HITRUST Certification in Healthcare

Discover how HITRUST certification aligns different compliance requirements and what the certification process entails

Protected health information (PHI) is a valuable asset. Widespread data breach events prompt healthcare entities and their third parties to improve their information security programs. To assure the effectiveness of their security programs and implemented controls, many healthcare organizations obtain a HITRUST certification.

What is HITRUST?

The Healthcare Information Trust (HITRUST) Alliance is a non-profit organization that provides a common framework for maintaining data security in the healthcare industry. The HITRUST approach harmonizes the information risk management and compliance requirements of several frameworks. This supports organizations' readiness to react to and address complex security and compliance challenges and to meet regulatory requirements. As the security landscape becomes more complex, organizations should constantly increase their efforts to safeguard sensitive data and maintain compliance. To assist, HITRUST developed the Common Security Framework (CSF).


HITRUST CSF helps healthcare organizations protect sensitive data and maintain compliance with laws and regulations. It is often referred to as a comprehensive framework because it incorporates requirements from HIPAA, PCI, and other state and federal regulations. HITRUST CSF helps organizations assess and maintain their internal policies, procedures, and controls using a common framework.

HITRUST requirements cover 19 security domains, which involve specific control categories necessary to achieve the HITRUST certification. These categories outline the desired results and list policies, procedures, and implementation guidance necessary to meet the objective. The CSF also provides predefined organizational, regulatory, and system risk factors that establish the inherent risk:

  • Organizational factors include, among others, the amount of sensitive information held or processed, the annual number of transactions, and the volume of business/data.
  • Regulatory factors consider the compliance requirements (e.g., HIPAA, PCI, or GDPR) applicable to the organization.
  • System factors focus on various system properties that would affect the likelihood or impact of risk: whether a system stores, processes, or transmits sensitive data; whether it is accessible from the Internet; whether it uses mobile devices; etc.

Finally, HITRUST CSF rationalizes the way organizations manage the compliance of their business associates. It provides an opportunity to “assess once and report to many”, while covered entities benefit from such a complete assessment process.

Drivers for Obtaining HITRUST Certification

Covered entities and business associates, as defined by HIPAA, are the most common organization types that pursue and obtain HITRUST certification. Besides strengthening the overall security program and reducing the possibility of data breaches, there are business advantages that induce organizations to get the certificate. By demonstrating compliance with HIPAA regulatory requirements, HITRUST certification:

  • provides a high degree of assurance to business partners and auditors; 
  • increases chances for third parties to provide services to leading healthcare organizations as it often becomes their contractual requirement;
  • reduces the time spent responding to several security questionnaires and audits;
  • demonstrates, in case of a data breach, that the organization took the appropriate efforts to protect sensitive data; and
  • enhances public trust and brand reputation.

The HITRUST certification often becomes an indicator of a mature data protection program within the healthcare environment.

HITRUST CSF Certification Process

The HITRUST certification process is time- and resource-intensive. First, assessed organizations determine their scope, undergo readiness assessments, and remediate gaps if necessary. Thereafter, organizations are required to have a HITRUST Validated Assessment performed by an authorized assessor. Finally, they need to submit the assessment results for HITRUST review and approval to get a formal certification. The HITRUST MyCSF tool assists organizations in streamlining the assessment approach and identifying applicable implementation requirements. It provides organizations and their assessors with a web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance.

Those who need to obtain the certification often regard the process with deep disfavor. To alleviate such inconveniences, organizations may choose a reliable third-party ally, such as Planet 9, or systematize all steps and instruments necessary to obtain certification by using internal resources. The main aspects of the HITRUST certification process are discussed below.

Readiness Assessment  

Identifying potential gaps and challenges before undergoing the HITRUST Validated Assessment is a good idea. In this regard, organizations can perform a readiness assessment (also known as a self-assessment) and assess their ability to comply with the certification requirements. 

Utilizing the tools and methodologies of the HITRUST CSF, organizations first gather detailed information about the current state of their policies, processes, and implemented controls. Interviews, evidence collection, testing, and inspection of controls are the HITRUST assessment methods. The gathered information should satisfy all the 19 domains provided in MyCSF and be scored per the HITRUST methodology.

To score each control within the assessment scope, HITRUST’s PRISMA-based Maturity Model is used. It involves 5 general control measurement criteria (p. 13):

  • Policy: Does the organization know what it needs to do?
  • Process/Procedure: Does the organization know how to do it?
  • Implemented: Has the organization done it?
  • Measured: Does the organization keep track of it?
  • Managed: Does the organization fix it if something goes wrong?

The first three criteria are enough to satisfy the required maturity expectations, but organizations can significantly benefit if they can demonstrate that their controls are measured and managed. Organizations often have control areas that fail to meet HITRUST's certification requirements. Clear identification and ranking of these areas provide organizations with remediation opportunities before undergoing the Validated Assessment.

The HITRUST CSF Readiness Assessment results in a comprehensive report that outlines the current level of compliance with HITRUST CSF standards as well as remediation goals/tasks. 

Gaps Remediation

Gaps remediation is not a separate process but rather a critical part of the HITRUST assessment, whether self- or validated. It should start with a gap analysis that identifies policies, controls, and other documentation necessary to meet the HITRUST CSF requirements. During this stage, the organization or assessors, depending on the type of assessment performed, identify general gaps in the organization's controls and provide recommendations to remediate the gaps. The organization's gaps are then ranked by risk level, prioritized, assigned to an owner, and tracked. All these activities are documented in a formal corrective action plan (CAP).

Validated Assessment 

The next phase of the HITRUST certification involves completing a Validated Assessment. Its main difference from the self-assessment is that it is performed by authorized HITRUST assessors only. Also, it may be officially submitted to HITRUST for certification if the organization procures a CSF Validated Report with Certification. The HITRUST validation stage, just like the self-assessment, uses a testing approach. It aims to assess the organization’s controls using three main methodologies: examining, interviewing, and testing. 

  • Examining involves reviewing policies, guidelines, and procedures with the aim of evaluating how controls are addressed by the organization.
  • Interviewing means collecting information from organizations’ key personnel with responsibilities related to organizations’ controls.
  • Testing is applied to system configurations/operations to ensure that controls are appropriately implemented.

Based on the testing, the assessors gather the working papers, test results, and interviews and submit them to HITRUST for quality review. This documentation is submitted through the MyCSF portal. At that point, the HITRUST Assurance and Compliance team reviews the assessment and determines if the organization has met the requirements to achieve certification.

Quality Assurance Review

QA Review is the fourth phase of the HITRUST Certification. It scrutinizes the validated assessment and checks whether organizations meet the requirements to achieve the certification. HITRUST QA review entails several activities, namely automated checks, core QA, N/A's testing, and measured and managed control testing.

  • Automated Checks identify assessment scoring and commentary errors and omissions that occurred during the assessment process.
  • Core QA reviews randomly selected HITRUST CSF requirement statements to confirm the sufficiency of the external assessor's work for agreement with the assessed organization's scoring.
  • N/A's Testing reviews documented reasoning for recognizing any HITRUST CSF statement as "non-applicable" for reasonableness and consistency.
  • Measured and Managed Controls Testing reviews all HITRUST CSF requirement statements to confirm the sufficiency of the external assessor's basis for agreement with the assessed organization's scoring.

In case of approval, HITRUST issues a Validated Report with Certification.

The Main Challenges of QA

QA review is a challenging procedure, and sometimes the assessment fails QA due to faults of both organizations and their external assessors. In this regard, organizations generally fail to:

  • implement the CSF to a degree satisfactory for the certification requirements;
  • effectively demonstrate the implementation of the CSF to the external assessor;
  • correctly leverage HITRUST’s Control Maturity Scoring Rubric when determining and confirming the organization’s control maturity scoring.

The external assessors’ faults in failed QA generally involve:

  • failing to identify the organization’s inaccurate/unsubstantiated control maturity scoring;
  • conducting and documenting the validated assessment inappropriately;
  • failing to incorporate changes and updates to the HITRUST CSF Assurance Program into its assessment methodology.

Therefore, both organizations and their external assessors must be highly attentive to all the HITRUST requirements and illustrative guidelines provided in MyCSF. 

Certification Process

The initial HITRUST certification process typically takes from 6 months to 1 year. Very few, if any, organizations obtain certification in under 6 months. However, cases in which the certification process takes more than a year are also common. This occurs due to multiple factors, such as the organization's certification scope, size, complexity, existing controls' maturity, and competing priorities.

The HITRUST certification is valid for two years. However, to maintain the certificate, the organization's status must be reviewed a year after the original assessment. This process is called an interim assessment. The interim assessment requires testing of only one control from each of the 19 domains as well as conducting CAP follow-up. To meet these requirements and conduct an interim assessment in time, organizations are advised to start the process and engage the assessor at least three months in advance. Additionally, the interim assessment verifies that no breach or significant change has affected the organization's environment since the certification was issued.

After two years, the organization must complete recertification and submit a new validated assessment to HITRUST. As the HITRUST approach promotes continual improvement, the prescriptive procedures associated with each control requirement statement provide a guideline for increasing maturity over time. Therefore, organizations should start the recertification process six months before the existing certification's expiration date.


Despite the intensity of the HITRUST certification process, it provides a high degree of assurance. Furthermore, it increases the chances for smaller companies to cooperate with leading healthcare organizations. Those who undergo the HITRUST certification must be attentive to managing their information security program and technical controls.

If you need any help with obtaining a HITRUST certification or other security and compliance services, we'll be happy to assist:

Website: https://planet9security.com

Email: info@planet9security.com

Phone: 888-437-3646
