One of the most common questions that we receive at Accountable relates to the difference between HITECH and HITRUST, both of which deal with information security in the healthcare industry to some degree. The two are very different things, however: HITECH is a federal law that amended HIPAA, while HITRUST is a private organization and the security framework it publishes. If this is a question you have had, don’t worry. We’ll tell you what you need to know about each of these acronyms and how they may affect you.
What is HITECH?
HITECH, the Health Information Technology for Economic and Clinical Health Act, was enacted in 2009 as part of the American Recovery and Reinvestment Act (ARRA) and amended HIPAA. HITECH aimed to streamline health care and reduce costs by promoting the adoption of health information technology. It also marked a significant expansion of HIPAA's reach, imposing new regulations and requirements with respect to protected health information (PHI).
Here are a few of the ways that HITECH changed the enforcement of HIPAA:
- HITECH strengthened enforcement of the HIPAA Privacy and Security Rules by raising the penalties for violations.
- HITECH required the Department of Health and Human Services (HHS) to conduct periodic audits of covered entities and business associates to determine whether they meet the requirements of the Privacy and Security Rules.
- HITECH created a four-tier penalty structure for HIPAA violations, with the tier determined by the organization's level of culpability, and for the first time allowed an organization to be penalized even when it did not know (and with reasonable diligence would not have known) that a violation had occurred.
- HITECH also extended the requirements of the HIPAA Privacy and Security Rules to apply directly to business associates: organizations such as software providers, law firms, marketing agencies, and any other group that helps a covered entity perform its work in a way that gives it access to PHI.
What is the goal of HITECH?
The goal of HIPAA overall is to mandate the protection of protected health information, so that individuals can be confident that their information is safe and can obtain access to, or copies of, that information on request. HITECH more specifically aims to encourage and promote the use of secure, portable electronic health records (EHR) throughout the country. HITECH also introduced the HIPAA Breach Notification Rule, which requires organizations to notify individuals whose unsecured PHI has been breached, as well as HHS and, for breaches affecting 500 or more individuals, the media. Under the interim version of the rule, an organization could skip notification if it judged there was no significant risk of harm; the 2013 Omnibus Rule replaced that harm threshold with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
What is HITRUST?
One other name that is frequently associated with HIPAA, and occasionally confused with it, is HITRUST. HITRUST, originally an acronym for the Health Information Trust Alliance, is not a law like HITECH. Rather, it is a private company that has collaborated with an assortment of organizations to create a framework that can be used by any company that creates, stores, or transmits sensitive or regulated data.
The HITRUST framework, known as the HITRUST CSF, drew on HIPAA but is intended for a broader group of companies than just those in the healthcare industry. The HITRUST CSF provides a structured set of security, risk, and compliance controls that can be tailored to an organization's size, type, and risk profile, and its controls are mapped to HIPAA so that an organization following the framework addresses most of HIPAA's requirements.
What is the goal of HITRUST?
The ultimate goal of HITRUST and a HITRUST certification is to help businesses manage their compliance obligations and the risk to private data efficiently. The framework is unusual in that it combines the requirements of multiple information security standards and regulations into one cohesive set of controls. A key benefit is that it can start you down the path of compliance with several other mandates and frameworks at once, including HIPAA, NIST frameworks, PCI DSS, and more. Although it gives you a strong head start, this one framework does not by itself guarantee complete compliance with any of those other mandates.
Does following the HITRUST CSF Framework guarantee HIPAA compliance?
HIPAA is composed of several rules and a wide range of mandates. The HITRUST CSF will push you in the right direction toward compliance with the HIPAA Security Rule, because its controls are mapped to the Security Rule's safeguards, but complying with the framework does not guarantee complete HIPAA compliance. The Security Rule is a core part of HIPAA compliance, but it is not all that the law requires of you: the Privacy Rule and the Breach Notification Rule impose obligations of their own, and a HITRUST certification does not by itself demonstrate that you meet them.
If you want full confidence that your organization has taken every step necessary to be prepared for a HIPAA audit, you should work with a complete HIPAA compliance solution, like Accountable. Accountable's HIPAA Seal of Compliance signals that you have completed the steps necessary to adhere to the many requirements of HIPAA, and it gives your current and future customers and partners confidence and trust in your compliance with these regulations.