HIPAA / HITECH / HITRUST CSF Security Standards

With more than 13 years of expertise in securing Microsoft cloud solutions, the Project Hosts security team understands the exact control responses, technical implementations, and evidence required to demonstrate full SaaS compliance with the HIPAA and HITRUST CSF standards for an environment built on Microsoft Azure IaaS.

Neither HIPAA nor its amendment (HITECH) has an official compliance certification from its governing body. The way most organizations demonstrate HIPAA compliance is to include HIPAA policies and evidence in the annual third-party assessment of a related standard that does have an official certification. For example, Microsoft Azure includes HIPAA policies in its annual ISO 27001 audit, and AWS includes HIPAA policies in its annual FedRAMP (NIST 800-53) assessment. For the latter, NIST 800-66 provides guidance on mapping HIPAA controls to NIST 800-53 controls.

HITRUST CSF is an emerging standard for the healthcare industry that incorporates HIPAA requirements in a more prescriptive manner. Like ISO 27001 and FedRAMP, HITRUST certifies third-party auditors, who can then confer an official certification of compliance on an organization.

In addition to third-party certifications, both HIPAA and HITRUST offer self-assessments that can be used to verify compliance with those standards.