
HIPAA (Health Insurance Portability and Accountability Act)
This is a mandatory U.S. federal law. Basically, it sets the legal baseline for how you must protect Protected Health Information (PHI).
HITRUST (CSF)
In contrast, HITRUST is a voluntary, industry-agnostic security framework. Instead of just listing requirements, it provides the technical “how-to” for implementing security controls.
