Let’s break down three key names in U.S. healthcare cybersecurity: HIPAA, HITECH and HITRUST. We’ll explain what they are, the differences between them, and how organisations can comply with them.
With healthcare cyber attacks being an average of $5.3 million, or about 20% more costly than other industries, protecting patient data is crucial, but also very challenging.
One of the ways that healthcare organisations can protect patient data is by following the various regulatory standards that govern the healthcare industry. Meeting these cybersecurity regulatory standards allows healthcare organisations to protect themselves against these damaging cyberattacks.
However, failing to do so, can cause reputational damage and steep fines.
HIPAA (the Health Insurance Portability and Accountability Act) is an American law that was introduced in 1996 to safeguard patients' Protected Health Information (PHI). The legislation requires healthcare organisations to implement effective measures to protect sensitive data like personal information and medical records.
There are four key pillars of HIPAA:
For a more in-depth look at HIPAA, read our full guide.
The 2009 HITECH Act (Health Information Technology for Economic and Clinical Health Act) was established to promote technological advancements in healthcare and science. In essence, HITECH has served to strengthen and update HIPAA.
It encouraged HIPAA-covered entities to adopt Electronic Health Records (EHRs), replacing traditional paper-based records and bringing about a more secure and innovative healthcare system.
HITECH made HIPAA enforcement tougher in a number of ways. For example, it amended the penalty structure to hold entities accountable for failing to implement safeguards, even for violations that occur without their direct knowledge.
HITECH also significantly strengthened Business Associate Agreement (BAAs), contracts that partners of HIPAA-covered entities must sign agreeing not to share PHI without authorisation. Under HITECH, both Business Associates and HIPAA-covered entities can now be fined for infractions originating at the Business Associate level.
The Health Information Trust Alliance (HITRUST) is a certification agency whose Common Security Framework helps healthcare organisations certify that they’ve achieved high cybersecurity standards and compliance with HIPAA and HITECH. It also integrates requirements from other frameworks like PCI-DSS, ISO/IEC 27001, and GDPR.
The CSF program guides an organisation and its members through modules designed to enhance information security, and it’s customised to the scope and size of an organisation. The CSF comprises 19 domains, including endpoint protection, mobile device security, and access control, with HITRUST certifying IT offerings against these areas.
Distinguishing between HIPAA, HITECH and HITRUST can get somewhat confusing. With that in mind, let’s clarify and summarise the key differences between them.
Legal weight and compliance requirements
Focus and objectives
These differences notwithstanding, HIPAA, HITECH and HITRUST are all ultimately aimed at getting healthcare organisations to have comprehensive, up-to-date cybersecurity protections in place.
There are two main groups that need to comply with HIPAA/HITECH: Covered and Non-Covered Entities:
As we’ve previously mentioned, HITECH extended the HIPAA Security Rule to cover business associates of affected healthcare organisations.
If you’re not sure whether you’re a covered entity, here’s a tool to help you determine this.
Failing to comply with HIPAA and HITECH can result in steep legal penalties and fines. HITECH strengthened HIPAA enforcement by increasing the financial penalties for non-compliance, with the maximum annual penalty standing at $2,067,813 (as of 2024).
Penalties for HITECH and HIPAA violations vary based on the severity of the incident and the promptness of corrective measures.. Tier 4 - ‘Wilful Neglect’ that isn’t remedied within 30 days - carries the highest penalties per violation. However, being unaware that they’re non-compliant doesn’t get accidental violators off the hook. Committing enough Tier 1 - ‘Lack of Knowledge’ - penalties can still result in receiving the $2,067,813 maximum annual penalty.
The reputational damage of failures to protect sensitive patient data can be even costlier than legal penalties. Aon and Pentland Analytics research highlights that some companies saw a 25% fall in market value in the year after suffering a data breach, pointing to significant long-term reputational damage.
HITRUST is a voluntary certification so it’s not legally mandatory to follow it. However, as it’s a widely-followed framework for healthcare cybersecurity, not being HITRUST certified could harm an organisation’s reputation.
While the HITRUST certification will help you with taking these measures, we feel it’s worth highlighting some key actions to focus on.
These include:
Metomic's data security software enables healthcare organisations to secure sensitive data, helping with regulatory compliance.
Metomic provides a comprehensive tool for managing sensitive patient data in the cloud. Our platform includes features such as automated discovery of PII and PHI, strong access controls, and real-time monitoring of data risks.
These tools allow healthcare teams to proactively identify and mitigate risks, ensuring the confidentiality, integrity, and availability of patient information.
With Metomic, healthcare organisations can streamline compliance efforts and data security management. This allows them to provide high-quality patient care without compromising data security.
Book a personalised demo with Metomic to learn how our solutions can protect your patient data.