HIPAA & HITRUST Healthcare Security Standards
Neither HIPAA nor its amendment (HITECH) have official compliance certifications by their governing bodies. Most organizations demonstrate HIPAA compliance by including HIPAA policies and evidence in annual third party assessments of a related standard that has an official certification. For example, Microsoft Azure includes HIPAA policies in their annual ISO 27001 audit, and AWS includes HIPAA policies in their annual FedRAMP (NIST 800-53) assessment. For the latter, NIST 800-66 provides guidance as to how to map HIPAA controls to NIST 800-53 controls.
HITRUST is a standard that is growing in demand amongst Healthcare CISOs as well as risk managers in the commercial space as a whole. HITRUST incorporates HIPAA requirements and the NIST framework in a more prescriptive manner. Like ISO 27001 and FedRAMP, HITRUST certifies third-party auditors who can then grant an official certification of compliance to an organization. In addition to third-party certifications, both HIPAA and HITRUST have self assessments that can be used to verify compliance with those standards.
SaaS-Level Azure Security Compliance Standards – HITRUST by Domain