The typical HITRUST certification process consists of the following three phases:
In the first phase, the company is assessed to establish whether the necessary policies, processes, and controls have been implemented to meet the HITRUST requirements. The readiness assessment may be conducted by the company’s internal resources, a HITRUST assessor, or a consulting company.
The second phase involves addressing the gaps identified in the first phase. To avoid any potential conflict of interest, the HITRUST assessor performing the certification assessment cannot be involved in this phase. For this reason, this phase is performed either by the company or by a consulting firm.
In the third phase, a selected HITRUST assessor performs the assessment. After the assessment is completed, it is submitted to the HITRUST Alliance for Quality Assurance and Certification. If the assessment is accepted, a certification report is issued by the HITRUST Alliance. In some cases, a certification report can be issued even when the company has compliance gaps. In that case, the company will need to provide a Corrective Action Plan (CAP) that will be monitored by the Alliance.