What is HITRUST Certification and Why Does It Matter So Much for Healthcare Marketing?
As a healthcare professional, you are almost certainly familiar with the Health Insurance Portability and Accountability Act (HIPAA) and the rules you must follow under it. HITRUST, however, is not as well known, so you may be asking yourself, “What is HITRUST certification anyway, and how does it affect me, my practice and our marketing efforts?”

To start with, HITRUST is the acronym for the Health Information Trust Alliance, and certification against its Common Security Framework provides healthcare practices, their patients and their partners with a higher level of trust in the security of data.

Let us answer a few common questions for you.

What is HITRUST certification?

The HITRUST Common Security Framework (HITRUST CSF) is a widely recognized framework designed to help organizations manage risk and compliance with industry-specific security standards and regulations. It primarily focuses on protecting sensitive health information but is also applicable to other types of sensitive data.

HITRUST incorporates various standards to provide a comprehensive set of security and privacy controls. HITRUST also helps organizations manage risks by ensuring that appropriate security measures are in place.

In order to obtain certification, organizations undergo a rigorous assessment process conducted by a HITRUST-approved assessor, who evaluates the implementation and effectiveness of security controls. Organizations must also undergo annual audits in order to be recertified.

Achieving HITRUST certification demonstrates an organization's commitment to safeguarding sensitive information and meeting high standards of information security and compliance.

HITRUST gathers more than 40 control objectives and groups them into 19 control categories, totaling 845 guidelines overall. The result is a common security framework for risk management and a way to streamline protocols, regulations, and checks and balances.

Each entity seeking certification must follow many of the 845 guidelines to earn HITRUST certification. For example, Phoenix Innovate uses Version 9.3 of the framework. Based on the scope of our environment, we must comply with 240 controls derived from these 19 assessment domains in order to maintain HITRUST certification.

How is HITRUST related to HIPAA?

HIPAA is one of many factors included in the common security framework. HIPAA outlines the rules, and the HITRUST framework details how to comply with them. HITRUST has processes in place to confirm that organizations are effectively managing data covered by HIPAA.

In other words, HIPAA compliance states that you have certain behaviors to follow as you manage data, and HITRUST makes you prove that you’re doing it.

A signed business associate agreement outlines data security protocols to protect patients, and it can protect healthcare practices and their marketing solutions providers in the event of a breach.

What is the value of using a HITRUST-certified provider for healthcare marketing?

On average, there is a new identity theft victim in the U.S. every two seconds, according to the U.S. Consumer Protection Team.

The release of data from any type of business can be devastating for the affected individuals and the business. In the healthcare space, however, that data is more extensive and personal. It could include patients’ blood types, details about medical procedures, financial records, Social Security numbers, family members’ contact information and much more.

A data breach could also result in monetary losses, damage to the business’s reputation, the need to shut down systems or possibly the entire business, and an extensive amount of time spent on immediate and follow-up remediation. After a breach, businesses may legally be required to report it within a certain number of days, as well as communicate it to the public, affected individuals and stakeholders, depending on the extent of the breach, how many people it affects and the type of data that was stolen or released.

Most businesses have some protections in place, but a HITRUST-certified healthcare marketing provider will take every necessary precaution to protect clients’ data. HITRUST-certified business associates such as Phoenix Innovate consider every possible way that data could be compromised in order to secure it both digitally and physically. We anticipate the avenues cyberthieves could use and close them before an attacker can get anywhere. In the rare event that a problem does occur, we have protocols in place to minimize the effects and remediate them as soon as possible.

Covered entities under HIPAA not only gain peace of mind by working with HITRUST-certified marketing providers, but they can also protect themselves financially and legally. If a covered entity’s business associate experiences a data breach and that business associate did not take the necessary precautions to protect data, the covered entity could be liable. For that reason, many covered entities now ask business associates to sign agreements that outline the safety protocols the business associate will implement.

Because Phoenix Innovate is a HITRUST-certified provider, we sign business associate agreements that acknowledge our efforts to safeguard clients’ data. Because we are one of very few marketing solutions providers with HITRUST certification, clients take comfort in knowing they can trust us with this sensitive information and that we are willing and able to sign that required document.

Is HITRUST only relevant to healthcare?

It started out that way, but that is no longer the case. Other frameworks are built into it that support the needs of other industries.

Industries that HITRUST is applicable to include:

  • Healthcare: Hospitals, clinics, insurance companies and any other entities handling protected health information, such as business associates
  • Pharmaceuticals and Life Sciences: Companies involved in drug development, manufacturing and research
  • Financial Services: Banks, credit unions and financial institutions that manage sensitive customer data
  • Technology: Cloud service providers, IT companies and software developers that handle sensitive data or provide services to the healthcare industry
  • Insurance: Companies offering health, life and other types of insurance
  • Business Associates: Organizations that provide services to covered entities and handle PHI, such as billing companies, marketing solutions providers, third-party administrators and data analytics firms
  • Government Agencies: Departments and agencies dealing with public health information or collaborating with the private healthcare sector

HITRUST standards apply to several types of businesses, including insurance providers, financial institutions, business associates, government agencies and pharmaceutical developers and manufacturers.

What is the difference between the HITRUST and the NIST common security frameworks?

The National Institute of Standards and Technology (NIST) publishes multiple frameworks that help organizations achieve their cybersecurity goals. NIST is part of the U.S. Department of Commerce, and compliance with its frameworks is a requirement of many government and military contracts.

HITRUST offers a unified approach to managing multiple compliance frameworks. Applicable NIST frameworks are included within the HITRUST framework, as are International Organization for Standardization (ISO), General Data Protection Regulation (GDPR) and Payment Card Industry (PCI) standards and regulations. The HITRUST CSF is therefore a more comprehensive framework than NIST, and, essentially, an organization that follows HITRUST protocols is following the applicable NIST protocols as well.

Another difference is that you can obtain HITRUST certification, whereas the NIST frameworks offer no certification.

What is the difference between HITRUST and SOC 2?

HITRUST has a more specific focus on the healthcare industry and is more comprehensive, although some of its standards apply to various industries. The American Institute of Certified Public Accountants’ System and Organization Controls 2 (SOC 2) is more general and applicable to a broader range of industries. Additionally, HITRUST offers certification, whereas SOC 2 is a third-party attestation opinion without a certification option.

In many cases, marketing agencies relied on SOC 2 before the HITRUST standard was developed, using a certified SOC 2 auditor to review their security systems and provide their SOC 2 “attestation.” The Health Information Trust Alliance and its certification program were founded in 2007 in response to the growing need for data security in the marketplace. The framework was designed by taking the requirements of multiple reporting agencies and synthesizing them into one set of protections that is clear and consistent.

Regardless of which certifications they hold, providers are audited to ensure that they are following the respective processes. Compared with SOC 2, however, HITRUST covers more of the solutions the marketplace demands today.

Your Data Security Questions Answered

Data security standards, protocols and implementations can be very complex and detailed, and we follow many of them here at Phoenix Innovate. If you need more information about what HITRUST certification is and how it applies to healthcare marketing, contact a member of our business development team.

When you contact us, we can discuss the security standards and solutions that will give you peace of mind and help you achieve your goals. We can also tell you more about our digital and direct marketing solutions and the proprietary technologies we have designed, such as our Inform 247—HITRUST Certified platform, which securely transmits and manages data as it travels through our organization to the USPS.

Contact us for additional information or to schedule a meeting with a member of our team!

John Holloway

Vice President – IT Infrastructure & Security

Phoenix Innovate

Mark M Gaskill

EVP of Marketing Solutions