HIPAA vs HITRUST: Which Certification Do You Need?
The HIPAA vs HITRUST question trips up almost every healthcare technology buyer. They sound like two competing certifications you have to choose between. They are not.
HIPAA is a federal regulation that any organization handling protected health information (PHI) must comply with. HITRUST is a voluntary certification program that proves you comply with HIPAA and roughly 40 other frameworks at the same time. This HIPAA vs HITRUST guide explains the real difference, when each certification matters, and how the two work together for healthcare-adjacent companies pursuing serious enterprise contracts.
If you are a SaaS company selling into hospital systems, an MSP supporting medical practices, or a digital health startup raising a Series A, you have likely been asked to "show your HITRUST" by a prospect's procurement team. That request is shorthand for "prove your HIPAA program is real, audited, and trustworthy." The HITRUST CSF (Common Security Framework) is the most common way enterprise health buyers vet that.
If you are still figuring out HIPAA basics, start with the HIPAA compliance guide. For the technical control side, see the HIPAA security rule technical safeguards checklist. If you are weighing HIPAA against SOC 2 instead, read HIPAA vs SOC 2 for a different decision framework.
HIPAA vs HITRUST: starting from definitions
The HIPAA vs HITRUST distinction starts with what each thing actually is.
What HIPAA actually is
The Health Insurance Portability and Accountability Act of 1996 is United States federal law. It governs how covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates handle PHI. The HIPAA Privacy Rule and the HIPAA Security Rule are the two enforcement-heavy parts. The Privacy Rule sets the limits on how PHI can be used and disclosed. The Security Rule sets administrative, physical, and technical safeguards for electronic PHI.
HIPAA is not a certification. There is no official HIPAA certificate. The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces HIPAA after the fact, usually triggered by a breach, a complaint, or a random audit. Penalties run from $137 per violation up to $2,067,813 per violation per year for the most severe tier (2024 inflation-adjusted figures from HHS), with criminal penalties for willful neglect.
What HIPAA gives you is a legal obligation and a list of required safeguards. What it does not give you is a clean way to prove to a prospect, partner, or insurer that you are actually doing the work. That gap is exactly what HITRUST fills.
What HITRUST actually is
HITRUST is a private organization (the HITRUST Alliance) that publishes the HITRUST CSF, a control framework that maps to HIPAA, NIST 800-53, ISO 27001, PCI DSS, GDPR, and roughly 40 other authoritative sources. When you get HITRUST certified, an external HITRUST-authorized assessor evaluates your controls against the CSF and HITRUST validates the report.
There are three certification tiers as of 2024:
- HITRUST e1 (Essential): A 1-year certification covering 44 controls, designed for low-risk vendors and earlier-stage companies. Roughly $25K to $40K all-in for the first year.
- HITRUST i1 (Implemented): A 1-year certification covering 182 controls. The mid-tier path, popular with growth-stage SaaS. Roughly $60K to $90K for the first year.
- HITRUST r2 (Risk-based, 2-year): The flagship certification, 200+ to 2,000+ controls depending on scoping, valid for 2 years with an interim assessment in year 2. This is the certification enterprise health buyers usually mean when they say "HITRUST." Roughly $100K to $250K+ all-in.
HITRUST gives you a third-party-validated certificate that your security and privacy program meets a defined bar. Hospital systems, payers, and large pharma companies treat that certificate as the cost of doing business in their procurement process.
HIPAA vs HITRUST: the side-by-side
| Dimension | HIPAA | HITRUST |
|---|---|---|
| What it is | US federal regulation | Private certification program |
| Required by law? | Yes, if you handle PHI | No, voluntary |
| Issuing body | HHS Office for Civil Rights | HITRUST Alliance |
| Certificate? | No official certificate | Yes, 1-year (e1, i1) or 2-year (r2) |
| External audit? | Not required, but recommended | Required by HITRUST-authorized assessor |
| Control count | ~50 specified safeguards | 44 (e1), 182 (i1), 200-2,000+ (r2) |
| Frameworks covered | HIPAA only | HIPAA + ~40 others (NIST, ISO, PCI, etc.) |
| Cost | Internal program cost only | $25K-$250K+ depending on tier |
| Timeline | Ongoing obligation | 9-18 months for first certification |
| Enforcement | OCR investigations + fines | Loss of certification, contract loss |
| Who asks for it | Federal regulators | Hospitals, payers, large enterprises |
The cleanest way to think about this: HIPAA tells you what to do. HITRUST tells the world you actually did it.
When you need HIPAA only

If you fall into any of these buckets, HIPAA compliance alone is probably enough:
- You are a covered entity (a healthcare provider, payer, or clearinghouse) that does not contract with hospital systems or large payers as vendors.
- You are a small business associate (a SaaS or service provider handling PHI) selling to small medical practices, dental groups, or independent clinics. These buyers typically accept a signed BAA plus a HIPAA self-attestation.
- You are pre-revenue or under $1M ARR and your roadmap shows no enterprise health deals in the next 12 months.
- Your customer contracts and BAAs do not mention HITRUST.
For startups, SMBs, and small business associates, the HIPAA program is the work. You document policies, train staff, sign business associate agreements with vendors, perform an annual risk assessment, and put technical safeguards in place. See the HIPAA risk assessment guide for the methodology and the HIPAA training requirements post for the workforce side.
The cost of staying inside HIPAA-only is low. The cost of getting it wrong is not. The OCR resolution agreements page shows multimillion-dollar settlements every year for breaches that traced back to missing risk assessments or unencrypted laptops.
When you need HITRUST
You need HITRUST (usually r2, sometimes i1) when:
- Your prospect's procurement, security, or vendor risk team explicitly asks for it.
- You are signing a master services agreement with a hospital system, large payer (Aetna, UnitedHealthcare, Anthem, etc.), or large pharma company.
- Your contract value is high enough that the buyer is required by their own internal policy to vet you to a third-party-validated standard.
- You operate at scale (millions of patient records, hundreds of provider customers) and need a defensible posture.
The trigger is almost always external, not internal. Companies do not pursue HITRUST because they want to. They pursue it because a $200K, $1M, or $10M deal told them to.
HITRUST is built on top of HIPAA
A common misconception is that HITRUST replaces HIPAA. It does not. A HITRUST-certified company is still subject to HIPAA enforcement by OCR. The HITRUST CSF is a way to organize, document, and prove the same set of safeguards HIPAA requires, plus controls from many other frameworks. The HITRUST report can be used as evidence in an OCR investigation, but it does not give you legal immunity.
Some practical implications of this layering:
- A HITRUST r2 audit will produce evidence that satisfies most HIPAA Security Rule requirements automatically.
- A HITRUST i1 certification covers the most-asked HIPAA controls but leaves gaps in some Privacy Rule areas you must close separately.
- A HITRUST e1 certification covers the fundamentals but is generally not accepted as sufficient by hospital systems for high-risk vendor categories.
- You still need signed BAAs with subcontractors regardless of HITRUST tier. HITRUST does not handle the contractual layer.
For the BAA side specifically, see the HIPAA business associate agreement guide.
How HITRUST relates to SOC 2 and ISO 27001
If you already have SOC 2 Type 2, the move to HITRUST i1 typically takes 6 to 9 months instead of 12 to 18 months. About 70 percent of HITRUST i1 controls overlap with SOC 2 Type 2 if you scoped SOC 2 properly. The SOC 2 audit work is reusable. The HITRUST-specific work is mostly around the privacy controls (which SOC 2 does not require) and the assessor's interpretation rules (which are more rigid than SOC 2).
ISO 27001 maps cleanly to HITRUST too. An ISO-certified ISMS gives you a head start on roughly 60 percent of HITRUST CSF controls. See SOC 2 vs ISO 27001 for the choice between those two as a starting point, and the SaaS compliance frameworks guide for stacking strategy.
HIPAA vs HITRUST decision framework: which do you need?
A pragmatic HIPAA vs HITRUST decision tree for healthcare-adjacent companies:
- Are you handling PHI? If yes, HIPAA compliance is mandatory regardless of size. Build the program now.
- Are you selling to enterprise health buyers? If yes, ask procurement teams what they need. The most common answers, in order: SOC 2 Type 2, HITRUST i1, HITRUST r2. They almost never ask for "HIPAA self-attestation" alone.
- What is the contract value? Below $50K ARR per buyer, SOC 2 + a HIPAA program is usually enough. Above $250K ARR per buyer with a hospital system, HITRUST r2 is typically the bar.
- How fast do you need to be ready? A working HIPAA program: 3 to 6 months. SOC 2 Type 2: add 6 to 12 months. HITRUST i1: add 6 to 9 months on top of SOC 2. HITRUST r2: add 9 to 18 months on top of SOC 2.
- Can you afford to stack? The full stack (HIPAA program + SOC 2 + HITRUST r2) costs $150K to $400K in audit fees plus 1 to 2 full-time-equivalents for the first 18 months. If you cannot afford that, narrow your buyer list to where SOC 2 + a HIPAA self-attestation will close the deal.
The most common pattern for healthcare SaaS: HIPAA program from day one, SOC 2 Type 2 at $1M to $3M ARR, HITRUST i1 at $5M to $15M ARR, HITRUST r2 only when a single deal will pay for it.
What auditors actually want to see
For HIPAA, OCR investigations almost always start with three documents: your most recent risk assessment, your incident response logs, and your training records. If those three are weak, the rest of your program will be too. For OCR enforcement examples and the regulation's official text, see the HHS HIPAA enforcement page.
For HITRUST, the assessor walks through every applicable control and rates implementation maturity on a 5-point scale (Policy, Procedure, Implemented, Measured, Managed). The real differentiator from SOC 2 is the maturity scoring. SOC 2 asks if a control exists. HITRUST asks if it is documented, deployed, measured, and continuously improved.
A few common pitfalls that cost startups months on their first HITRUST audit:
- Policies exist but are unsigned or not version-controlled.
- Training records exist but cannot prove that every employee completed the required modules.
- Risk assessment exists but is over a year old.
- BAAs exist but are missing for some subcontractors.
- Encryption is in place but key management is undocumented.
- Vulnerability scans run but findings are not tracked to remediation.
A working SOC 2 program closes most of these gaps. If you are starting from nothing, expect 12 months of preparation before HITRUST is realistic.
Cost reality check

A rough budget guide for a 25-to-100-person health SaaS in 2026:
- HIPAA-only program (internal cost): $30K to $80K per year for tools, training, and partial-FTE time.
- HIPAA + SOC 2 Type 2: add $25K to $60K per year for the SOC 2 audit and platform.
- HIPAA + SOC 2 + HITRUST i1: add $60K to $90K for first-year HITRUST.
- HIPAA + SOC 2 + HITRUST r2: add $100K to $250K for first-year HITRUST, then ~$60K to $120K per year ongoing.
Compliance automation platforms cut HITRUST preparation time meaningfully. See the best GRC software platforms for vendor options and the Vanta vs Drata vs Secureframe comparison for detail. Vanta and Drata both publish HITRUST-specific modules. Secureframe added HITRUST i1 support in 2023.
Frequently Asked Questions
Does HITRUST replace HIPAA?
No. HITRUST is a certification that demonstrates HIPAA compliance, but you remain legally subject to HIPAA enforcement by HHS Office for Civil Rights. A HITRUST certificate does not give you legal immunity. It is supporting evidence, not a shield.
Is HITRUST mandatory for healthcare companies?
No. HITRUST is voluntary. It becomes effectively mandatory when a specific enterprise customer (hospital system, payer, large pharma) requires it in their vendor risk assessment process. Most small medical practices and clinics do not require HITRUST from their vendors.
Which is harder, HITRUST or SOC 2?
HITRUST r2 is significantly harder than SOC 2 Type 2. HITRUST scores controls on a 5-point maturity scale (Policy through Managed), while SOC 2 asks whether a control exists and operates. HITRUST i1 is roughly 1.5 times the work of SOC 2. HITRUST e1 is roughly equivalent to SOC 2 Type 1 in effort.
How long does HITRUST certification take?
HITRUST e1 takes 3 to 6 months for a prepared organization. HITRUST i1 takes 6 to 12 months. HITRUST r2 takes 12 to 18 months for a first-time certification. These timelines assume you already have a working HIPAA program. Starting from zero adds 6 months.
Is HITRUST cheaper than SOC 2?
No. HITRUST is more expensive than SOC 2 across the board. SOC 2 Type 2 typically runs $20K to $60K per year. HITRUST e1 starts around $25K to $40K. HITRUST i1 runs $60K to $90K. HITRUST r2 runs $100K to $250K plus.
Do I need both HIPAA compliance and HITRUST certification?
Yes if you pursue HITRUST. HITRUST is built on HIPAA controls, so a HITRUST audit assumes a working HIPAA program. The two are not alternatives. HIPAA is the legal floor. HITRUST is a way to prove you cleared the floor and a lot more besides.
What is the difference between HITRUST e1, i1, and r2?
e1 (Essential) covers 44 fundamental controls, valid for 1 year, designed for low-risk vendors. i1 (Implemented) covers 182 controls, valid for 1 year, designed for mid-risk SaaS. r2 (Risk-based) is the flagship: 200 to 2,000+ controls scoped by risk, valid for 2 years with an interim review. r2 is what enterprise health buyers usually mean by "HITRUST."
