How HIPAA, HITRUST CSF, and NIST CSF Boost Data Security

In the past decade, the healthcare sector has seen exponential technological growth, and we can’t deny the advantages and convenience it brings to patients and healthcare professionals.

So, what is the problem?

Well… we know that convenience and security do not always go hand in hand, and far too often the security side is the one that gets overlooked.

This is why we have created this simplified guide to help you understand how HIPAA, HITRUST CSF, and NIST CSF work together in data security to protect organizations’ critical data.

Let’s jump right in!

Table of Contents

  1. Data security in healthcare
  2. HIPAA and Data Security
  3. HIPAA in perspective
  4. How NIST CSF helps you with data protection
  5. How HITRUST CSF elevates data security
  6. One Framework to Rule Them All

Data Security in Healthcare

One study that compiled data breaches across sectors between 2015 and 2019 shows the healthcare sector in the lead. A more recent IBM Cost of a Data Breach report likewise ranks healthcare as the costliest industry, at a global average of $9.23 million per breach.

Does this mean that, across sectors, the healthcare industry has the weakest cybersecurity posture?

Not necessarily. It is largely a function of the sheer quantity of sensitive data the healthcare sector holds, which makes it both a larger target and a more expensive one to breach.

Check out the following graph to see the number of data breaches per industry.

[Image: number of data breaches per industry, 2015 to 2019]

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) aims to protect patients’ Protected Health Information (PHI) and address exactly this problem.

Failure to comply with HIPAA has resulted in numerous penalties and at least motivated the healthcare industry to take data security seriously.  

Check this Definitive Guide to the HIPAA Security Rule to learn everything you need to know!

HIPAA and Data Security 

HIPAA outlines the technical, administrative, and physical safeguards institutions must put in place.

What for?

To ensure the Confidentiality, Integrity, and Availability (commonly known as the CIA triad) of the electronic PHI (ePHI).

More importantly, this set of regulations is not limited to hospitals. It applies to covered entities (health plans, healthcare clearinghouses, and healthcare providers) and to their business associates: any third party that creates, receives, stores, processes, or transmits PHI on their behalf.

Some of the prominent rules in HIPAA are listed below, including those added or strengthened under the Health Information Technology for Economic and Clinical Health (HITECH) Act:

  • Privacy Rule: Sets the standards for how PHI, including medical records, may be used and disclosed. Beyond treatment, payment, and healthcare operations, disclosure generally requires the patient’s written authorization.
  • Security Rule: Specifies the administrative, physical, and technical safeguards for protecting ePHI while it is stored, transmitted, accessed, or processed.
  • Enforcement Rule: Sets out the investigation procedures and the civil money penalties that give the other rules their teeth.
  • Breach Notification Rule: After a breach of unsecured PHI, affected individuals and the Department of Health and Human Services (HHS) must be notified without unreasonable delay and no later than 60 days after the breach is discovered; breaches affecting more than 500 individuals also require notifying prominent media outlets.
  • Minimum Necessary standard: Part of the Privacy Rule; restricts uses, disclosures, and requests of PHI to the minimum necessary for the purpose at hand.

But wait…

HIPAA does not prescribe specific security controls; it describes them at a high level, as required or addressable implementation specifications. One example from the Security Rule is simply to “Implement a mechanism to encrypt and decrypt electronic protected health information.” Nothing says which algorithm, mode, key length, or key-management practice counts.

Initially, this may not seem like a significant issue, but any seasoned information security professional can vouch for the convoluted mess it can cause.
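To make that concrete, here is an added example (not from the original article, from HIPAA, or from NIST) in Go using only the standard library. Both encryption paths below satisfy the literal text of the specification, since each is “a mechanism to encrypt and decrypt” ePHI. Only the second, AES-GCM as specified in NIST SP 800-38D, is a control a framework-based assessor would accept: raw AES-ECB reveals which blocks of a record are identical and cannot detect tampering, while GCM hides structure and rejects modified ciphertext. The sample record and the hard-coded key are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record (not real patient data). The identifier is
// deliberately repeated in two 16-byte blocks so block structure is visible.
var sampleEPHI = []byte(
	"MRN:000123456789" + // block 1: identifier
		"DX:E11.9 HBA1C:9" + // block 2: diagnosis
		"MRN:000123456789" + // block 3: identifier repeated
		"RX:METFORMIN 500") // block 4: prescription

// demoKey is a hard-coded 256-bit key for this demo only. Real keys come
// from a KMS/HSM, never from source code.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// ecbApply runs raw AES block by block: no IV, no integrity. Identical
// plaintext blocks give identical ciphertext blocks, and nothing tells the
// decryptor whether the data was altered. Padding is omitted on purpose.
func ecbApply(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("input must be block aligned (no padding in this demo)")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

func encryptECB(key, pt []byte) ([]byte, error) { return ecbApply(key, pt, false) }
func decryptECB(key, ct []byte) ([]byte, error) { return ecbApply(key, ct, true) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptGCM uses AES-GCM with a fresh random 96-bit nonce prepended to the
// output. Equal plaintext blocks no longer match, and the authentication tag
// makes any modification detectable on decrypt.
func encryptGCM(key, pt []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// decryptGCM splits off the nonce and verifies the tag; it returns an error
// instead of silently handing back corrupted ePHI.
func decryptGCM(key, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// hasRepeatedBlocks reports whether any two 16-byte blocks are equal, the
// tell-tale sign of ECB on structured data.
func hasRepeatedBlocks(data []byte) bool {
	seen := make(map[[16]byte]bool)
	for i := 0; i+16 <= len(data); i += 16 {
		var b [16]byte
		copy(b[:], data[i:i+16])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// tamper returns a copy of data with one bit flipped at index i, simulating
// corruption or deliberate modification of stored ciphertext.
func tamper(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

func main() {
	ecb, _ := encryptECB(demoKey, sampleEPHI)
	gcm, _ := encryptGCM(demoKey, sampleEPHI)
	fmt.Println("ECB leaks repeated blocks:", hasRepeatedBlocks(ecb)) // true
	fmt.Println("GCM leaks repeated blocks:", hasRepeatedBlocks(gcm)) // false
	pt, err := decryptECB(demoKey, tamper(ecb, 0))
	fmt.Println("ECB returned corrupted record without error:", err == nil && !bytes.Equal(pt, sampleEPHI))
	_, err = decryptGCM(demoKey, tamper(gcm, len(gcm)-1))
	fmt.Println("GCM rejected tampered record:", err != nil)
}
```

The point for a compliance reviewer: an auditor reading only HIPAA’s text has no basis to fail the ECB version, whereas a framework that names the mode (or points at NIST’s approved modes) does. When reviewing a vendor’s “we encrypt ePHI” claim, ask for the algorithm, the mode, the nonce/IV handling, and where the keys live.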

HIPAA in Perspective

Take a single healthcare institute that outsources several services and products. Under HIPAA, every one of those business associates must comply with the regulation. But because HIPAA’s requirements are open to interpretation, the institute receives a stack of equally subjective I-can-vouch-for audit reports, each produced by a different audit firm against a different reading of the rules. Assessing vendor compliance becomes a complete nightmare.

This is where additional security frameworks save the day. They define concrete requirements for the security controls, which makes compliance easier to demonstrate and gives your organization a more robust cybersecurity structure.

NIST CSF is one of those frameworks.

How NIST CSF helps you with data protection

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) lays out cybersecurity best practices and recommendations for organizations of all sizes and sectors. It is not a mandatory framework.

This means that your organization will not face any penalties for not being compliant with NIST CSF. Instead, it is more of a guidance manual that you can use for establishing or improving an organization’s existing information security framework. Furthermore, it is helpful where mandatory regulations like HIPAA fail to specify the details.

NIST Special Publication 800-53 (SP 800-53) goes further and catalogs controls at a granular level, organized into control families, for selection based on risk analysis. The fifth revision describes 256 base controls and 666 additional control enhancements.

NIST CSF is a concise framework that executives, or anyone without a technical background, can follow, whereas the current SP 800-53 runs to 492 pages. NIST also publishes mappings from the SP 800-53 controls to both the CSF and ISO 27001.

[Image: NIST Cybersecurity Framework]

This is all good for the security framework of your business, but does compliance with NIST CSF ensure compliance with HIPAA?  

Well… not exactly.

It is really a baseline for understanding which controls to implement. You still have to go the extra mile to ensure compliance with HIPAA.

Then what are we doing here? Hold on, keep reading.

Maintaining compliance with multiple regulations and frameworks can be highly complex and time-consuming. Moreover, the audit cost starts to add up, especially for Small and Medium Businesses (SMBs) without unlimited budgets. 

The same is true for healthcare institutes, whose first priority has to be saving lives. To address this, a group of security domain experts assembled to form the Health Information Trust Alliance (HITRUST).

How HITRUST CSF elevates data security

The HITRUST Common Security Framework (CSF) was devised as a common framework for organizations to secure their business and manage risk effectively.

It was initially created to make HIPAA compliance easier but has since expanded to cover other sectors. HITRUST CSF lives up to its name: version 9 incorporates requirements from several other regulations and frameworks, including HIPAA, HITECH, NIST, ISO 27001, GDPR, PCI DSS, and many more.

As mentioned previously, HITRUST aims to create a common framework covering the best practices for effective information security in any business. It already incorporates the requirements of NIST CSF and, as a bonus, issues a certification to organizations that demonstrate compliance. More and more organizations, especially in healthcare, are opting for it.

But the certificate is not the only reason to aim for HITRUST CSF.

We established that HIPAA does not spell out concrete security requirements for its regulations, and that NIST CSF previously filled that role. Now that HITRUST CSF has emerged as a more encompassing framework that builds on those sources, healthcare institutes have a more direct path toward compliance.

Does compliance with HITRUST CSF mean you satisfy the requirements of HIPAA?

In practice, largely yes, as long as you are not cutting corners: HITRUST CSF incorporates the HIPAA requirements, so a validated HITRUST assessment demonstrates the controls HIPAA demands. Be aware, though, that HHS does not recognize any certification as proof of HIPAA compliance; the legal obligation remains your organization’s. As a bonus, when the process is done right, the same work covers NIST CSF as well.

One Framework to Rule Them All

As a compliance professional, you may think that additional requirements make attaining compliance more complex and challenging.

Well, you wouldn’t be incorrect.

But it dramatically reduces future effort, improves security, and helps prevent incidents. Because HITRUST CSF maps its controls and requirements to HIPAA, NIST CSF, and many other frameworks and standards such as ISO 27001 and SOC 2, one assessment can feed evidence into all of them.

Want a Better Security Management System?

Track compliance with multiple frameworks simultaneously, including HITRUST CSF, GDPR, CCPA, and FedRAMP, and manage the entire risk and compliance lifecycle with a single tool.

StandardFusion offers software solutions to effectively manage your business’s Governance, Risk, and Compliance (GRC) — especially for tech-focused SMBs. 

We build enterprise-capable software solutions to help support your information security teams by managing compliance, risk management, audits, policies, and other vendor-related activities.

Even a complex framework like HITRUST CSF can be achieved by ensuring proper automation and timely generated insights and reports. Reach out to our team to learn more!