HIPAA · HITRUST

HIPAA vs HITRUST, without the marketing.

HIPAA is a mandatory US federal law for any organization handling Protected Health Information; HITRUST CSF is a voluntary private certification framework that maps to HIPAA, ISO 27001, NIST CSF, and other standards in one audited certificate. Most healthtech startups must comply with HIPAA but only pursue HITRUST when a major hospital system or payer requires it in a procurement contract.

TL;DR

HIPAA is mandatory. If you touch ePHI on behalf of a Covered Entity, you're already legally required to comply. There's no "HIPAA certification" you can buy — it's the legal baseline.

HITRUST is voluntary. A private certification framework you pursue when (a) customers demand it, or (b) you want a single audited certification that demonstrates HIPAA + ISO + NIST compliance to multiple buyers at once.

Most healthtech startups: implement HIPAA controls first, get SOC 2 Type II second, pursue HITRUST only when a customer requires it in a signed contract.

What HIPAA is

HIPAA is the Health Insurance Portability and Accountability Act of 1996 — a US federal law enforced by HHS's Office for Civil Rights (OCR). It has multiple rules; the ones you care about as a healthtech vendor are the Security Rule (technical safeguards for ePHI) and the Privacy Rule (how PHI can be used and disclosed).

You don't "get HIPAA certified." You either comply or you don't. OCR doesn't issue certificates. Auditors and customers might attest to your HIPAA posture (via a HIPAA gap assessment), but it's not a recognized certification scheme.

See our HIPAA Compliance for SaaS guide and 47-item HIPAA checklist for what implementation actually looks like.

What HITRUST is

HITRUST (Health Information Trust Alliance) is a private organization that publishes the HITRUST CSF (Common Security Framework). Unlike HIPAA, HITRUST is:

Buyers (large hospital systems, payers like Anthem / Highmark / Cigna, some pharma, some health-data clearinghouses) increasingly require HITRUST CSF certification from vendors handling ePHI at scale.

The 3 HITRUST CSF assessment types

AssessmentControlsValidityUse case
e1 (Essentials)~441 yearFoundational cybersecurity. Entry-level certificate. Useful for early-stage healthtech demonstrating commitment.
i1 (1-year Implemented)~1821 yearCommon starting point. Broader scope but standardized control set — no risk-tailoring.
r2 (Risk-based 2-year)Varies — typically 200-400+2 years, with interim assessment year 1The gold standard. Risk-tailored to your business. Required by most large healthcare buyers.

Side-by-side

HIPAAHITRUST CSF
TypeUS federal lawPrivate certification framework
Mandatory?Yes, if you touch ePHINo — voluntary
Issuing bodyHHS / OCRHITRUST Alliance
Certification?None — you self-assess + attestYes — third-party-audited certificate
License fees$0Annual subscription to HITRUST
Implementation cost~$25-150K depending on scopee1 $20-50K; i1 $40-100K; r2 $50-200K initial + $20-50K annual interim
ValidityOngoing compliance — no expiratione1/i1: 1 year. r2: 2 years.
What buyers ask for"Confirm HIPAA compliance""Provide HITRUST CSF certification letter"
PenaltiesHHS civil penalties (up to $1.5M/year per category)Loss of certificate; commercial impact only

The decision matrix

Pursue HIPAA only (no HITRUST)

Pursue HIPAA + SOC 2 Type II (still no HITRUST)

Pursue HITRUST CSF e1 or i1 (along with HIPAA)

Pursue HITRUST CSF r2 (along with HIPAA)

How HITRUST controls cover HIPAA

HITRUST CSF was designed to subsume HIPAA's Security Rule. When you implement HITRUST controls:

A HITRUST r2 certificate effectively demonstrates HIPAA Security Rule compliance to most buyers without them needing to evaluate you against HIPAA separately. That's the value prop.

Big caveat: HITRUST certification is NOT a legal substitute for HIPAA. If OCR investigates a breach, they evaluate you against HIPAA itself. HITRUST gives you commercial credibility, not legal immunity.

Typical healthtech path

  1. Year 0 (founding): Implement HIPAA Security + Privacy Rule controls. Sign BAAs with subprocessors. Get a HIPAA gap assessment from a third party (not a certification — just a written opinion).
  2. Year 1-2: Pursue SOC 2 Type II — most commercial healthcare buyers accept SOC 2 as "good enough" for general security. Layer on HITRUST e1 if customer demand starts emerging.
  3. Year 2-3: When the first large hospital system or payer puts HITRUST in a procurement requirement, start the i1 → r2 progression. Budget $150-300K and 12-18 months for r2.
  4. Ongoing: Maintain HIPAA forever, refresh SOC 2 annually, recertify HITRUST every 2 years.

Run HIPAA and HITRUST in one platform.

Pre-mapped control libraries for HIPAA and HITRUST CSF, evidence collection that satisfies both, and a single audit-ready posture. 7-day trial.

Start your free trial →