HIPAA vs HITRUST Compliance: What’s the Difference?

Today’s compliance head-to-head (H2H) features HIPAA vs HITRUST. If you’re looking to understand how these two healthcare frameworks stack up against one another, you’ve come to the right place.

Okay, let’s get this party started.

What Is HIPAA?

We’ve already written a fairly comprehensive primer on HIPAA. That said, if you’re strapped for time, here’s the CliffsNotes version.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a U.S. law that governs the privacy and security of protected health information (PHI). PHI is individually identifiable health information: health data that is tied to a personal identifier such as a name, a telephone number or even a license plate number.

HIPAA only applies to certain organizations, or what it calls “covered entities” and their business associates. 

So, what are these covered entities, you ask? 

Simple. They are: 

  • Health insurers (health insurance companies, company health plans, etc.)
  • Healthcare providers (doctors, clinics, dentists, chiropractors, pharmacies, etc.)
  • Healthcare clearinghouses (entities that process nonstandard health information which they receive from another entity into a standard format)

… plus the “business associates” that create, receive, maintain or transmit PHI on a covered entity’s behalf (cloud hosts, billing services, SaaS vendors and the like).

HIPAA is enforced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), and carries steep penalties for violations. The rules that matter most here are the Privacy, Security and Breach Notification Rules (an Enforcement Rule sets out the penalty structure). Together, they protect individuals’ health information and give individuals rights over it.


As mentioned above, HIPAA is the law. If your organization is a covered entity or a business associate of one, it must comply. Failure to do so can result in hefty fines and lasting damage to your reputation.

You could also end up on the OCR’s “Wall of Shame”, its public breach portal listing breaches of unsecured PHI that affected 500 or more individuals, which is a big yikes.

The Process of HIPAA Certification

There is no certification body for HIPAA, so there is no such thing as an official HIPAA certification. The closest you can get is an attestation: you can retain a certified public accountant (CPA) firm that specializes in SOC 2 + HIPAA audits to evaluate your systems, but the resulting report is the auditor’s opinion, not a government-recognized certificate. The OCR enforces the law, can audit you and can penalize noncompliance, but it doesn’t hand out certifications.

Covered entities and their business associates are expected to follow HIPAA’s Privacy, Security and Breach Notification Rules. The Security Rule’s evaluation standard (45 CFR 164.308(a)(8)) also requires organizations to perform periodic technical and nontechnical evaluations of their safeguards, so “we’re compliant” has to be backed by a documented, repeated review rather than a one-time effort.

What Is HITRUST?

The Health Information Trust Alliance (HITRUST Alliance for short) created its own cybersecurity standard to help organizations manage information risk, data protection and compliance. You know it as the HITRUST CSF (Common Security Framework).

You can think of it as a kind of mega-framework, since it combines requirements from a bunch of other standards and regulations, like HIPAA, PCI DSS, GDPR and more. One of the many benefits of getting compliant with the HITRUST CSF is that it prepares you for a host of other frameworks you’ll likely need at some point in the future.

HITRUST’s bread and butter is healthcare organizations. Remember how we mentioned that HIPAA can’t be certified? That creates a problem for organizations that need security assurance from vendors handling PHI: there is no HIPAA certificate a vendor can show them.

This is where HITRUST can help.  

Benefits of HITRUST CSF

The HITRUST CSF has a number of benefits.

First off, because the framework includes requirements from a number of key standards and regulations, it can simplify future compliance efforts. In a sense, getting HITRUST is like hitting two (or three or four or five…) birds with one stone.

Second, HITRUST offers measurable criteria and objectives for applying the administrative, technical and physical safeguards that HIPAA also requires. A HITRUST certification therefore gives an organization documented, independently assessed evidence that it has implemented many of the safeguards HIPAA’s Security Rule mandates.

It’s important to note that HITRUST doesn’t replace HIPAA. Remember, HIPAA is the law, and a HITRUST certificate is not a legal defense. HITRUST is, however, widely accepted as a sound approach for evaluating and demonstrating how you manage risk.

The Process of HITRUST Certification

To become certified, you have to purchase access to HITRUST’s MyCSF portal. You answer a scoping questionnaire about your organization, systems and regulatory factors, and MyCSF generates the tailored set of controls you need to meet (we’ve seen up to 700 controls for a SaaS company).

The organization implements those controls and then has a HITRUST Authorized External Assessor validate the assessment. The HITRUST Alliance reviews the validated assessment and, if it meets the required scores, issues the HITRUST certification.


Differences Between HIPAA vs HITRUST

The key difference between HIPAA and HITRUST is that one is a law while the other is a security standard. But there are several others, which we cover below.

HIPAA vs HITRUST: Purpose

HIPAA’s purpose is clear: to ensure that covered entities and their business associates protect PHI and notify individuals if their information is breached.

To get a sense of what HITRUST is all about, let’s take a look at their website.

“The HITRUST Approach provides organizations a comprehensive information risk management and compliance program to provide an integrated approach that ensures all programs are aligned, maintained and comprehensive to support an organization’s information risk management and compliance objectives.”

In short, HITRUST focuses on mitigating the information risks facing an organization. It also lets businesses offer their customers increasing degrees of assurance: a self-assessment, then a CSF validated assessment and, finally, CSF certification.

HIPAA vs HITRUST: Cost

Estimating the cost of any security framework is complicated because there are so many variables. Generally speaking, the smaller your organization and the more mature its existing security program, the cheaper it will be. So the estimates below represent a best-case scenario for a startup.

The U.S. Department of Health and Human Services, Office for Civil Rights, publishes estimated costs for HIPAA compliance. They are… well, unrealistic. The figure it provides is $1,040. SecurityMetrics offers a more realistic range: $4,000 to $12,000. And that’s only for small covered entities or business associates.

HITRUST is much pricier. Estimates range from $60,000 on the low end to $120,000 a year, all-in. You can conduct a self-assessment, which is dramatically less expensive than hiring a third-party assessor, but then you’re not offering customers the same level of assurance.

HIPAA vs HITRUST: Noncompliance Penalties 

HIPAA penalties can be quite steep, depending on the violation. Civil penalties are tiered by the organization’s level of culpability, from “did not know” up to willful neglect that is not corrected, with an annual cap per violated provision. You can check them out below.

[Image: table of HIPAA fines for organizations that violate the law]

With HITRUST, things are more straightforward. There are no legal penalties for falling short. If you fail a validated assessment you simply don’t receive (or, at re-assessment, don’t retain) your HITRUST certification. Keep in mind that losing or lacking a HITRUST certification does nothing to change your HIPAA exposure; the OCR’s penalties apply regardless.

Similarities Between HIPAA vs HITRUST

HIPAA and HITRUST are both relevant to the healthcare industry, and the HITRUST CSF incorporates the requirements of HIPAA’s Security Rule as one of its sources. Beyond that overlap in control content, the two have little in common: one is a law you must obey, the other a standard you choose to be certified against.

How Tugboat Logic Can Help

If you’re looking for a deeper understanding of HIPAA, connect with one of our experts today. They have plenty of experience helping organizations like yours navigate HIPAA. If you already know everything you need to know about HIPAA and just want to get compliant fast, start a free trial of our product and someone on our team will set you up. To get certified against HITRUST, organizations must use HITRUST’s proprietary MyCSF tool. That said, we can support a HITRUST self-assessment. Feel free to contact us for more information.