TL;DR: HITRUST and HIPAA both protect PHI, but they differ in scope, enforcement, certification, cost, and how organisations prove control maturity, according to Zluri. For IAM and access governance teams, the practical question is less which label applies and more whether access reviews, audit trails, and remediation are actually working.
At a glance
What this is: This is a comparison of HITRUST and HIPAA that focuses on scope, enforcement, certification, cost, and the access governance work behind compliance.
Why it matters: It matters because healthcare compliance depends on identity controls, access review discipline, and evidence that permissions are continuously governed across people and systems.
By the numbers:
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
👉 Read Zluri's comparison of HITRUST vs HIPAA for healthcare compliance
Context
HITRUST and HIPAA are often treated as interchangeable, but they solve different governance problems. HIPAA is the legal requirement for protecting PHI, while HITRUST is a control framework that helps organisations evidence how they meet those requirements. In healthcare, that distinction matters because identity, access, and auditability are the mechanisms that make compliance real.
For IAM, IGA, and PAM teams, the issue is not just policy language. It is whether access is reviewed, revoked, documented, and traceable across employees, contractors, business associates, and the service accounts that support clinical and administrative systems.
Key questions
Q: How should healthcare teams evidence access governance for HIPAA and HITRUST?
A: They should show current entitlement data, approver records, remediation actions, and deprovisioning evidence for systems that touch PHI. A defensible programme can answer who had access, why they had it, when it was last reviewed, and how unnecessary access was removed. That evidence matters more than policy statements alone.
Q: When does HITRUST add value beyond HIPAA compliance alone?
A: HITRUST adds value when an organisation needs a structured way to translate HIPAA obligations into repeatable controls, assessments, and third-party assurance. It is most useful when healthcare operations span many vendors or systems and leaders need a single governance framework to organise security evidence.
Q: What do teams get wrong about access reviews in regulated healthcare environments?
A: They often treat access review as an annual paperwork exercise instead of a control that must reflect live entitlements. If review data is stale, incomplete, or disconnected from remediation, the organisation cannot reliably prove that PHI access was limited to what was needed.
Q: Who is accountable when third-party access to PHI is overbroad or unreviewed?
A: The covered entity remains accountable for governance, even when a business associate or vendor holds the access. Contracts help, but the organisation still needs entitlement scoping, review cadence, and offboarding evidence so external access is managed as part of the regulated environment.
Technical breakdown
HIPAA sets the legal baseline, HITRUST translates it into controls
HIPAA defines what covered entities and business associates must protect, especially around PHI and ePHI. HITRUST CSF sits above that legal baseline as a prescriptive control framework that maps multiple requirements into a single assessment model. In practice, that means HIPAA tells organisations to secure access, log activity, and limit disclosure, while HITRUST turns those expectations into measurable controls and validation steps. The two are related but not interchangeable. One is law, the other is a governance method for proving operational discipline.
Practical implication: Treat HIPAA as the obligation and HITRUST as the control mapping used to evidence it.
Access review and audit trails are the real compliance mechanism
The article’s examples point to a familiar pattern: compliance becomes operational only when access decisions are visible and reviewable. Access certification, audit logs, documented remediation, and deprovisioning workflows are the controls that turn policy into evidence. Without those controls, organisations may have written procedures but still be unable to prove who had access, when access changed, or whether unnecessary access was removed. In regulated healthcare environments, that evidence chain is often what auditors and business partners care about most.
Practical implication: Build repeatable access review and evidence collection into every compliance cycle.
Third-party access expands the compliance perimeter
HIPAA and HITRUST both become harder when vendors, outsourced teams, and connected services are part of the operating model. The article highlights business associate agreements and third-party assurance because the compliance boundary extends beyond internal users. That creates governance work for contract ownership, access scoping, and periodic review of external entitlements. In modern healthcare stacks, a compliant internal programme can still fail if third-party access remains overbroad or undocumented.
Practical implication: Review external access as part of the same lifecycle as internal access, not as a separate process.
NHI Mgmt Group analysis
Compliance labels do not reduce identity risk unless access governance is continuous. The article correctly separates HIPAA as a legal requirement from HITRUST as a framework, but both depend on the same control reality: who can access PHI, how that access is reviewed, and whether it is removed when no longer needed. In healthcare, that is an identity governance problem first and a certification problem second. Practitioners should treat compliance evidence as a by-product of control discipline, not as a substitute for it.
Access review is the control surface that links healthcare policy to auditability. HIPAA’s safeguards and HITRUST’s assessment model both collapse if organisations cannot show current access state and remediation history. That puts IGA, PAM, and logging in the same operational chain. The field should stop treating annual checks as sufficient when access changes continuously across staff, vendors, and systems. The practical conclusion is that evidence quality is now a governance requirement, not an audit convenience.
Third-party assurance is becoming a compliance dependency, not a nice-to-have. The article’s emphasis on business associates reflects a broader reality in healthcare: external access is part of the regulated attack surface. When vendors, contractors, and connected applications sit inside the PHI workflow, the organisation inherits their access discipline. That means lifecycle control, entitlement scoping, and offboarding have to extend past the employee boundary. Practitioners need to govern the full access chain, not just internal accounts.
HITRUST functions as a control translation layer, not a substitute for programme maturity. The framework helps organisations organise evidence, but it cannot compensate for weak identity hygiene, missing recertification, or poor segregation of duties. Where teams rely on certification as the objective, they risk optimising for paperwork instead of control integrity. The better model is to use HITRUST to surface gaps in access governance and then align them with HIPAA obligations and operational ownership.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still lack a complete control inventory.
- That visibility gap is why the NHI Lifecycle Management Guide is the right next step for teams building repeatable offboarding and review processes.
What this signals
Access governance is increasingly a compliance evidence problem, not just an admin task. In healthcare environments, programmes that cannot produce current entitlement evidence will struggle to satisfy both HIPAA expectations and HITRUST assessments. The practical shift is toward continuous certification, because annual review cycles are too slow for live identity change.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, per Ultimate Guide to NHIs, healthcare teams should assume that hidden machine access can undermine otherwise well-structured compliance programmes.
Third-party access will keep stretching the compliance perimeter. Healthcare organisations should prepare for more scrutiny on business associate controls, offboarding evidence, and access ownership across connected systems. The governance model that wins is the one that can prove access is current, necessary, and revoked when relationships end.
For practitioners
- Map PHI access to accountable owners: Assign explicit business and technical owners for every role, group, and privileged account that can reach PHI or ePHI. Make ownership visible in the access review workflow so approvers can confirm the business need, not just the name on the list.
- Automate access certification for regulated systems: Run recurring access reviews against HR, vendor, and application data so approvals are based on current entitlements rather than spreadsheets. Prioritise systems that store or process PHI, and require remediation tickets for every exception that remains after the review.
- Extend offboarding to vendors and service accounts: Include business associates, contractors, API keys, and service accounts in the same deprovisioning workflow used for employees. Confirm that access is revoked, not merely disabled in one system, and verify removal across connected applications and downstream integrations.
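The three steps above, and the earlier point that review data must reflect live entitlements rather than an annual snapshot, come down to one reconciliation: join the application's entitlement export to the HR feed and the business-associate roster, and for every entitlement answer who holds it, why, who owns it, when it was last certified, and what must happen next. The script below is an added example written for this post; it is not code from Zluri or from NHIMG's tooling. All records are constructed sample data, and the field names (`status`, `end`, `baa_end`, the `kind` values, the 90-day cadence) are assumptions about what such feeds contain. It flags terminated subjects, lapsed contracts and BAAs, unowned or orphaned service accounts, and stale reviews, and sorts revocations ahead of recertifications so the output maps directly onto remediation tickets.

```python
"""Reconcile a PHI application's entitlement export against HR and vendor data.

Added example for the access-review guidance above; not code from Zluri or NHIMG.
All records are constructed sample data, and the field names (status, end,
baa_end, ...) are assumptions about what an HR feed, a business-associate roster
and an application entitlement export actually contain.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_CADENCE_DAYS = 90  # assumed quarterly recertification for PHI systems


@dataclass
class Entitlement:
    principal: str                 # account name in the PHI application
    kind: str                      # "employee", "contractor", "vendor" or "service"
    subject: str                   # HR worker id, vendor id, or "" for service accounts
    role: str                      # entitlement granted in the application
    justification: str             # business reason recorded when access was granted
    owner: Optional[str]           # HR worker id of the accountable owner, None if unowned
    last_reviewed: Optional[date]  # None if never certified


def assess(e, hr, vendors, as_of, cadence_days=REVIEW_CADENCE_DAYS):
    """Return (action, reasons) for one entitlement: "revoke" when the relationship
    behind the access has ended, "recertify" when the access may be legitimate but
    its evidence is not, "valid" otherwise."""
    revoke, recertify = [], []

    # 1. Is the person or vendor behind this account still in a current relationship?
    if e.kind in ("employee", "contractor"):
        rec = hr.get(e.subject)
        if rec is None:
            revoke.append("no HR record for subject")
        elif rec["status"] != "active":
            revoke.append("subject terminated in HR")
        elif rec["end"] is not None and rec["end"] < as_of:
            revoke.append("engagement end date has passed")
    elif e.kind == "vendor":
        rec = vendors.get(e.subject)
        if rec is None:
            revoke.append("no vendor record for subject")
        elif rec["baa_end"] is not None and rec["baa_end"] < as_of:
            revoke.append("business associate agreement no longer in force")

    # 2. Every entitlement, human or machine, needs an accountable owner who is still here.
    if e.owner is None:
        recertify.append("no accountable owner")
    elif hr.get(e.owner, {}).get("status") != "active":
        recertify.append("accountable owner no longer active")

    # 3. Review evidence must be current, not a stale annual snapshot.
    if e.last_reviewed is None:
        recertify.append("never reviewed")
    elif e.last_reviewed < as_of - timedelta(days=cadence_days):
        recertify.append("last review older than %d days" % cadence_days)

    if revoke:
        return "revoke", revoke + recertify
    if recertify:
        return "recertify", recertify
    return "valid", []


def reconcile(entitlements, hr, vendors, as_of, cadence_days=REVIEW_CADENCE_DAYS):
    """One evidence row per entitlement: who, why, owner, last review, required action."""
    rows = []
    for e in entitlements:
        action, reasons = assess(e, hr, vendors, as_of, cadence_days)
        rows.append({"principal": e.principal, "kind": e.kind, "role": e.role,
                     "justification": e.justification, "owner": e.owner,
                     "last_reviewed": e.last_reviewed, "action": action, "reasons": reasons})
    return rows


def findings(rows):
    """Only the rows that need a remediation ticket, revocations first."""
    return sorted((r for r in rows if r["action"] != "valid"),
                  key=lambda r: (r["action"] != "revoke", r["principal"]))


# Constructed sample data: a same-day snapshot of HR, the vendor roster and one app.
AS_OF = date(2025, 6, 26)
HR = {
    "w100": {"status": "active", "end": None},                  # clinician
    "w101": {"status": "terminated", "end": date(2025, 5, 30)},
    "w102": {"status": "active", "end": date(2025, 4, 15)},     # contractor, contract lapsed
    "w200": {"status": "active", "end": None},                  # application owner
    "w201": {"status": "terminated", "end": date(2025, 2, 28)}, # former service-account owner
}
VENDORS = {"v-claims": {"baa_end": None}, "v-transcribe": {"baa_end": date(2025, 3, 31)}}
ENTITLEMENTS = [
    Entitlement("aruiz", "employee", "w100", "ehr.clinician", "treating physician", "w200", date(2025, 5, 1)),
    Entitlement("jdoe", "employee", "w101", "billing.read", "claims follow-up", "w200", date(2025, 5, 1)),
    Entitlement("kpatel", "contractor", "w102", "ehr.read", "chart migration project", "w200", date(2025, 1, 10)),
    Entitlement("svc-claims-export", "service", "", "claims.export", "nightly clearinghouse feed", "w201", date(2025, 6, 1)),
    Entitlement("svc-etl", "service", "", "ehr.read", "analytics warehouse load", None, None),
    Entitlement("transcribe-api", "vendor", "v-transcribe", "notes.write", "dictation service", "w200", date(2025, 6, 10)),
    Entitlement("claims-api", "vendor", "v-claims", "claims.read", "clearinghouse integration", "w200", date(2025, 2, 1)),
]

if __name__ == "__main__":
    for r in findings(reconcile(ENTITLEMENTS, HR, VENDORS, AS_OF)):
        print("%-10s %-18s %-14s %s" % (r["action"], r["principal"], r["role"], "; ".join(r["reasons"])))
```

Two design points carry over to real feeds. First, the HR `status` flag alone is not enough: the contractor here is still "active" in HR, and only the engagement end date shows the access should be gone, so the check uses both. Second, service accounts never appear in HR at all, which is why ownership is checked for every entitlement and an owner who has left is treated as a finding in its own right; without that, the orphaned export account would pass a review that only looks at people.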
Key takeaways
- HITRUST and HIPAA are related but not equivalent: one is the legal requirement, the other is a framework for proving control discipline.
- Compliance evidence depends on live access governance, especially reviews, remediation, and revocation across internal and third-party identities.
- Healthcare teams should treat identity lifecycle control as part of regulated operations, not as a separate security exercise.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (PR.AC-4 in CSF 1.1) | Access permissions, entitlements and authorisations must be managed and reviewed; this is the evidence HIPAA and HITRUST assessments ask for. |
| NIST CSF 2.0 | GV.RM-02 | Risk management governance underpins the compliance comparison in the article. |
| NIST SP 800-63 | SP 800-63B (authentication) and SP 800-63C (federation) | Assurance levels and federated access concepts matter when business associates access PHI. |
Apply identity assurance controls when external users or partners access regulated healthcare systems.
Key terms
- Protected Health Information (PHI): PHI is individually identifiable health information that a covered entity or business associate creates, receives, or holds, and it must be protected under HIPAA. In practice, it includes medical records, billing data, and related identifiers that can expose a patient if accessed or disclosed improperly.
- HITRUST CSF: HITRUST CSF is a prescriptive control framework used to organise and validate security and compliance work in healthcare and adjacent sectors. It translates regulatory expectations into measurable requirements that teams can assess, remediate, and document.
- Access Certification: Access certification is the process of reviewing who has access to systems or data and confirming whether that access is still justified. For regulated environments, it creates evidence that permissions were periodically revalidated and unnecessary access was removed.
- Business Associate: A business associate is a third party that handles regulated health information on behalf of a covered entity. That relationship extends the compliance perimeter, because the organisation remains accountable for how external access is scoped, reviewed, and revoked.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Zluri: Access Management HITRUST vs HIPAA: 6 Key Differences. Read the original.
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org