HIPAA is mandatory. If you touch ePHI on behalf of a Covered Entity, you're already legally required to comply. There's no "HIPAA certification" you can buy — it's the legal baseline.
HITRUST is voluntary. A private certification framework you pursue when (a) customers demand it, or (b) you want a single audited certification that demonstrates HIPAA + ISO + NIST compliance to multiple buyers at once.
Most healthtech startups: implement HIPAA controls first, get SOC 2 Type II second, pursue HITRUST only when a customer requires it in a signed contract.
What HIPAA is
HIPAA is the Health Insurance Portability and Accountability Act of 1996 — a US federal law enforced by HHS's Office for Civil Rights (OCR). It has multiple rules; the ones you care about as a healthtech vendor are the Security Rule (technical safeguards for ePHI) and the Privacy Rule (how PHI can be used and disclosed).
You don't "get HIPAA certified." You either comply or you don't. OCR doesn't issue certificates. Auditors and customers might attest to your HIPAA posture (via a HIPAA gap assessment), but it's not a recognized certification scheme.
See our HIPAA Compliance for SaaS guide and 47-item HIPAA checklist for what implementation actually looks like.
What HITRUST is
HITRUST (Health Information Trust Alliance) is a private organization that publishes the HITRUST CSF (Common Security Framework). Unlike HIPAA, HITRUST is:
- Voluntary — no law mandates it.
- Audited and certified — by HITRUST-authorized assessor firms.
- Unified — maps controls to HIPAA + ISO 27001 + NIST CSF + PCI DSS + GDPR + others. One certification, multiple compliance demonstrations.
- Tailored — the r2 assessment is risk-scoped to your specific business, so two HITRUST-certified vendors may have implemented different control sets.
Buyers (large hospital systems, payers like Anthem / Highmark / Cigna, some pharma, some health-data clearinghouses) increasingly require HITRUST CSF certification from vendors handling ePHI at scale.
The 3 HITRUST CSF assessment types
| Assessment | Controls | Validity | Use case |
|---|---|---|---|
| e1 (Essentials) | ~44 | 1 year | Foundational cybersecurity. Entry-level certificate. Useful for early-stage healthtech demonstrating commitment. |
| i1 (1-year Implemented) | ~182 | 1 year | Common starting point. Broader scope but standardized control set — no risk-tailoring. |
| r2 (Risk-based 2-year) | Varies — typically 200-400+ | 2 years, with interim assessment year 1 | The gold standard. Risk-tailored to your business. Required by most large healthcare buyers. |
Side-by-side
| HIPAA | HITRUST CSF | |
|---|---|---|
| Type | US federal law | Private certification framework |
| Mandatory? | Yes, if you touch ePHI | No — voluntary |
| Issuing body | HHS / OCR | HITRUST Alliance |
| Certification? | None — you self-assess + attest | Yes — third-party-audited certificate |
| License fees | $0 | Annual subscription to HITRUST |
| Implementation cost | ~$25-150K depending on scope | e1 $20-50K; i1 $40-100K; r2 $50-200K initial + $20-50K annual interim |
| Validity | Ongoing compliance — no expiration | e1/i1: 1 year. r2: 2 years. |
| What buyers ask for | "Confirm HIPAA compliance" | "Provide HITRUST CSF certification letter" |
| Penalties | HHS civil penalties (up to $1.5M/year per category) | Loss of certificate; commercial impact only |
The decision matrix
Pursue HIPAA only (no HITRUST)
- You're pre-seed or seed-stage healthtech with no customer requirements yet
- Your customers are smaller clinics, mid-market SaaS, or direct-to-consumer
- You haven't signed an NDA with a Fortune-500 hospital system or large payer
- Total scope: small dev team, single product, limited ePHI volume
Pursue HIPAA + SOC 2 Type II (still no HITRUST)
- You're Series A growing, need a recognized commercial security attestation
- Your buyers ask for "your security program" — they care, but haven't named HITRUST
- You're also selling to non-healthcare buyers (general SaaS, fintech) — SOC 2 is the universal currency
Pursue HITRUST CSF e1 or i1 (along with HIPAA)
- A specific customer requires HITRUST in their procurement docs but isn't strict on assessment type
- You want a stepping stone toward r2 over 12-24 months
- Budget is tight; e1 demonstrates commitment without the r2 cost
Pursue HITRUST CSF r2 (along with HIPAA)
- A signed contract with a major hospital system or payer requires "HITRUST CSF validated assessment"
- You handle PHI at scale (millions of records, sensitive specialties like behavioral health)
- Multi-state operations where state-level requirements pile onto HIPAA
- You're Series B+ with budget and a 12-18 month runway to certify
How HITRUST controls cover HIPAA
HITRUST CSF was designed to subsume HIPAA's Security Rule. When you implement HITRUST controls:
- HIPAA §164.308 (Administrative Safeguards) → covered by HITRUST control categories 01-04 (Information Security Management Program, Access Control, Human Resources Security, Risk Management)
- HIPAA §164.310 (Physical Safeguards) → covered by HITRUST category 08 (Physical and Environmental Security)
- HIPAA §164.312 (Technical Safeguards) → covered by HITRUST categories 01, 09, 10 (Access Control, Communications Operations Management, Information Systems Acquisition)
- HIPAA Breach Notification Rule → covered by HITRUST category 11 (Information Security Incident Management)
A HITRUST r2 certificate effectively demonstrates HIPAA Security Rule compliance to most buyers without them needing to evaluate you against HIPAA separately. That's the value prop.
Typical healthtech path
- Year 0 (founding): Implement HIPAA Security + Privacy Rule controls. Sign BAAs with subprocessors. Get a HIPAA gap assessment from a third party (not a certification — just a written opinion).
- Year 1-2: Pursue SOC 2 Type II — most commercial healthcare buyers accept SOC 2 as "good enough" for general security. Layer on HITRUST e1 if customer demand starts emerging.
- Year 2-3: When the first large hospital system or payer puts HITRUST in a procurement requirement, start the i1 → r2 progression. Budget $150-300K and 12-18 months for r2.
- Ongoing: Maintain HIPAA forever, refresh SOC 2 annually, recertify HITRUST every 2 years.