What is the HIPAA Security rule?

Explore the Administrative, Physical and Technical safeguards under the HIPAA Security Rule & the difference between addressable and required safeguards.

HIPAA Security Rules Infographics

The HIPAA Security rule applies to covered entities, business associates, subcontractors – anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). This rule contains the standards organizations must follow to protect electronically created, accessed, processed, or stored PHI (ePHI). These standards apply to ePHI when it is at rest and in transit. It clarifies the physical, administrative, and technical safeguards that organizations must implement. The HIPAA security rule focuses on managing access and interprets it as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.

Organizations are required to document their adherence to these standards and safeguards in their HIPAA Policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures and maintain documentation to prove this. 

  i) What is the difference between addressable and required safeguards ? 

Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards have some level of flexibility. If a covered entity is unable to implement an addressable safeguard, they can implement an appropriate alternative or not introduce the safeguard altogether. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures they have implemented. The organization is required to carefully document all the factors leading up to the decision along with the results of the risk assessment on which the decision was based.

Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored on the cloud. However, most controls are critical for maintaining security.

  ii) What are Administrative Safeguards under the HIPAA Security rule?  

Administrative Safeguards are the cornerstone of HIPAA Compliance. They are the policies and procedures that connect the Privacy Rule and the Security rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure the security measures are in place to protect ePHI and staff members follow them. 

Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.

Administrative Safeguards – HIPAA Security rule
Required / Addressable
Risk Assessment
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored
Risk Management Policy
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
Sanctions Policy
Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures
Information System Activity Review
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
Assigned Security Responsibility
Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures
Authorization / Supervision
Implement procedures to authorize and supervise staff members who access PHI
Workforce Clearance Procedure
Implement procedures to verify if an employee’s access to PHI is appropriate
Termination Procedures
Implement procedures for terminating access to PHI when an employee leaves the organization
Isolating Health care Clearinghouse Function
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect their ePHI from unauthorized access by the larger organization
Access Authorization
Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation
Access Establishment and Modification
Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process
Security Reminders
Set up periodic security updates
Protection from Malicious Software
Implement procedures for detecting and reporting malicious software
Log-in Monitoring
Implement procedures to monitor log-in attempts and report discrepancies
Password Management
Implement procedures for creating, changing, and safeguarding passwords
Response and Reporting
Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes
Data Backup Plan
Establish and implement procedures to create and maintain retrievable exact copies of ePHI
Disaster Recovery Plan
Establish (and implement as required) procedures to restore any loss of data
Emergency Mode Operation Plan
Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode
Testing Contingency Plans
Implement procedures to test and update contingency plans periodically
Criticality Analysis of Applications and Data
Assess the relative criticality of specific applications and data which support other contingency plan components
Business Associate Contracts and Other Arrangements
Ensure that BAAs and all other arrangements with vendors are signed and updated
Security Awareness Training for employees
All organizations covered under HIPAA are required to train their employees and ensure they are aware of the policies and procedures governing access to ePHI. They must also be taught to identify malicious software attacks and malware. Training must be conducted annually, and all records must be maintained.

  iii) What are Technical Safeguards under the HIPAA Security rule? 

Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).

Technical Safeguards – HIPAA Security rule
Required / Addressable
Unique User Identification
Assign a unique name and/or number for identifying and tracking user identity
Emergency Access Procedure
Establish procedures to obtain ePHI during an emergency
Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
Encryption and Decryption
Implement a method to encrypt and decrypt ePHI
Audit Controls
Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI
Mechanism to Authenticate Electronic PHI
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
Person or Entity Authentication
Implement procedures to authenticate the personnel who are authorized to work with ePHI
Integrity Controls – Transmission Security
Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of

  iv) What are Physical Safeguards under the HIPAA Security rule? 

ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access. 

Technical safeguards emphasize encryption as per NIST standards to protect ePHI at rest and in transit once it crosses the organization’s internal firewalled servers. This ensures that any data breach renders the data unreadable, undecipherable and unusable. While this is a required safeguard, organizations can select the most appropriate mechanism.

Physical Safeguards – HIPAA Security rule
Required / Addressable
Contingency Operations
Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan
Facility Security Plan
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
Access Control and Validation Procedures
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision
Maintenance Records
Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security like the hardware, walls, doors, and locks
Workstation Use
Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
Workstation Security
Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users
Disposal of Device and Media Controls
Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
Media Re-use
Implement procedures for removing ePHI from electronic media before the media are made available for reuse.
Accountability of Device and Media Controls
Maintain a record of the movements of hardware, electronic media, and any person responsible for them
Data Backup and Storage
Create a retrievable, exact copy of ePHI before moving equipment in which it is stored

If you are looking for support to understand how to implement the HIPAA Security Rule and would like to connect with a HIPAA Expert, please get in touch us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:


Rules of HIPAA Compliance

Protected Health Information (PHI)

What are the rules of HIPAA Compliance?

Explore the basics of 5 main HIPAA Rules - HIPAA Security Rule, HIPAA Privacy Rule, HIPAA Breach Notifications Rule, HIPAA Enforcement Rule & HIPAA Omnibus Rule

databrackets Infographics on Rules of HIPAA ComplianceThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards for all organizations that work with Protected Health Information (PHI) of US Residents. It applies to all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, etc. The scope and applicability of the Act have been amended since 1996 to include additional rules.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. To ensure that businesses are informed of best practices, the OCR regularly publishes recommendations on new issues affecting healthcare. It also investigates common HIPAA violations on a regular basis.

The Rules of HIPAA Compliance are:

  1. HIPAA Privacy rule
  2. HIPAA Security rule
  3. HIPAA Enforcement rule
  4. HIPAA Breach Notification rule
  5. HIPAA Omnibus rule

HIPAA Privacy Rule: This rule mandates appropriate safeguards to protect the privacy of PHI and ensures that patient data cannot be used or disclosed without patient authorization. It gives patients and their nominated representatives rights over their PHI, including the right to obtain a copy of their health records or  examine them – and the ability to request corrections if required.

HIPAA Security Rule: This rule outlines the standards that covered entities, business associates, and subcontractors must follow to protect PHI that is electronically created, accessed, processed, or stored. These standards are also intended for ePHI when it is at rest and in transit. The HIPAA Security Rule includes physical, administrative, and technical safeguards that organizations are required to implement.

HIPAA Breach Notifications Rule: This rule outlines the protocol that organizations must follow in case of a data breach containing ePHI or PHI. As per this rule, they are required to notify patients when there is a breach of their PHI. They also need to notify the HHS and issue a notice to the media if it affects more than 500 patients. Breach notifications must be made within 60 days and without unreasonable delay, following the discovery of a breach. For breaches involving less than 500 patients, they must conduct an investigation and report them through the OCR web portal. The OCR requires these reports on an annual basis.

 The HIPAA Enforcement Rule: This rule comes into effect after a breach of PHI or ePHI. Under this rule, the OCR investigates the breach and has procedures for hearings. Penalties may also be imposed on organizations responsible for the breach. Fines are imposed for each violation based on a tiered system. The total value of the fine is related to the number of records exposed in a breach. It also considers the risk due to the exposure of that data and the level of neglect that the organization permitted. Criminal charges may also be laid on organizations that knowingly deviate from HIPAA rules. Additionally, patients who are victims of a breach can also file civil lawsuits under this rule.

 HIPAA Omnibus Rule: The HIPAA Omnibus rule focuses on areas that previous HIPAA updates had overlooked. The most important addition made by this rule was the expansion of HIPAA compliance regulations to include business associates, and subcontractors. This rule also focuses on streamlining Business Associate Agreements (BAAs). A BAA is a contract that must be signed and implemented between covered entities, business associates and subcontractors before PHI or ePHI is shared or transferred.

 There are two additional HIPAA rules which focus specifically on electronic data.

a) HIPAA Transactions and Code Set rule: This rule ensures a uniform way to exchange PHI between entities in the healthcare delivery ecosystem based on electronic data interchange (EDI) standards. It is used for all healthcare-related digital transactions.

b) HIPAA Unique Identifiers rule: This rule focuses on Identifier Standards for Employers and Providers. It requires employers and healthcare providers to have standard national numbers to identify them instead of their business names and other identifiers.

If you are looking for support to understand how HIPAA compliance rules apply to your organization and would like to connect with a HIPAA Expert, don’t hesitate to get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:


What is Protected Health Information (PHI)?

Who is Covered under HIPAA?

What is Protected Health Information (PHI)?

Explore the 18 HIPAA Identifiers that constitute PHI or Protected Health Information under HIPAA & learn about de-identifying health data to reduce risk

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a set of mandatory standards to manage the use and disclosure of healthcare data, known as Protected Health Information or PHI. Complying with HIPAA is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Protected Health Information (PHI)

Any identifiable health-related data used, stored, maintained, or shared by an entity is considered PHI. It covers every aspect of a patient’s information. The HHS has identified 18 HIPAA identifiers. They are:

databrackets Infographics on PHI Identifiers for HIPAA

HIPAA rules are focused on protecting PHI – HIPAA Security rule, HIPAA Privacy rule, HIPAA Breach Notification rule, HIPAA Omnibus rule and HIPAA Enforcement rule. There are specific safeguards and guidelines under each rule to ensure that Protected Health Information is handled with utmost care.

Organizations that are covered under HIPAA  can avoid penalties, fines, and jail time for violating these HIPAA rules by ‘De-identifying PHI’. De-identification implies disassociating a patient from their health information. Once it is de-identified, the data set is no longer covered under HIPAA. The organization continues to be covered under HIPAA, but this security measure significantly reduces its risk. The HHS recommends 2 methods to de-identify health data.

If you are looking for support to implement or evaluate your level of HIPAA Compliance, or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:


Who is covered under HIPAA?

7 Benefits of HIPAA Compliance

Who is covered under HIPAA?

Who needs to be HIPAA compliant? Explore the types of organizations covered under HIPAA and the ways in which they are required to maintain compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is applicable to all entities in the Healthcare Industry. It outlines the rules and regulations with regard to the use and disclosure of protected health information (PHI) by organizations in the industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCRenforces it. While healthcare providers who directly work with patients are aware of the regulation, it is crucial to understand the entire landscape of the healthcare service delivery ecosystem to which the Act applies. The insights below clarify the answer to another commonly asked question ‘Who needs to be HIPAA compliant?’.

There are three types of organizations that need to be HIPAA compliant:

  1. Covered Entities
  2. Business Associates (third-party service providers who work with covered entities)
  3. Subcontractors (Business Associates of Business Associates)

Who is covered under HIPAA?

Covered Entities
Business Associates
A Covered Entity consists of 3 types of organizations that directly work with patients and administer healthcare. They are: A Healthcare Provider, A Health Plan & A Healthcare Clearing House.
A “business associate” is a person or entity that performs specific functions or renders services to a covered entity, which involve the use or disclosure of protected health information. A covered entity can be a business associate of another covered entity.
Business Associates hire subcontractors to process, create, or store PHI. They usually don’t have a business associate agreement or a direct relationship with covered entities. However, because they handle patient data, they need to be HIPAA compliant.
A Healthcare Provider includes Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies… if they transmit any information electronically
Services rendered by business associates are: legal; actuarial; accounting; web-hosting; managed IT and security services; financial, consulting; management; accreditation; data aggregation, data transmission;  administrative; accreditation agencies, medical equipment service companies.
A hosted service provider like Amazon Web Services is a classic example of a subcontractor. With the increase in cloud-based services, there is an increased dependence on subcontractors by covered entities and business associates. 
A Health Plan includes Health Insurance Companies, HMOs, Company Health Plans, Government programs that pay for healthcare like Medicaid, Medicare, Healthcare programs for veterans / military
Some examples of business associate functions and activities include: • data analysis, processing or administration • claims processing or administration • utilization review • quality assurance • billing • benefit management • practice management • repricing
A Healthcare Clearing House includes entities that process nonstandard health information that they receive from another entity into a standard (e.g. a standard electronic format / data content) or vice versa
HIPAA Compliance
Business Associate Agreement
Required between a Covered Entity and a Business Associate / Subcontractor
Required between a Covered Entity and a Business Associate / Subcontractor
Required between a Business Associate and Contractor
Penalties, Fines & Jail Time
Applicable & Direct
Applicable & Direct
Applicable & Direct
All HIPAA rules are applicable to the healthcare service delivery ecosystem, which consists of organizations that fall into one of these three categories. Even if they are not directly engaged in delivering healthcare services, their employees and vendors need to undergo HIPAA Compliance Training every year to ensure they are aware of the organization’s security protocols and understand their accountability under HIPAA. They are required to have HIPAA-compliant policies and procedures and a Business Associate Agreement (BAA) with the entity that hires them or the entities they hire. They also need to prove that they are complying with HIPAA rules by undergoing an annual attestation.

Organizations under all three categories are required to register with the Department of Health and Human Services (HHS). The Office for Civil Rights (OCR) is authorized to enforce all HIPAA rules, including compliance with new best practices shared by them on a regular basis.

If you are wondering whether your organization is covered under HIPAA or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:


7 Benefits of HIPAA Compliance

What is HIPAA?

7 Benefits of HIPAA Compliance

Explore the benefits of HIPAA compliance for healthcare providers, healthcare SaaS companies and healthcare business associates. Connect with HIPAA Experts

HIPAA Benefits Blog Banner

databrackets infographics on Benefits of HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines the rules and regulations with regard to the use and disclosure of Protected Health Information (PHI) by all businesses in the Healthcare industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it.

HIPAA Compliance is very beneficial for patients since it ensures their personal and identifiable information is protected from known and potential channels used for cyber-attacks. However, there are several benefits for HIPAA-compliant organizations as well. Some of the numerous advantages for Healthcare Providers, Business Associates, and Subcontractors are listed below.

1. Protect Health Records

HIPAA acts as a benchmark checklist for businesses that work directly or indirectly with Protected Health Information (PHI). It helps them plan a cumulative approach to security and data privacy. The Act equips the Healthcare industry and its allied businesses with the information they need to protect PHI from known, predictable, and potential channels and sources of cyber-attacks. The emphasis on annual staff training and preparation for an unannounced HIPAA audit ensures that businesses stay alert at all times.

2. Prevent HIPAA Violations, Penalties & Fines

Adherence to HIPAA rules helps Healthcare Providers, Business Associates and Subcontractors to prevent HIPAA violations. Since a HIPAA violation leads to fines and jail time, being HIPAA compliant ensures they can protect their organization, personnel, and brand reputation.

3. Enforce a High Security Standard for Vendors

HIPAA compliance is mandatory across the Healthcare delivery ecosystem. This includes mandatory protection of PHI according to HIPAA rules by Business Associates, Subcontractors, and any vendor, even if they have access to only a few elements of PHI like diagnostic images associated with a patient ID. While this may not seem like identifiable information to us, it is a gold mine for hackers, who find ways to locate the personal information associated with the patient ID from other sources.

4. Protect your Brand Reputation & Ensure a Patient-First Approach

Being HIPAA compliant is mandatory not only for Healthcare providers but also for their Business Associates and Subcontractors. This ensures that a patient-first approach is adopted across the Healthcare delivery ecosystem. Since HIPAA is mandatory, an organization’s brand reputation is damaged if they are penalized by the HHS. In order to retain the trust of patients, B2B customers and their brand reputation, it is critical for organizations to evaluate their level of HIPAA compliance regularly.

5. Develop a Security and Compliance Process

Adherence to HIPAA requires regular maintenance of security protocols, with particular emphasis on the security rule and the physical and technical safeguards outlined under it. This is achieved by developing an IT compliance process to review if all the safeguards are in place. Developing this process is beneficial as it allows organizations to detect deviations faster and take corrective actions to prevent a cyber-attack.

6. Ensure Compliance across the Organization

HIPAA mandates specific actions from the IT department and all stakeholders since its rules, amendments,  and regular updates from the OCR ensure that compliance is a shared responsibility. The Act is mandatory for all businesses in the Healthcare Industry. As a result, businesses that are HIPAA compliant are protected from known sources / channels of data breaches. This ensures that ignorance of security protocols does not accidentally result in a vulnerability / loophole in the system.

7. Implement Security Best Practices to Prevent Cyber Attacks

The OCR has a subscription service to share security best practices with organizations and regular updates about the security measures that need to be updated. This helps organizations to stay informed and implement them.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:


What is HIPAA?

Learn HIPAA Basics, amendments to HIPAA and get an overview of HIPAA rules. Connect with HIPAA Experts

databrackets Infographics on Rules of HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards to manage the use and disclosure of Protected Health Information (PHI). It is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization directly or indirectly working with PHI.

The Department of Health and Human Services (HHS) regulates HIPAA compliance while the Office for Civil Rights (OCR) enforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

While the Act was passed in 1996, there have been several amendments to keep up with technological advancement:

  • The Security Rule Amendment of 2003
  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards
  • The Privacy Rules Amendment of 2003
  • The HITECH Act and Breach Notification Rule of 2009
  • The Final Omnibus Rule of 2013

The Final Omnibus rule of 2013 streamlined HIPAA compliance rules to include any business that stores, manages, records, or transfers Protected Health Information (PHI). These businesses are called ‘Business Associates’ under HIPAA. This broad term includes all vendors and subcontractors who directly or indirectly work with Healthcare Providers.

Currently, HIPAA consists of 5 main rules:

  • HIPAA Privacy Rules
  • HIPAA Security Rules
  • HIPAA Enforcement Rules
  • HIPAA Breach Notification Rules
  • HIPAA Omnibus Rule

There are additional rules that relate to transactions and code sets, in addition to unique identifiers. HIPAA compliance focuses on specific data privacy rules to protect sensitive patient data. Its aim is to create a culture in the healthcare industry to ensure protected health information’s privacy, integrity, and security. Annual HIPAA training of all personnel who come in contact with patient data is one of many aspects of the Act that ensures all stakeholders are involved and they understand their role in protecting PHI.

We recommend that IT professionals, CTOs, and CISOs carefully examine the details of the Administrative, Technical, and Physical Safeguards outlined under the Security Rule to ensure their IT systems are HIPAA compliant.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:


Is HITRUST Worth The Investment?

HITRUST certification helps healthcare companies to effectively manage information risk. It is worth it if is considered an investment rather than a one-time cost.

Blog banner image databrackets is HITRUST worth it?

What is HITRUST?

HITRUST, or Health Information Trust Alliance, is a non-profit organization that uses the ‘HITRUST approach’ to help the healthcare industry control data protection standards and effectively manage data, information risk, and compliance. It’s similar to HIPAA, but instead of being written and enforced by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI (Payment Card Industry)-like enforcement system for businesses to adopt. HITRUST is a recommended framework trusted by many larger healthcare companies, health networks, and hospitals to manage risk along with other frameworks.


Why is HITRUST important?

In the United States, HITRUST is the healthcare industry’s security framework getting adopted primarily in hospitals It sets an industry-wide standard for handling Business Associate compliance. For a variety of reasons, HITRUST is slowly getting adopted in the healthcare industry along with other certifications:

HITRUST is updated daily to keep healthcare organizations up to date on new regulations and security threats. It is the most frequently updated security framework, with periodic updates and annual audit revisions. This ensures that those who follow the HITRUST CSF(Common Security Framework) work tirelessly to ensure their safety.

Some large payers need HITRUST. On February 8, 2016, five major healthcare payers assured their business associates that they would comply with the HITRUST CSF within two years. As a result, companies must consider “what HITRUST entails” and “what changes are needed to be made to achieve and maintain certification.”

HITRUST Certification has the strictest requirements with high-risk data that can demonstrate that an entity is a leader in compliance because they have the certification to back it up.

Is HITRUST worth it?

HITRUST Certification won’t be easy.

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority may be unprepared and caught off guard. This is due to the fact that many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria, but a third party must also audit them before being approved, and they must be recertified every other year.

Several businesses are taken aback by the HITRUST certification. Why?

  • Firstly, the cost of assessment and assessor services are high. Budgets are often tight, and data protection may be a substantial investment as the cost might be too steep for small and medium enterprises, and HITRUST might be perceived as more expensive. For enterprises, HITRUST Certification could be seen as an investment rather than an expense
  • Many customers are hesitant to invest in HITRUST because they fear failing
  • A company choosing to get HITRUST certified, must first adopt the HITRUST CSF (Common Security Framework) which is updated regularly with multiple versions. You need to stay on top of the update, use the right protocol and technologies to be able to use it effectively. This may be a daunting task for many companies
  • Assessment may include up to 400 control criteria and take upto 8 weeks depending on the scope and complexity of the company. This may be severely time consuming

The HITRUST Certification Fee


If you’re looking for a ballpark figure, the best guess will be $50,000 to $200,000, not including ongoing recertification costs. However, the range is so wide that it is ineffective for your business.

It depends on the assessment’s reach and the organization’s size, the state of its information system, and the steps taken to plan for a HITRUST assessment.


What exactly is included in this price?

Costs directly related to:

– The HITRUST MyCSF® gateway and services are made available

– Companies can take a readiness assessment and rating it

– Conducting a difference analysis, administering and rating a validated evaluation

Indirect costs incurred as a result of:

– Employee time spent on participation

– Security data recording and updating

– Initial setup

– Developing corrective action plans and remediation initiatives

– Assistance in locating and submitting necessary documents

Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. This is in addition to the three forms of protection required by HIPAA regulations, the 12 PCI DSS compliance standards, COBIT’s five domains, 37 processes, and the 80-100 controls included in a SOC 2 audit.

The HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and enforcement program, which is one of the most tangible benefits of the framework. It combines information management, financial services, technology, and healthcare standards. As a result, businesses will streamline their enforcement processes, resolve security concerns in all sectors, and reduce the time and expense associated with maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control must be assessed using the HITRUST Maturity Model, which has five levels.

The HITRUST CSF certification process covers much more ground than any other security evaluation. In most cases, 2,000-2,500 separate data points are examined. Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope.


The HITRUST CSF system was created to give enforcement programs more structure and continuity. Recent enhancements have also increased scoring accuracy over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved in its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program and work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. They must complete a training course, pass an exam, and retain certification through regular refresher courses. HITRUST helps organizations ensure the evaluation and certification process is accurate through service.

Can you have a data breach after a HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts did question the significance “what did it mean to be HITRUST certified?” given the scale and sheer magnitude in the numbers.

HITRUST Alternatives

The HITRUST CSF is a certifiable and widely accepted security framework with a list of prescriptive controls to demonstrate HIPAA compliance. However, as alternatives to HITRUST, several SMEs comply with other security governance frameworks like the National Institute of Standards and Technology [NIST], HIPAA, SOC Reports – SOC 1, 2, and 3 Form 1 and 2 and ISO 27001 Certification.

NIST is a set of voluntary guidelines, and processes that companies use to reduce the risk of a cybersecurity threat. It aims to improve security and resiliency by implementing 108 security controls to achieve NIST compliance.

Many HIPAA requirements may not be understood in accordance with their intended objectives. HITRUST aims to provide an integrated and holistic approach to demonstrate compliance with HIPAA security requirements.

HIPAA is a federal law with national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Based on the certification goals and requirements of our clients, we offer alternative frameworks NIST, ISO 27001 or SOC 2 certifications. Different certifications involve different costs and levels of efforts, so it is imperative to consider your size, requirement and budget before you seek certification. IF you company falls under a broad range of industries or comes under a regulated industry, SOC 2 may be the best option. If your company processes electronic health information, HITRUST may be the better option.

Talk to us to understand your certification category and know more information

About databrackets

databrackets certified privacy and security professionals could help your organization comply with a range of Certifications and Compliances that include HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing,  FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDPS Cybersecurity  Series, ISO 17020, and  ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databracket’s SaaS assessment platform, awareness training, policies, and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

American Association for Laboratory Accreditation (A2LA) has accredited databrackets for technical competence in and compliance with the Inspection Body Accreditation Program.

databrackets has been accredited by the American Association for Laboratory Accreditation (A2LA) as a Cybersecurity Inspection Body for ISO/IEC 17020:2012 vide its Certificate Number: 5998.01.

The Cybersecurity Inspection Body Program accreditation provides added trust and assurance in the quality of assessments performed by databrackets. A2LA’s third-party accreditation offers an independent review of databrackets’ compliance to both ISO/IEC 17020 (Requirements for the operation of various types of bodies performing inspections) as well as competence in technical program requirements for the desired scope of accreditation (I.e. SOC II, HIPAA/HITECH, PCI, etc.).

databrackets received accreditation by the International Accreditation Service (IAS] to provide ISO/IEC 27001 Certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

To learn more about the services, read here.