a valuable tool in the healthcare space, the HITRUST CSF (certifiable security framework) is quite different: it classifies organizations as compliant with the strictest and most prevalent security standards, and in doing so creates a consistent, universal standard of protection.

Compliance vs. Certification

In 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) reported a whopping 13 million healthcare records were exposed – indicative of the vulnerability facing patient data, especially when it’s only protected by HIPAA compliance.

Although HIPAA remains a valuable tool and is a baseline expectation for healthcare technology partners, HITRUST certification extends beyond the bare minimum of HIPAA security requirements and provides organizations with an efficient, robust framework for both logical and physical security requirements.

Because HITRUST certification follows strict state and federal standards and regulations, and combines what are recognized as the top security frameworks in existence today into a single standard, organizations that have undergone the thorough and rigorous process of becoming HITRUST certified can offer a dramatically tightened approach to data security.

Essentially, it boils down to the difference between compliance and certification: the former only requires that healthcare tech partners follow essential practices to keep data secure, while the latter requires them to adhere to a rigorous, comprehensive, all-encompassing framework that fully protects patient data in today’s digital world.

Why It Matters To Healthcare Organizations & Tech Partners

Moving into 2020, more and more healthcare organizations are realizing that although HIPAA is an important measure of protection in the industry, it still has shortcomings, and a more robust set of security criteria is necessary. Healthcare organizations must remain abreast of the latest security standards as they work to fill the gaps that exist today in protecting sensitive patient data. And while the threat of a cyberattack is always on the horizon, healthcare organizations that work with HITRUST-certified technology partners can rest easy knowing that their patients’ data is protected to the highest degree available in the marketplace today.

As the world continues to digitize and more data is put into the cloud, technology vendors must take additional steps to ensure the security of patient data. HITRUST certification is the most secure designation in the marketplace today, and it enables technology partners to best serve healthcare organizations and their patients.

About The Author

Perry Price is CEO/president of Revation Systems. In this role, Price builds and grows the customer base, recruits qualified talent, and streamlines internal operations. Price utilizes his deep domain expertise in IP networking and communication applications, including telephony, unified communications, call-center technologies, and messaging.