Since a HITRUST Certification is costly, and there is no official certification for HIPAA compliance

+2 votes
asked Feb 17 in Law & Legal by poliq (5,400 points)
Since a HITRUST Certification is costly, and there is no official certification for HIPAA compliance, are there alternative certifications that early-stage health IT startups can pursue before opting for HITRUST?

2 Answers

0 votes
answered Feb 18 by LarryWrig (500 points)
HITRUST Certification is costly, but if you need to be HIPAA compliant then you really don't want to cheap out on the certifications, because the mistakes you might make with HIPAA compliance could cost you more in lawsuits than the HITRUST Certification cost you.

I have never found any alternatives to HITRUST Certification that are any cheaper.

So you will likely need to go with HITRUST Certification if you want to become HIPAA compliant in the health IT sector.

0 votes
answered Feb 18 by lulumeon (31,470 points)
The closest thing HIPAA has is the annual Enterprise Risk Assessment (ERA), which, as the OP notes, is not a certification but is useful in preparing for both the HITRUST and SOC 2 examinations.

Once your annual enterprise assessment is good, plan to work through SOC 2 and eventually HITRUST.

Most BAAs and CEs will accept at least the annual assessment as proof of overall compliance, and most would prefer to see your SOC 2, even if it's bi-annual.

If you have a client that will only accept HITRUST, you should point out the very low overall pass rate and pass on the opportunity until your organization is more mature.
