October 2, 2023

What is HITRUST Certification?

In an era where data breaches and cyber threats are becoming increasingly prevalent, ensuring the security of sensitive information has never been more critical. And when it comes to preparing organizations to mitigate such risks, particularly in the healthcare industry, HITRUST CSF Framework  is widely recognized as the preeminent security standard. 

By adhering to this industry-leading security standard, organizations can demonstrate their commitment to data protection and instill confidence in their ability to manage and secure sensitive information.

Introduction to HITRUST and its Importance

The Health Information Trust Alliance, more commonly known as HITRUST, is a globally recognized standards organization focusing on security, privacy, and risk management. The main objective of HITRUST is to establish a robust, comprehensive framework that organizations can adopt to protect sensitive data and information. The organization is advised by its HITRUST External Assessor Council. Justin Graham, Tevora’s Manager Information Security & Compliance, and Jason Lee, Tevora’s Associate Healthcare Manager, are both vetted members of the HITRUST External Assessor Council. 

One of the key components of HITRUST is the Common Security Framework (CSF). The HITRUST CSF is a certifiable framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), state, third party (PCI, COBIT) and government (NIST, FTC). This means that organizations following the HITRUST CSF are simultaneously compliant with numerous other important regulations, which saves time and resources, while reducing the risk of non-compliance.

By implementing HITRUST CSF, organizations can effectively manage their security posture and reduce risks associated with health data management. It provides a clear roadmap for compliance with multiple regulations, alleviating the burden of managing different standards individually.

A HITRUST certification demonstrates to partners, regulators, and patients that an organization has taken extensive measures to protect their data, building trust and confidence.

Understanding the HITRUST CSF

The HITRUST CSF is highly versatile and can be customized based on an organization’s type, size, and complexity. It considers various risk factors, including organizational, system and regulatory factors. This flexibility makes it applicable to many organizations, not just those in the healthcare sector.

One of the key emphases of the HITRUST CSF is enhancing data security and confidentiality. It provides a set of controls that ensure information integrity, availability, and confidentiality. These controls are regularly updated to keep pace with evolving threats and changes in the regulatory landscape.

By following the HITRUST CSF, organizations can create a secure environment for their data, which protects them from potential breaches and builds trust among customers and partners. Furthermore, the framework’s focus on continuous improvement ensures that organizations remain proactive in their approach to information security.

The HITRUST CSF is more than just a security framework. It’s a comprehensive, scalable, and certifiable solution that helps organizations protect their most valuable asset – their data. As cyber threats evolve, the HITRUST CSF provides a solid foundation for organizations to enhance their data security and confidentiality measures.

Differentiating HITRUST from HIPAA

HITRUST and HIPAA are vital in healthcare data security, but they have distinct purposes.

Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the US. It establishes the standards for utilizing, sharing, and securing protected health information (PHI). Any healthcare provider, insurance firm, or healthcare clearinghouse dealing with PHI must comply with HIPAA.

On the other hand, HITRUST is a standards organization. Unlike HIPAA, HITRUST is not a law but a voluntary framework that organizations can adopt to manage their security risks more effectively.

So, where does the interaction between HITRUST and HIPAA come into play?

While HIPAA sets the regulations for protecting PHI, it does not provide a detailed roadmap on how to achieve this. This is where HITRUST comes in. The HITRUST CSF incorporates the requirements of HIPAA, amongst others, and provides a clear, actionable set of controls for achieving compliance.

Although both HIPAA and HITRUST are crucial to healthcare data security, they serve different purposes. HIPAA sets the legal requirements for PHI protection, while HITRUST provides a robust framework for achieving and demonstrating compliance.

Applicability of HITRUST CSF

While HITRUST CSF was initially developed to address the unique security challenges faced by the healthcare industry, it has since evolved into an industry-agnostic certification. This means that organizations across a wide range of sectors can now adopt and benefit from the HITRUST CSF.

The broad applicability of the HITRUST CSF is largely due to its comprehensive nature. It integrates and aligns with various globally recognized standards, regulations, and business requirements, including HIPAA, SOC 2, ISO 27001, NIST, and PCI DSS. The HITRUST CSF provides a unified and simplified approach to managing information risk and compliance by harmonizing these diverse rules and guidelines.

For organizations in the healthcare sector, the HITRUST CSF continues to be a leading choice for demonstrating HIPAA compliance. However, organizations in finance, technology, retail, and other industries have also started adopting the HITRUST CSF to enhance their security posture and meet their unique compliance needs.

Regardless of industry or size, any organization that handles sensitive data can leverage the HITRUST CSF to enhance its data protection measures and demonstrate its commitment to information security.

Advantages of HITRUST Certification

Achieving HITRUST certification brings with it a host of benefits that extend beyond just demonstrating regulatory compliance. Below are some key advantages of a HITRUST certification:

Regulatory Compliance Fulfillment

One of the most immediate benefits of HITRUST certification is its role in fulfilling regulatory compliance requirements. The HITRUST CSF incorporates and harmonizes multiple internationally recognized standards, regulations, and business requirements, including HIPAA, SOC 2, ISO 27001, and PCI DSS.

This comprehensive coverage makes it easier for organizations to demonstrate compliance with a wide range of regulations, reducing the risk of non-compliance penalties.

Competitive Differentiation

Information security is not just a requirement but a competitive advantage. Organizations that achieve HITRUST certification signal to their customers, partners, and stakeholders that they prioritize data protection and take proactive steps to manage information risks. This can enhance the organization’s reputation, increase customer trust, and provide a competitive edge in the market.

Cost and Time Savings

While achieving HITRUST certification requires an investment of resources, it can lead to significant cost and time savings in the long run. By consolidating multiple standards into a single framework, the HITRUST CSF simplifies the compliance process and reduces the need for multiple audits. This can save organizations considerable time and resources that would have been spent on navigating and complying with multiple separate standards.

Consolidation of Regulatory Standards

The HITRUST CSF is unique in its ability to consolidate a multitude of complex regulatory standards into one manageable framework. This consolidation simplifies the compliance landscape for organizations, making it easier to understand and implement necessary controls. It also ensures a comprehensive approach to data security, addressing all potential areas of risk.

Diverse Types of HITRUST Assessments

The Health Information Trust Alliance (HITRUST) offers three types of CSF Validated Assessments, each tailored to different organizational needs and risk profiles. These assessments – e1, i1, and r2 – range from basic cybersecurity essentials to comprehensive, risk-based high assurance. Here is a detailed breakdown of these assessments:

e1 Assessment

The e1 Assessment is designed for organizations seeking to demonstrate an understanding of basic cybersecurity principles and practices. This assessment focuses on low-risk cybersecurity essentials, providing a starting point for organizations beginning their journey toward robust data protection. The e1 Assessment covers a limited set of controls from the HITRUST CSF, focusing on those fundamental to a basic security program.

i1 Assessment

The i1 Assessment is a more in-depth examination of an organization’s security practices. It’s designed for organizations that wish to showcase leading security practices with moderate assurance. This assessment covers a broader set of HITRUST CSF controls, including access control, incident management, and risk management. The i1 Assessment provides a higher level of assurance than the e1 Assessment but is less comprehensive than the r2 Assessment.  Additionally, the i1 Assessment offers a Rapid Recertification option on year two, which offers a more efficient assessment roadmap over time. 

r2 Assessment

The r2 Assessment is the most comprehensive of the three types of HITRUST assessments. It provides a thorough, risk-based evaluation of an organization’s security practices, offering the highest level of assurance. The r2 Assessment covers controls in the HITRUST CSF, including those related to business continuity, disaster recovery, and third-party assurance. Organizations that undergo an r2 Assessment are committed to the highest data protection standards.

Navigating the HITRUST Assessment Process

HITRUST certification can seem challenging, but by taking a few simple steps, organizations can move through the process quickly and efficiently.

Defining Scope

The first step in the HITRUST assessment process is defining the scope. This entails identifying the systems, applications, and processes that manage or interact with sensitive data within your organization. The extent of this assessment will be determined by the unique risks associated with your organization’s operations and the regulatory requirements that apply to your business.

Gaining Access to MyCSF Portal

Once the scope is defined, the next step is to gain access to the MyCSF portal. This online tool, provided by HITRUST, is where you will conduct your self-assessment, manage remediation efforts, and ultimately undergo the validated assessment. You’ll need to purchase an annual subscription to access the portal.

Readiness Assessment and Gap Analysis

Next, you’ll conduct a readiness assessment through the MyCSF portal. This self-assessment helps identify potential gaps between your current security practices and the requirements of the HITRUST CSF. The results of this readiness assessment serve as the basis for a gap analysis, which will guide your efforts to address any deficiencies before proceeding to the validated assessment.

Validated Assessment Testing

After addressing any gaps identified in the readiness assessment, you’ll proceed to the validated assessment. This involves testing your organization’s controls against the HITRUST CSF requirements. The validated assessment is conducted by a HITRUST-approved assessor who will test your controls.

Interim Assessment (for r2 certification)

For organizations seeking r2 certification, there is an additional step – the interim assessment. This occurs 12 months after the validated assessment and serves as a check-in to ensure that controls are operating effectively. The interim assessment is critical to maintaining r2 certification, as it demonstrates ongoing adherence to the HITRUST CSF.

Establishing HITRUST Policies and Procedures

Creating comprehensive and effective policies and procedures for HITRUST compliance can be complex. It requires a deep understanding of the HITRUST CSF and your organization’s specific operational, legal, and regulatory context. The challenge lies in translating the broad principles and specific requirements of the HITRUST CSF into actionable, practical policies and procedures that staff can follow daily.

The Importance of Policies and Procedures

Policies and procedures are crucial in meeting HITRUST requirements because they define the who, what, when, where, and why of your organization’s approach to information security and privacy.

They establish clear guidelines for behavior, provide a roadmap for implementation, and create a basis for assessing compliance. Without well-defined policies and procedures, an organization may struggle to meet the standards set by the HITRUST CSF consistently.

Specific Policies and Procedures Required

The HITRUST CSF necessitates a comprehensive array of specific policies and procedures. These encompass, but are not confined to, policies concerning access control, incident response, risk management, information protection, and third-party assurance.

Each policy should clearly outline the purpose, scope, roles and responsibilities, guidelines, and enforcement mechanisms. Procedures should provide step-by-step instructions for implementing these policies.

Addressing the 19 HITRUST Control Domains

A key part of establishing HITRUST policies and procedures is addressing the 19 HITRUST control domains, which cover a comprehensive set of security, privacy, and regulatory requirements.

These domains range from information protection processes and procedures to endpoint protection, network protection, and incident management. Each domain has specific controls that need to be addressed in your policies and procedures.

Ensuring HITRUST-Compliant Vendor Relationships

Achieving HITRUST certification is a significant milestone, but the journey doesn’t end there. Post-certification, it’s crucial to manage third-party risks effectively. Any vendor with access to your data or systems can potentially introduce vulnerabilities, making them a potential weak link in your security chain. Therefore, ensuring that these vendors are HITRUST compliant is a key part of maintaining your certification and protecting sensitive data.

For healthcare corporations, enforcing HITRUST compliance among vendors is particularly important. These corporations often handle highly sensitive patient information, making them attractive targets for cybercriminals.

By insisting on HITRUST compliance from their vendors, healthcare corporations can ensure that all parties handling this sensitive data adhere to the same high data protection standards.

HITRUST Certification and its Cross-Requirement Benefits

HITRUST CSF’s unique design incorporates and aligns with multiple other widely recognized security frameworks, providing cross-requirement benefits that can streamline the compliance process.

Here’s how obtaining HITRUST CSF certification can simultaneously fulfill requirements for SOC 2, ISO 27001/NIST 800-53, and FedRAMP:


Service Organization Control (SOC) 2 is a framework for managing customer data based on five “trust service principles” – security, availability, processing integrity, confidentiality, and privacy.

HITRUST CSF integrates these principles into its own framework, meaning that organizations can leverage their HITRUST certification to demonstrate SOC 2 compliance. This eliminates the need for separate audits and assessments, saving time and resources.

ISO 27001/NIST 800-53

ISO 27001 is an international standard for information security management, while NIST 800-53 is a US standard for protecting federal information systems. These standards significantly overlap with the HITRUST CSF regarding their requirements for risk management, access control, incident response, and more.

By achieving HITRUST certification, organizations can also satisfy many of the controls required by ISO 27001 and NIST 800-53, simplifying the compliance process.


The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services.

HITRUST CSF includes many of the same controls as FedRAMP, enabling organizations to use their HITRUST certification as evidence of compliance with many FedRAMP requirements.

Validity Duration and Cost of HITRUST Certification

The HITRUST r2 certification is valid for two years from the date of issuance. However, to maintain the certification, organizations must conduct an interim review or ‘mini-audit’ at the end of the first year. This review ensures that the organization continues to meet the requirements of the HITRUST CSF.

The cost of HITRUST certification can vary widely between $50K – $150K, depending largely on the size and scope of the assessment. Generally, larger organizations with more complex IT environments will face higher certification costs due to the increased time and resources required for the assessment.

It’s also worth noting that there are several components to the overall cost of HITRUST certification:

  • Assessment Costs: These are the direct costs associated with conducting the HITRUST assessment, including the fees charged by the HITRUST-approved assessor organization.
  • Remediation Costs: If gaps or deficiencies are identified during the assessment, the organization may need remediation efforts to achieve compliance. These costs include technology upgrades, policy development, and staff training.
  • HITRUST Fees: HITRUST itself charges fees for using the MyCSF tool, reviewing and scoring the assessment, and issuing the certification.
  • Maintenance Costs: Maintaining the certification requires an interim review at the end of the first year, which incurs additional costs.

Partnering with Tevora for HITRUST Assessments

Navigating the HITRUST certification process can be a complex and expensive task. It requires a deep understanding of the standards, an ability to accurately assess your organization’s current compliance status, and the expertise to address any gaps effectively while staying within budget. This is where partnering with a seasoned expert like Tevora can make all the difference.

Tevora is a specialized management consultancy firm with extensive experience in guiding organizations through the HITRUST certification process. They provide end-to-end assistance, from initial readiness assessments to the final certification audit, ensuring your journey toward HITRUST compliance is smooth and successful.

Why Choose Tevora?

Expertise: Tevora’s team of experts deeply understands the HITRUST CSF and its implementation. In fact, Justin Graham and Jason Lee, two leaders in Tevora’s Healthcare practice, are members of the HITRUST Assessor Council, granting them close familiarity with the rules and standards. They and their teams can help you navigate the complexities of the framework, ensuring that you meet all the necessary requirements.

Experience: With years of experience guiding organizations through the HITRUST certification process, Tevora has developed a proven methodology to help streamline your path to compliance.

Personalized Approach: Tevora understands that every organization is unique. They take the time to understand your specific needs and tailor their approach accordingly, ensuring your HITRUST journey is as efficient and effective as possible.

Ongoing Support: Achieving HITRUST certification is just the beginning. Tevora provides ongoing support to help you maintain your compliance status and adapt to any changes in the HITRUST standards.

Achieving HITRUST certification can be a significant milestone for your organization, demonstrating your commitment to data protection and regulatory compliance. By partnering with Tevora, you can ensure you have the right guidance and support to make this journey successful.