Think You’re HIPAA Compliant? You May Not Be—and Even If You Are, It’s Probably Not Enough to Protect Patient Data

A version of this article was previously published in Washington Healthcare News on May 8, 2018.

Many health care organizations believe they're HIPAA compliant. But HHS doesn't recognize any HIPAA certification, so gaps in an organization's controls often come to light only after a breach has been discovered.

As cyberattacks on health care organizations continue to increase, understanding how to secure sensitive data is essential. In 2017, for example, at least 342 providers were affected by an attack, according to the HIPAA Journal. Implementing cybersecurity best practices is no longer optional: the HIPAA Security Rule already requires organizations to assess risk and apply safeguards proactively, rather than react after a breach has occurred.

One option is the HITRUST CSF®, a comprehensive, certifiable framework for protecting sensitive information. It gives health care organizations a more robust and more prescriptive set of controls, which reduce the likelihood and impact of successful attacks and can be used to demonstrate that the organization's controls satisfy HIPAA requirements.

HIPAA Challenges

It's a common misconception among health care providers that maintaining HIPAA compliance protects patient data from most cyberthreats.

HIPAA compliance on its own often isn't enough to protect patient data. Attacks keep growing more sophisticated, and the network perimeter many organizations once relied on is eroding as they move to cloud-based environments, connect Internet of Things (IoT) devices, and allow mobile device use. And because no HIPAA certification exists, organizations are left to judge for themselves whether their controls actually satisfy HIPAA requirements.

HIPAA itself was enacted in 1996, and the Security Rule that implements its safeguards was finalized in 2003 and deliberately written to be technology-neutral. The result is a set of information security requirements that predates, and says nothing specific about, risks such as ransomware, cloud computing, mobile devices, outsourced IT, and IoT.

Security Safeguards

While the HIPAA Privacy Rule applies to all protected health information (PHI), on paper or in electronic form, the Security Rule deals specifically with electronic protected health information (ePHI).

In addition to organizational requirements and documentation of policies and procedures, the Security Rule lays out three types of safeguards required for compliance:

  • Administrative: the actions, policies, and procedures that govern how the organization selects, implements, and maintains its security measures and manages workforce conduct, including the required risk analysis and risk management process
  • Physical: controls over physical access to the systems, facilities, and equipment that hold ePHI
  • Technical: technology-based controls, and the policies for their use, that manage access to systems containing ePHI and protect ePHI in transit (the Security Rule's technical standards cover access control, audit controls, integrity, person or entity authentication, and transmission security)

Despite the many standards and implementation specifications in these three categories, the Security Rule offers little prescriptive guidance on how to implement the controls. Many implementation specifications are "addressable" rather than required, and compliance is measured against phrases such as "reasonable and appropriate safeguards" and "adequate protection," which leave much to interpretation.

Given that ambiguity, it's likely that many organizations that have suffered breaches believed they were in compliance with the HIPAA Security, Privacy, and Breach Notification Rules at the time.

The US Department of Health and Human Services (HHS) doesn't offer a HIPAA certification either. Whether an organization is compliant is determined only when the HHS Office for Civil Rights (OCR) investigates a complaint or breach or selects the organization for audit. The result is an inconsistent application of HIPAA standards across the industry, leaving many organizations unsure whether they're compliant and whether their data is properly secured.

How the HITRUST CSF Can Help

The HITRUST CSF was developed specifically for the health care industry in 2007. It is updated regularly so that its prescriptive requirements keep pace with new technologies, and it is designed to improve both an organization's regulatory compliance and its risk management practices.

In January 2018, HITRUST® released the latest interim version of the CSF, v9.1. It provides clearer, more specific guidance on implementing security controls by drawing control objectives and guidance from the HIPAA Security Rule as well as from other frameworks, standards, and regulations, including:

  • COBIT 5
  • ISO/IEC 27002:2013
  • General Data Protection Regulation (GDPR)

The HITRUST CSF adds clarity by giving organizations specific, actionable control specifications to implement, which makes it possible to assess whether data is actually protected rather than whether a vaguely worded standard has been met.

Control Categories

Because it draws on multiple frameworks, the HITRUST CSF lets health care organizations manage a broader range of controls. Its 14 control categories are:

  • Information security management program
  • Access control
  • Human resources security
  • Risk management
  • Security policy
  • Organization of information security
  • Compliance
  • Asset management
  • Physical and environmental security
  • Communications and operations management
  • Information systems acquisition, development, and maintenance
  • Information security incident management
  • Business continuity management
  • Privacy practices


While HHS doesn't offer a certification of HIPAA compliance, HITRUST does offer HITRUST CSF Certification. To be certified, an organization must meet, at a minimum, 75 of the 149 HITRUST CSF control specifications, a set that covers the HIPAA Security Rule.

HITRUST strongly recommends a self-assessment, or a readiness assessment by a third party, before starting the formal certification process. These assessments verify that every control specification needed for certification has been implemented and is operating effectively before an external assessor tests it.

Why It Matters

The value of HITRUST CSF Certification has grown substantially, and it is increasingly recognized within the industry as a trusted indicator of an organization's IT controls.

Because of that recognition, certification can be used to demonstrate to patients, customers, and business partners that the organization's controls have been independently assessed. Two caveats apply: the certification covers only the systems in scope for the assessment, and it attests to control effectiveness at a point in time, so it doesn't guarantee that a breach won't occur.

And because the process requires controls, supporting processes, and documentation to be current and readily available, certification can also reduce the time required for other audits and assessments.

We’re Here to Help

To learn more about how a HITRUST CSF assessment can help protect your organization from cyberthreats, contact your Moss Adams professional.
