
Mapping HealthTech Compliance
Finding Your Best Path to Comprehensive Compliance
This curated collection of content will help you build a roadmap to pursue the best frameworks for your company and know when to leverage them. Plus, learn how to accomplish more of your compliance goals from a single assessment.

00. Your compliance roadmap
Compliance for HealthTech
Are you "compliant enough"? Startups to mature HealthTech companies (and everywhere in between) can struggle to answer that question.
With so many frameworks to choose from, you must get your compliance program right from Day 1. With the average healthcare data breach costing over $10 million¹, mistakes can be costly.
The following content will guide your HealthTech company towards its ideal compliance posture and set you up to build and execute a strategic compliance roadmap for your company.
Read on for more helpful information, or contact one of our experts if you're ready to get started!
Achieving compliance across multiple frameworks enhances your company's trustworthiness and credibility among customers, partners, and regulatory bodies in the market and sales process.
Zach Rutz | Manager, HITRUST Assurance
01. Understand your frameworks
Which frameworks are best for your organization?
When it comes to healthcare compliance for small and mid-sized companies, the most impactful certifications and/or attestations to start with are SOC 2, HIPAA, and HITRUST (or a combination of the three).
Because HealthTech companies handle vast amounts of highly sensitive data, they face more potential risks than other industries. Healthcare organizations are constantly hit with cyberattacks that leak this sensitive patient information and cost companies thousands—if not millions—of dollars and put their reputations on the line.
This free guide breaks down SOC 2, HIPAA, and HITRUST and how they can augment your HealthTech compliance program and protect your organization from hefty fines and reputational damage.
Comparing SOC 2, HIPAA, and HITRUST
SOC 2
According to the American Institute of Certified Public Accountants (AICPA), SOC 2 (Service Organization Control) aims to provide service management, user entities, business partners, and other parties with information about controls at the service organization relevant to security, availability, processing integrity, confidentiality, or privacy to support users’ evaluations of their own systems of internal control.
Where does SOC 2 fit in?
There is a significant overlap between SOC 2 and HITRUST e1 — as much as 90%. You can save your organization time and money by doing your SOC 2 and HITRUST e1 with a single audit. If you work with health plans or hospital systems (or plan to in the future), the HITRUST e1 is a valuable stepping stone toward achieving your HITRUST r2.
HIPAA
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US law that outlines how protected health information (PHI) can be stored, used, and disseminated, providing civil and criminal penalties for violations.
Where does HIPAA fit in?
HIPAA is different from the other frameworks in that it's not a framework at all. Rather, it's a set of rules required by law if you're handling a certain type of information, called PHI, in a certain way. Following HIPAA rules is not voluntary. Obtaining a SOC 2 report is often done in tandem, as that is what will be required to close deals, especially larger enterprise ones. There is enough overlap between SOC 2 Trust Services Criteria (TSC) and HIPAA that it's worth considering completing both at the same time as the most efficient use of your company's resources.
HITRUST
The HITRUST Common Security Framework (CSF) is a globally utilized and recognized framework with dozens of authoritative sources covering multiple industries. The CSF unifies and harmonizes many authoritative sources, pre-existing security regulations, and frameworks—such as NIST, HIPAA, ISO 27001, FedRAMP, PCI DSS, GDPR, and dozens of others. There are three levels of certification with varying levels of assurance: e1, i1, and r2.
How does HITRUST fit in?
HITRUST is one of the newer frameworks to emerge and is quickly becoming the 'gold standard' in regulated compliance—and not just in HealthTech. HITRUST has greatly reduced the barrier to entry with the new e1 assessment, which has only 44 controls in both Year 1 and Year 2. With significant overlap with SOC 2 (up to 90%!), achieving HITRUST e1 and SOC 2 simultaneously with one audit is a no-brainer.
You get the highest level of assurance by achieving your HITRUST r2 certification. The HITRUST CSF framework covers more than 40 authoritative sources – so one r2 certification report may cover multiple needs.

Not sure where to start?
Build your custom roadmap
Thoropass can build a custom roadmap to help your telehealth, value-based care, or population health company achieve multiple compliance goals with a single audit.
Director of Compliance and CISO, Jay Trinckes, on best practices to maintain continuous compliance.
02. SOC 2 for HealthTech
Achieving and maintaining SOC 2
Embarking on the journey to achieving SOC 2 can be challenging—then monitoring and maintaining it is another hurdle entirely.
HealthTech companies deal with the added challenge of navigating all of this within a highly regulated industry, from managing a complex procurement process to having to prove your compliance posture to partners with extensive third-party risk assessments.
We know SOC 2 isn’t a one-size-fits-all approach, and businesses implement and maintain SOC 2 in various ways. As a first step, it’s important to ensure that all your boxes are checked. As a next step, you’ll need to understand how to customize your SOC 2 journey to ensure your HealthTech company maintains continuous compliance.
SOC 2 SUCCESS STORY
SOC 2 helps drive shortened sales cycles in a highly regulated space
AcuityMD is in the MedTech space, so if anyone understands navigating enterprise procurement in a highly regulated space, it’s their CEO, Michael Monovoukas. By achieving SOC 2, they ensured they didn’t leave any deals on the table.
03. HIPAA compliance
HIPAA compliance for HealthTech
You’re likely already aware that HIPAA, or the Health Insurance Portability and Accountability Act, protects patient privacy and keeps patient data safe. HIPAA sets national security and privacy standards for protected health information (PHI) and is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services.
You may not know how HIPAA maps to other frameworks like SOC 2 and HITRUST. There is significant overlap between HIPAA rules, SOC 2 Trust Services Criteria, and HITRUST CSF controls. HealthTech organizations can take advantage of this overlap by satisfying more than one certification or attestation with a single audit². For example, if you pursue SOC 2, you'll be 80-90% of the way to achieving your HITRUST e1 certification as well!
Consolidating audits for multiple frameworks and certifications into one process is more efficient and cost-effective. It reduces the need for multiple audit cycles, which can be time-consuming, disruptive, and expensive.
Zach Rutz
Manager, HITRUST Assurance
HIPAA Privacy and Security Rules
The HIPAA Privacy and Security Rules fall under HIPAA's Administrative Simplification provisions. They are broken up into three different rules: the Security Rule, the Privacy Rule, and the Breach Notification Rule.
HIPAA Security Rule or HIPAA-S
The purpose of the HIPAA Security Rule³ is to safeguard PHI through the implementation of administrative, physical, and technical measures. It applies to both Covered Entities and Business Associates.
HIPAA Privacy Rule or HIPAA-P
The purpose of the HIPAA Privacy Rule⁴ is to protect privacy and PHI and set conditions on the uses and disclosures that may be made with PHI without an individual's authorization. It applies to Covered Entities.
Breach Notification Rule
Once part of the Privacy Rule, the Breach Notification Rule defines a breach and what to do if it occurs. This rule details who needs to be notified, how, and when. It applies to both Covered Entities and Business Associates.
Guide to HIPAA compliance
Understand HIPAA compliance for your business
Depending on the age and stage of your business, you may need HIPAA Security, HIPAA Privacy, or both. Download the guide to understand what your company must follow (and what happens if you don’t).
04. HITRUST
HITRUST vs. HIPAA
While HITRUST is not a government regulation, it’s based on many regulatory and industry standards, including HIPAA. Obtaining HITRUST certification requires a more comprehensive set of requirements and a more thorough evaluation process than HIPAA—that’s why many refer to it as the ‘gold standard’ in healthcare tech compliance⁵.
Whether or not you need HIPAA, HITRUST, or a combination of the two will depend on the type of data you process and the type of vendors and customers you work with.
As mentioned, HIPAA is a federal regulation setting standards for safeguarding protected health information, and compliance with it is essentially self-reported. HITRUST, by contrast, is a voluntary third-party certification you can obtain to demonstrate your organization’s commitment to protecting sensitive information, and it can therefore carry more weight if you do business with health plans or hospital systems.
See how HITRUST and HIPAA compare by downloading the PDF.
HITRUST eBook
HITRUST as a business differentiator
HITRUST is becoming the most globally recognized way for HealthTech companies to show they proactively manage security risks and comply with industry standards and leading practices for information security. In many cases, it's a requirement to do business.
Download this free guide for a deep dive on how your HealthTech company can leverage HITRUST to stay ahead of the curve.
The HITRUST certification includes three types of assessment, each with unique requirements and timelines. The following explains each one to help you decide how to get started.
HITRUST Essentials, 1-Year (e1) Assessment
The e1 assessment is the newest of the three and covers basic foundational cybersecurity practices. The e1 includes the fewest CSF requirements (44) for both year one and year two.
If you already have or plan to achieve your SOC 2 attestation, you’ve already done 90% of the work that you’ll need for the HITRUST e1.
This makes SOC 2 + HITRUST e1 an excellent framework mix for emerging HealthTech companies that will need to prove higher levels of security in the future.
Aligned to Authoritative Sources: CISA Cyber Essentials, Health Industry Cybersecurity Practices for Small Healthcare Organizations, NIST SP 800-171 Basic Requirements, NIST IR 7621
Year 1 requirements: 44
Year 2 requirements: 44
Level of assurance: Low
HITRUST Implemented, 1-Year (i1) Validated Assessment
The HITRUST i1 Assessment provides reliable measurements and moderate assurance against a broader set of cybersecurity controls than the e1. The i1 includes 182 HITRUST CSF requirements for year one and about 60 additional requirements in year two (with rapid recertification). This certification protects against both current and emerging threats and can help you meet both contractual and compliance obligations. It can help you ensure that your business partners use appropriate security practices to protect information reliably, and it establishes a meaningful benchmark for third-party service providers. It can also provide you with a certification while your organization works on an r2 assessment, functioning as a stepping stone to the next level of assessment.
Aligned to Authoritative Sources: Health Industry Cybersecurity Practices for Medium-Sized Organizations, HIPAA Security Rule, and NIST SP 800-171 (Basic and Derived Requirements)
Year 1 requirements: 182
Year 2 requirements: 60
Level of assurance: Medium
HITRUST Risk-based, 2-Year (r2) Validated Assessment
The HITRUST r2 Assessment is the most stringent of the three assessments. It entails rigorous control requirements, in-depth review, and consistent oversight to provide what is considered the gold standard for information protection assurances. The r2 includes approximately 200+ HITRUST CSF requirements for year one (on average) and typically between 19 and 35 additional requirements in year two, depending on a variety of factors. It includes thorough policy and procedure consideration, while the other two assessments do not.
The r2 offers risk-based control selection that is flexible and can be tailored to help organizations meet the most stringent risk and compliance factors, offering assurances over specific authoritative sources or international requirements. This certification is appropriate for organizations processing significant amounts of sensitive data and personal information.
If your organization requires a NIST Scorecard Report or HIPAA compliance, you may be able to save a lot of time, money, and human resources by reusing r2 evidence automatically.
Aligned to Authoritative Sources: NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, PCI DSS, GDPR, and dozens of others
Year 1 requirements: 220+
Year 2 requirements: 19+ (19-35 on average)
Level of assurance: High
The ability to demonstrate compliance across multiple, trusted frameworks has become table stakes for effective entry and growth within the HealthTech industry.
Zach Rutz | Manager, HITRUST assurance
05. Get your custom roadmap
Thoropass is the most experienced and qualified partner for any HealthTech company pursuing SOC 2, HIPAA, HITRUST (and more!).
With our in-house auditors, you’ll be able to achieve multiple frameworks with a single audit—with no surprises along the way.
"If my previous audits were offered to me for free—I’d still pay for Thoropass."

Josh Horowitz
CTO, Stylo

Sources
1. IBM Cost of a Data Breach Report
3. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
4. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
5. https://medcitynews.com/2022/05/why-digital-health-companies-should-be-hitrust-certified/