Quick Answer
HIPAA is a law you must comply with if you handle PHI. There's no "HIPAA certification."
HITRUST is a voluntary certification framework that demonstrates compliance with HIPAA and other frameworks through third-party assessment.
Bottom line: HIPAA compliance is mandatory. HITRUST certification is optional but increasingly demanded by enterprise healthcare customers.
What is HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) is US federal law enacted in 1996. It establishes requirements for protecting Protected Health Information (PHI).
Key HIPAA Characteristics
- Legal requirement: Not optional for covered entities and business associates
- Enforcement: HHS Office for Civil Rights (OCR)
- No certification: There's no official "HIPAA certified" designation
- Self-attestation: Organizations self-attest compliance
- Prescriptive but flexible: Specifies what, not always how
HIPAA Rules
- Privacy Rule (PHI protection)
- Security Rule (ePHI safeguards)
- Breach Notification Rule
- Enforcement Rule
What is HITRUST?
HITRUST (Health Information Trust Alliance) is a private organization that created the HITRUST CSF (Common Security Framework) - a certifiable framework incorporating HIPAA and other standards.
Key HITRUST Characteristics
- Voluntary certification: Not legally required
- Third-party assessed: Independent assessors validate compliance
- Certifiable: Results in formal certification (e1, i1, or r2)
- Prescriptive: Specific control requirements
- Multi-framework: Maps to HIPAA, ISO 27001, NIST, SOC 2, and others
HITRUST Assessment Types
| Assessment | Description | Best For |
|---|---|---|
| e1 (Essentials) | Basic assessment; 44 requirements; self-assessment with validation | Lower-risk organizations, starting point |
| i1 (Implemented) | Intermediate assessment; ~180 requirements; demonstrates implementation | Organizations with moderate risk profiles |
| r2 (Risk-based) | Comprehensive assessment; ~350+ requirements; full certification | Enterprise vendors, high-risk organizations |
Side-by-Side Comparison
| Aspect | HIPAA | HITRUST |
|---|---|---|
| Type | Federal law | Private framework/certification |
| Required? | Yes (if handling PHI) | No (voluntary) |
| Certification | None exists | Yes (e1, i1, r2) |
| Assessment | Self-assessment + OCR audits | Third-party assessor |
| Scope | PHI/ePHI only | Broader security program |
| Controls | ~50 requirements (flexible) | 350+ requirements (prescriptive) |
| Cost | Internal compliance costs | $50K–$200K+ (assessment + remediation) |
| Timeline | Ongoing compliance | 6–12 months for initial certification |
| Validity | N/A (always required) | 1 year (e1, i1) or 2 years (r2) |
| Market recognition | Required for healthcare business | Premium credential for enterprise sales |
When HIPAA Alone Is Enough
HIPAA compliance without HITRUST certification may be sufficient when:
Your Customer Base
- Small to mid-sized healthcare providers
- Customers don't specifically require HITRUST
- Regional or local market focus
- Direct-to-consumer healthcare services
Your Organization
- Early-stage startup with limited resources
- Simple technology stack with limited PHI exposure
- Already have other assurances (SOC 2, ISO 27001)
- Not pursuing enterprise healthcare customers
Your Risk Profile
- Limited PHI volume and sensitivity
- Straightforward business associate relationship
- No regulatory pressure beyond standard HIPAA
Even if HITRUST isn't needed, you still must be HIPAA compliant. Having a robust HIPAA compliance program with documented risk analysis, policies, training, and BAAs is non-negotiable.
When HITRUST Helps
HITRUST certification provides strategic value when:
Customer Requirements
- Enterprise health systems requiring HITRUST
- Health insurers/payers with HITRUST mandates
- RFPs that specifically request HITRUST certification
- Customers tired of lengthy security questionnaires
Competitive Advantage
- Differentiating from competitors in sales cycles
- Shortening enterprise sales cycles
- Reducing vendor assessment fatigue
- Building trust with security-conscious buyers
Organizational Maturity
- Ready to invest in comprehensive security program
- Need to operationalize and systematize compliance
- Want external validation of security controls
- Planning for scale and enterprise customers
Multi-Framework Efficiency
- Need to demonstrate compliance with multiple standards
- Want to leverage one assessment for multiple purposes
- HITRUST maps to HIPAA, SOC 2, ISO 27001, NIST, etc.
Decision Framework
Ask These Questions
- Are your target customers requiring HITRUST?
  - If yes → Strong signal to pursue HITRUST
  - If no → May not be necessary yet
- Are you losing deals due to lack of HITRUST?
  - If yes → Clear business case
  - If no → Lower priority
- Can you afford $50K–$200K+ and 6–12 months?
  - If yes → Consider if business case supports it
  - If no → Focus on HIPAA compliance first
- Is your security program mature enough?
  - If yes → Ready for HITRUST assessment
  - If no → Invest in program maturity first
Recommendation by Organization Type
| Organization Type | Recommendation |
|---|---|
| Early-stage health tech startup | Focus on HIPAA compliance + SOC 2; consider HITRUST later |
| Growth-stage targeting enterprises | Evaluate HITRUST based on customer requirements |
| Enterprise vendor serving large health systems | Strong candidate for HITRUST r2 |
| Covered entity (hospital, clinic) | HIPAA compliance required; HITRUST often not needed |
| Health plan/payer technology vendor | HITRUST often required by customers |
HITRUST certification is not about compliance - you must be HIPAA compliant regardless. It's about demonstrating that compliance through a rigorous, third-party validated framework that enterprise customers trust. Make the decision based on customer requirements and business value, not just security best practices.