WHAT IS THE DIFFERENCE BETWEEN HIPAA, HITECH, AND HITRUST STANDARDS IN HEALTHCARE?

Introduction

6 min readJun 24, 2022

HIPAA, HITECH, and HITRUST are topics that are commonly referred to within the healthcare information technology (IT) space, since these three entities all relate in a certain way to the protection and security of health information. Although HIPAA, HITECH, and HITRUST are all interrelated in this way, they have distinct differences that bestow specific functions in the data privacy and information security space.

A clear understanding of the intricacies amongst these three complex topics is necessary in every discipline that encompasses healthcare systems. However, they are often confused with one another since they overlap in nature. In short, HIPAA is an act that outlines the compliance expectations for the protection of health information, including transmission and management. HITECH, which falls under the HIPAA umbrella, expands the latter to include additional modernized legislation that broadens the scope of health information security and protection. Lastly, HITRUST is an organization that provides certification to organizations for demonstrated compliance with both HIPAA and HITECH regulations.

Because HIPAA, HITECH, and HITRUST all have broad implications to the protection and privacy of information and healthcare IT, the differences amongst them should be well understood. To clarify these differences, this article will further explain the purpose of each entity, identify distinctions between them, and elucidate the relationship and interplay amongst the triad.

HIPAA

HIPAA, which is short for the Health Insurance Portability and Accountability Act, was first enacted in August of 1996. This act required that the United States Department of Health and Human Services (DHHS) Secretary issue national guidelines for the security of electronic protected health information (e-PHI), electronic interchange, and health information privacy as well as security. The three tiers of necessary health information exchange under HIPAA include treatment, payment, and operations. During a time of immense technological advancement, HIPAA also established to accommodate the modernization occurring within the healthcare industry. Most notably, this set of regulations addressed the advancements of technology and telecommunication within the healthcare industry, aiming to legislate issues surrounding data access, privacy, and sharing.

HIPAA also established several rights for those in the United States that receive health care services under the Privacy Rule. The Privacy Rule established standards regarding an individual’s right to personal health information accessibility, how an individual’s protected information is used, and an individual’s entitlement to understand and influence the way their health information is utilized. Through these mechanisms, the Privacy Rule ensures the protection of an individual’s health information, while also allowing access to those that need it to make informed medical and administrative decisions. Therefore, the Privacy Rule is flexible enough to be applied to an array of use cases related to the exchange of health information.

Since HIPAA was enacted at the beginning of the dot-com era, technology has only further advanced to what we know it to be today. Along with these developments, the utilization of health information and its privacy also had to adapt to a more modern and evolving electronic landscape. As such, the Health Information Technology for Economic and Clinical Health Act was passed

HITECH

The HIPAA Privacy Rule was modernized with the inception of the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act was passed by Congress in 2009, representing a new piece of legislation under HIPAA. HITECH added valuable updates to HIPAA that encouraged the use of secure electronic health records (EHR) and expanded the scope of responsibility surrounding covered entities. These major additions included:

Ability of patients to access their electronic health information
Incentives for companies and institutions to implement EHRs
Expansion of HIPAA-covered entities to include business associates
More stringent penalties for HIPAA violations
Rules for addressing data breaches

These additions are further described in detail below.

Patient Access

HITECH expands HIPAA by not just regulating the protection of health information but also the way it to shared electronically amongst patients, physicians, and healthcare systems. Under HITECH, an individual has the right to access their electronic health information held by covered entities and their business associates. In an instance where a covered entity utilizes an EHR to maintain an individual’s PHI, it is the individual’s right to obtain a copy of the PHI electronically, if desired. Additionally, the individual can ask the entity to provide a copy to another entity or designated individual, given that the decision is both clear and specific.

Business Associates

The HITECH Act also enacted new requirements for HIPAA-covered entities, particularly with regards to business associates. A business associate is defined as an individual or entity that performs specific duties or responsibilities requiring the use or exchange of protected health information. Business associates work on behalf of a covered entity. The HITECH Act ensures that such business associates of covered entities comply with HIPAA rules.

In 2013, the DHHS Office for Civil Rights (OCR) provided a ruling to change the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules. Amongst these changes was a final rule that ensures HIPAA Rules also apply to business associates. Therefore, business associates are considered directly liable for HIPAA violations, which expands the requirements of HIPAA beyond just hospitals and insurance companies and furthermore applies to anyone managing PHI.

Penalties

Outside of its inclusion of business associates, the HITECH Act also expanded the range of the HIPAA Privacy and Security Rules. This expansion implemented several provisions and more intense penalties for non-compliance, thereby increasing criminal and civil enforcement. For example, the HITECH Act implemented four hierarchical categories of violations, with each level having a corresponding penalty. The penalty amounts increase significantly with each violation, with penalty amounts extending up to $1.5 million.

Data breaches

HIPAA provides foundational guidelines surrounding the release of information, while HITECH builds upon these standards regarding data breaches. In the event of an unsecured breach, HITECH outlines notification requirements for covered entities to abide by. HIPAA-covered entities are required to alert affected individuals after any level of a data breach. For breaches that affect less than 500 people, entities should notify the DHHS Secretary annually. If the breach affects greater than 500 people, the entity must contact both the DHHS Secretary as well as the media immediately. This change holds covered entities and business associates accountable to specific government bodies and the affected individual(s) for providing adequate protection of such health information.

HITRUST

Another term that is frequently associated with HIPAA and HITECH is HITRUST. HITRUST, also known as the Health Information Trust Alliance, is not a law like HIPAA or HITECH. Instead, it is a well-known private organization. Founded in 2007, HITRUST created a Common Security Framework (CSF), which offers an approach for organizations to ensure adherence to several regulatory standards as well as risk management.

The CSF provides a method that can be utilized by all types of entities to create, maintain, and exchange sensitive or regulated information. The HITRUST CSF integrates with nationally and internationally accepted security and privacy-related standards, including HIPAA, ISO, NIST, PCI, and GDPR. By doing so, it provides a widespread set of security and privacy controls to ensure compliance across the globe.

Not all the controls contained within the CSF are relevant to HIPAA standards, however, all HIPAA requirements are embedded within the framework.

The interplay between HIPAA, HITECH, and HITRUST

Anyone who manages PHI, including companies like TechBlocks, must comply with HIPAA and associated HITECH regulations. The implementation of the HITECH Act both changed and strengthened the pre-existing foundational HIPAA legislation. As aforementioned, the HITECH Act strengthens HIPAA in several ways, most notably via the inclusion of the breach notification rule, the accountability of business associates in data breaches, and the expansion of the violation and penalty infrastructure. These changes impact businesses, specifically in our sector, who must develop solutions to address both sets of rules.

It is important for any organization that utilizes protected health information to be HIPAA compliant. However, no HIPAA certification existed to prove compliance until the enactment of HITRUST. HITRUST establishes a standardization of compliance for any institution by upholding HIPAA and HITECH standards.