SideGuy Solutions
HIPAA vs HITRUST (2026): Law vs Certification — Which Do You Need?

They get pitched as alternatives. They're not — one is the law, the other is the certificate that proves you're following it.

Quick Answer

HIPAA is the US law you must comply with if you handle protected health information — and there is no such thing as a HIPAA certification. HITRUST is a private, certifiable framework that maps to HIPAA (and NIST, ISO, PCI, more); a HITRUST certification is the third-party proof partners actually accept. You don't choose between them: you must comply with HIPAA, and you get HITRUST when partners demand verifiable proof.

Head-to-head comparison

| Dimension | HIPAA | HITRUST |
|---|---|---|
| What it is | A US federal law (Privacy Rule + Security Rule) governing PHI | A private, certifiable security framework (the HITRUST CSF) |
| Mandatory? | Yes — legally required if you handle PHI | No — voluntary, but increasingly demanded by healthcare partners |
| Can you be "certified"? | No — there is no official HIPAA certificate | Yes — HITRUST issues a certification (e1 / i1 / r2) |
| Who enforces / issues | HHS Office for Civil Rights (enforcement, fines, audits) | HITRUST + an authorized external assessor (certification) |
| Rigor | Many requirements are "addressable" — implementation left to you | Prescriptive, scored controls — maps HIPAA to specific, assessable requirements |
| Proof to partners | A self-claim ("we're HIPAA compliant") with no independent artifact | A third-party-assessed, verifiable certificate |
| Covers beyond HIPAA? | No — HIPAA only | Yes — folds in NIST, ISO 27001, PCI DSS, state laws, and more |
| Levels | N/A — it's a regulation, not a tiered cert | e1 (~44 controls), i1 (~182), r2 (comprehensive, risk-tailored) |
| Best thought of as | The floor you must legally meet | The certified proof that you meet it (and more) |

If a partner asks you to be "HIPAA certified," what they actually accept is a HITRUST certification or a SOC 2 scoped to the HIPAA Security Rule — because no HIPAA certificate exists. Text PJ if you're unsure what your customers really want.

The honest verdict

This is the comparison people get most wrong, because they're framed as a choice — and they aren't. HIPAA is the law. If your business creates, receives, stores, or transmits PHI (as a covered entity or a business associate), you are legally obligated to comply, full stop. There's no opting out and no certificate to earn — you implement the Privacy and Security Rules, sign Business Associate Agreements, and the HHS Office for Civil Rights can audit and fine you if you don't.

HITRUST is how you prove it. The problem with "we're HIPAA compliant" is that it's a self-claim — a sophisticated healthcare buyer has no way to verify it, and many have been burned. So they increasingly require a HITRUST certification: a prescriptive, scored, third-party-assessed framework that maps HIPAA's addressable requirements to specific controls (and layers in NIST, ISO, PCI). A HITRUST cert is a credential a partner can trust without taking your word for it. That's why it's becoming the de-facto entry ticket to enterprise healthcare contracts.

My operator take: you don't pick — you sequence. Get genuinely HIPAA compliant first (it's the legal floor and the foundation HITRUST is built on). Pursue HITRUST when a real healthcare partner is gating a deal on it — and start at the level they require, which is usually i1, stepping up to r2 only for high-risk PHI. If you're earlier-stage and a customer just wants "security assurance," a SOC 2 scoped to the HIPAA Security Rule is often the faster, cheaper proof — see HIPAA vs SOC 2: which first.

Best for — pick your scenario

HIPAA (required): You touch PHI in any form
Covered entity or business associate — if PHI flows through you, HIPAA compliance is legally mandatory. This is the floor, not a choice.

HIPAA (don't chase a cert): Someone's selling you "HIPAA certification"
There's no official HIPAA certificate. If a vendor sells you one, it's training or a self-assessment — not what enterprise partners verify against.

HITRUST: Healthcare enterprise is gating a deal
A payer, health system, or large partner won't sign without verifiable proof. "We're HIPAA compliant" won't cut it — they want a HITRUST certificate.

HITRUST (start at i1): You want the certification most accept
The i1 (~182 controls) is the moderate, one-year cert most procurement teams accept. Step to r2 only for high-risk PHI environments.

Both (sequence them): Serious healthcare vendor
Be HIPAA compliant (the legal foundation) AND HITRUST certified (the proof). Do HIPAA first; layer HITRUST when a partner requires the credential.

SOC 2 instead (for now): Early-stage, buyer wants "security assurance"
If the ask is general security trust rather than a HITRUST mandate, a SOC 2 scoped to the HIPAA Security Rule is often the faster, cheaper proof to start with.

Confused about what your healthcare partner actually wants?

Text PJ — a real human, honest answer, no sales pitch. Tell me what you build, whether you touch PHI, and who's asking for what, and I'll tell you straight whether it's HIPAA alone, HITRUST, SOC 2, or a sequence — and roughly what each costs.

Text PJ for the honest read · 858-461-8054

Frequently asked questions

What is the difference between HIPAA and HITRUST?
HIPAA is a US federal law (the Privacy Rule and Security Rule) that anyone handling protected health information (PHI) must comply with — it's mandatory, and there is no official 'HIPAA certification.' HITRUST is a private, certifiable framework (the HITRUST CSF) that maps to HIPAA and many other regulations and standards; you can be HITRUST certified, and that certification serves as third-party proof that your security program meets HIPAA's requirements and more. In short: HIPAA is the law you must follow; HITRUST is the certificate that proves you're following it.
Can you be HIPAA certified?
No — there is no official HIPAA certification from the government. HIPAA is a regulation; you comply with it, and the HHS Office for Civil Rights enforces it, but no body issues a 'HIPAA certified' stamp. Vendors who claim to be 'HIPAA certified' are usually pointing to a third-party assessment or training. If a partner wants verifiable proof of your HIPAA posture, what they actually accept is a HITRUST certification or a SOC 2 report scoped to the HIPAA Security Rule — not a HIPAA certificate, because none exists.
Do I need HITRUST if I'm already HIPAA compliant?
Not legally — HIPAA compliance is the requirement, and you can be fully HIPAA compliant without HITRUST. But increasingly, healthcare enterprises and payers will not contract with a vendor unless they can show HITRUST certification, because 'we're HIPAA compliant' is a self-claim with no independent proof. HITRUST gives them a certifiable, third-party-assessed artifact. So you need HITRUST when your healthcare customers demand verifiable assurance — which is more and more common — not because the law requires it.
Is HITRUST harder than HIPAA?
HITRUST is more rigorous because it's a prescriptive, scored, certifiable framework, while HIPAA's Security Rule is largely 'addressable' and leaves implementation to your judgment. HITRUST takes HIPAA's requirements and turns them into specific, assessable controls (and folds in NIST, ISO, PCI, and more). So HITRUST certification proves HIPAA compliance plus a broader security baseline — it's harder to achieve, which is exactly why partners trust it as evidence. HIPAA compliance is the floor; HITRUST is the certified, higher bar.
HITRUST e1, i1, or r2 for HIPAA?
All three HITRUST assessment types demonstrate strong security, but partners asking for 'HITRUST certified' to satisfy HIPAA expectations usually mean i1 or r2. The e1 (~44 controls) is an entry-level, foundational assessment; the i1 (~182 controls) is the moderate, one-year certification most procurement teams accept; the r2 is the comprehensive, risk-tailored, two-year gold standard for high-risk PHI environments. Start at the level your specific healthcare customers require — most land on i1.