Key points

• HIPAA, HITECH, and HITRUST are key players in U.S. healthcare cybersecurity, each with distinct roles in safeguarding patient data and ensuring compliance.
• HIPAA focuses on patient data protection, while HITECH strengthens and modernises HIPAA provisions.
• HITRUST offers a voluntary certification framework, integrating cybersecurity standards to guide organisations through rigorous compliance.
• Metomic's data security software provides tools to secure patient data in the cloud, streamlining compliance efforts and data security management.

With healthcare cyber attacks being an average of $5.3 million, or about 20% more costly than other industries, protecting patient data is crucial, but also very challenging.

One of the ways that healthcare organisations can protect patient data is by following the various regulatory standards that govern the healthcare industry. Meeting these cybersecurity regulatory standards allows healthcare organisations to protect themselves against these damaging cyberattacks.

However, failing to do so, can cause reputational damage and steep fines.

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act) is an American law that was introduced in 1996 to safeguard patients' Protected Health Information (PHI). The legislation requires healthcare organisations to implement effective measures to protect sensitive data like personal information and medical records.

There are four key pillars of HIPAA:

• The Privacy Rule: Aims to protect patient data, without preventing it from being used to facilitate high-quality healthcare. It requires covered entities to, for instance, record PHI disclosures and receive patients’ consent before sharing their information.
• The Security Rule: Focuses on protecting electronic PHI. Covered entities must ensure that this data is protected during transmission over networks and that devices storing it are secure. They must also conduct regular risk assessments and educate employees on proper safeguarding procedures for electronic PHI.
• The Breach Notification Rule: Requires U.S. healthcare companies to notify all affected individuals, the U.S. Department of Health and Human Services (HHS), and any other relevant regulatory agencies within 60 days of a data breach.
• The Enforcement Rule: Outlines how the Office for Civil Rights (OCR) investigates organisations that don’t comply with HIPAA. This includes investigating businesses and the breach in question following complaints, enforcing penalties, and recommending corrective actions to ensure future compliance.

For a more in-depth look at HIPAA, read our full guide.

What is HITECH?

The 2009 HITECH Act (Health Information Technology for Economic and Clinical Health Act) was established to promote technological advancements in healthcare and science. In essence, HITECH has served to strengthen and update HIPAA.

It encouraged HIPAA-covered entities to adopt Electronic Health Records (EHRs), replacing traditional paper-based records and bringing about a more secure and innovative healthcare system.

HITECH made HIPAA enforcement tougher in a number of ways. For example, it amended the penalty structure to hold entities accountable for failing to implement safeguards, even for violations that occur without their direct knowledge.

HITECH also significantly strengthened Business Associate Agreement (BAAs), contracts that partners of HIPAA-covered entities must sign agreeing not to share PHI without authorisation. Under HITECH, both Business Associates and HIPAA-covered entities can now be fined for infractions originating at the Business Associate level.

What is HITRUST?

The Health Information Trust Alliance (HITRUST) is a certification agency whose Common Security Framework helps healthcare organisations certify that they’ve achieved high cybersecurity standards and compliance with HIPAA and HITECH. It also integrates requirements from other frameworks like PCI-DSS, ISO/IEC 27001, and GDPR.

The CSF program guides an organisation and its members through modules designed to enhance information security, and it’s customised to the scope and size of an organisation. The CSF comprises 19 domains, including endpoint protection, mobile device security, and access control, with HITRUST certifying IT offerings against these areas.

What are the key differences between them?

Distinguishing between HIPAA, HITECH and HITRUST can get somewhat confusing. With that in mind, let’s clarify and summarise the key differences between them.

Legal weight and compliance requirements

• HIPAA is a federal law that requires healthcare organisations to safeguard patient data. Compliance is mandatory for covered entities.
• HITECH is a federal law introduced after HIPAA, aimed at strengthening and complementing its provisions (for example, by adding breach notification requirements).
• HITRUST is a voluntary certification and cybersecurity framework that helps healthcare organisations comply with HIPAA and HITECH. Although it’s voluntary, it has been widely adopted globally because of its rigour.

Focus and objectives

• HIPAA is focused on compelling healthcare organisations to protect patient data.
• HITECH is focused on promoting healthcare and science digitalisation, as well as strengthening and modernising HIPAA.
• HITRUST aims to help healthcare organisations understand what they need to do to comply with HIPAA and HITECH and guide them through a certification process for doing so.

These differences notwithstanding, HIPAA, HITECH and HITRUST are all ultimately aimed at getting healthcare organisations to have comprehensive, up-to-date cybersecurity protections in place.

Who has to comply?

There are two main groups that need to comply with HIPAA/HITECH: Covered and Non-Covered Entities:

• Covered Entities: including health plans, clearinghouses, and certain healthcare providers like doctors, pharmacies, and dentists who submit electronic claims.
• Non-Covered Entities: organisations not bound by the Privacy Rule, like wearable tech companies, health apps, or providers not dealing with electronic data.

As we’ve previously mentioned, HITECH extended the HIPAA Security Rule to cover business associates of affected healthcare organisations.

If you’re not sure whether you’re a covered entity, here’s a tool to help you determine this.

What are the consequences of not complying?

Failing to comply with HIPAA and HITECH can result in steep legal penalties and fines. HITECH strengthened HIPAA enforcement by increasing the financial penalties for non-compliance, with the maximum annual penalty standing at ​​$2,067,813 (as of 2024).

Penalties for HITECH and HIPAA violations vary based on the severity of the incident and the promptness of corrective measures.. Tier 4 - ‘Wilful Neglect’ that isn’t remedied within 30 days - carries the highest penalties per violation. However, being unaware that they’re non-compliant doesn’t get accidental violators off the hook. Committing enough Tier 1 - ‘Lack of Knowledge’ - penalties can still result in receiving the $2,067,813 maximum annual penalty.

The reputational damage of failures to protect sensitive patient data can be even costlier than legal penalties. Aon and Pentland Analytics research highlights that some companies saw a 25% fall in market value in the year after suffering a data breach, pointing to significant long-term reputational damage.

HITRUST is a voluntary certification so it’s not legally mandatory to follow it. However, as it’s a widely-followed framework for healthcare cybersecurity, not being HITRUST certified could harm an organisation’s reputation.

Key steps for compliance

While the HITRUST certification will help you with taking these measures, we feel it’s worth highlighting some key actions to focus on.

These include:

1. Conduct regular risk assessments to identify any potential patient data vulnerabilities. By thoroughly assessing security risks to their cloud infrastructure and applications, healthcare organisations can proactively address them and implement more effective security controls.
2. Implement comprehensive safeguards such as encryption, access controls, and intrusion detection systems to protect sensitive patient data in the cloud. These safeguards prevent unauthorised access and ensure patient data is secure.
3. Establish Business Associate Agreements (BAAs) when collaborating with cloud service providers to ensure HIPAA compliance. BAAs define the responsibilities of both parties regarding data protection and privacy, setting clear expectations for securely handling patient information.
4. Respond rapidly to detected breaches. Healthcare organisations must have response plans in place to contain breaches, mitigate damage, and notify affected individuals as required by HIPAA regulations.
5. Give employees comprehensive training on cyber awareness and HIPAA compliance. As 88% of breaches stem from human error, education is crucial for protecting patient data. Read our full guide to HIPAA training to learn more.

How can Metomic help organisations to comply?

Metomic's data security software enables healthcare organisations to secure sensitive data, helping with regulatory compliance.

Metomic provides a comprehensive tool for managing sensitive patient data in the cloud. Our platform includes features such as automated discovery of PII and PHI, strong access controls, and real-time monitoring of data risks.

These tools allow healthcare teams to proactively identify and mitigate risks, ensuring the confidentiality, integrity, and availability of patient information.

With Metomic, healthcare organisations can streamline compliance efforts and data security management. This allows them to provide high-quality patient care without compromising data security.

To find out more how Metomic can help you stay HIPAA compliant, download our one-pager today.