A guide to HITRUST compliance

HIPAA is a regulatory framework enacted in the late 1990s that mandates the protection of electronic health information but provides vague security requirements with significant room for interpretation. HITRUST was developed in response to these challenges, addressing the healthcare industry’s difficulties with HIPAA’s limited prescriptive guidance. This lack of specificity made compliance difficult and created uncertainty across the sector.

Industry leaders established the HITRUST framework in 2007 to provide organizations with actionable steps to achieve regulatory compliance and effective security. While HIPAA sets the legal requirements, HITRUST provides a detailed, prescriptive framework with specific methodology to meet and exceed these requirements through its Common Security Framework (CSF). The CSF addressed this need, beginning with 35 controls and expanding in scope and detail with each version. Today, the CSF covers healthcare-specific risks while aligning with international standards like ISO, NIST, and GDPR.

HITRUST’s approach integrates regulatory requirements, industry best practices, and threat intelligence into one certifiable program. The framework receives regular updates—often annually but at minimum every 18 months—to address new technologies and evolving threats. Recent enhancements have focused on control sophistication, assessment efficiency, quality assurance, and capabilities like control inheritance—particularly beneficial for organizations using cloud providers such as AWS.

Is HITRUST certification required and is it only for healthcare?

HITRUST certification is not legally mandated like HIPAA compliance. However, it has become an industry standard, particularly in healthcare and related sectors. Many healthcare organizations and business associates now require their vendors and partners to obtain HITRUST certification as a way to verify security practices and demonstrate compliance with regulatory requirements. While voluntary, HITRUST certification has become a competitive necessity for organizations working with sensitive healthcare data or seeking business relationships with major healthcare entities.

While HITRUST originated in the healthcare industry, it has evolved beyond healthcare-specific risks to align with international standards like ISO, NIST, GDPR, and others. The framework is now applicable to any organization that handles sensitive information across various industries. HITRUST’s comprehensive approach addresses security controls that are relevant to multiple sectors, making it valuable for any organization seeking to implement robust security practices, regardless of industry. The framework’s flexibility allows it to be tailored to different risk profiles and regulatory environments.

Understanding the certification tiers: e1, i1, and r2

HITRUST offers three main assessment types, each designed for different business needs and risk profiles:

• e1 addresses foundational, low-risk environments requiring demonstration of essential security practices. It covers a subset of controls suitable for many smaller vendors or organizations with limited exposure.
• i1 serves organizations with moderate risk, requiring greater rigor and more comprehensive evidence of compliance than e1, while remaining streamlined compared to r2.
• r2 provides the most comprehensive assessment, appropriate for organizations with complex, high-risk data environments or extensive regulatory obligations. Assessments are detailed and highly customizable, incorporating tailored controls based on scope.

Proper scoping is essential. For example, a healthtech startup offering a non-medical wellness app that doesn’t handle PHI might pursue an e1 assessment. A SaaS provider delivering a telemedicine platform handling large volumes of PHI would likely require an r2, given its elevated risk profile.

How does HITRUST compare to SOC 2 compliance?

HITRUST and SOC 2 are both frameworks for assessing security controls, but they differ in several key ways:

1. Specificity: HITRUST provides a highly prescriptive framework with detailed requirements, while SOC 2 offers broader principles that organizations can implement in various ways.
2. Scope: HITRUST was originally focused on healthcare but has expanded to cover multiple industries and regulations. SOC 2 is designed for service organizations across all sectors.
3. Structure: HITRUST offers tiered assessment levels (e1, i1, r2) based on risk profiles, while SOC 2 is organized around five trust service criteria (security, availability, processing integrity, confidentiality, and privacy).
4. Certification: HITRUST results in a certification valid for one or two years, while SOC 2 produces an attestation report that describes the controls in place during a specific period.

Many organizations pursue both certifications, and modern compliance platforms allow for control mapping between frameworks to reduce duplicate efforts.

The compliance journey: process and key considerations

Achieving HITRUST certification involves multiple stages:

1. Defining Scope: Organizations identify which systems, processes, and locations are included in the assessment. Scoping affects control requirements, evidence needs, and resource commitments.
2. Readiness & Gap Assessment: Organizations analyze current practices against HITRUST controls, identify gaps, and develop remediation plans. Many use platforms that automate evidence collection, such as integrating with AWS to gather cloud configuration data.
3. Remediation and Implementation: Addressing compliance gaps may require deploying new technical controls, updating procedures, or enhancing monitoring. This might include ensuring all production databases in AWS RDS use encryption at rest and automated backup as required by HITRUST controls.
4. Assessment by External Assessor: A certified HITRUST assessor reviews controls, collects evidence, interviews relevant stakeholders, and works to close any residual findings.
5. Quality Assurance and Certification: The submitted report undergoes HITRUST’s Quality Assurance review. Recent process improvements, including automation and a reservation system, have reduced average review times from months to under 30 days.
6. Ongoing Maintenance: Certification requires continuous maintenance—controls must be sustained, evidence refreshed, and re-certification completed, typically every one or two years.

Poor scoping represents a common challenge. For instance, a digital health company seeking to certify its patient-facing dashboard might inadvertently include unrelated corporate systems in scope, significantly increasing workload. Early collaboration with trained assessors helps avoid unnecessary complexity.

Control inheritance and cloud infrastructure

HITRUST’s support for control inheritance offers practical benefits, especially for organizations leveraging cloud infrastructure like AWS. Inheritance allows companies to claim credit for controls already implemented and managed by service providers.

A telehealth startup hosting all workloads on AWS can assert inheritance for up to 85% of e1 controls (and significant proportions for i1 and r2) rather than individually documenting physical security of data centers, hardware configuration, or network segmentation—which are AWS’s responsibility. For partially shared controls, such as patch management, the startup must provide evidence for its portion while AWS covers the underlying infrastructure.

Resources like detailed matrices mapping HITRUST controls to AWS responsibilities, along with automated evidence integration, reduce audit complexity and redundant work.

For an organization seeking i1 certification:

• Inherited Controls: Network perimeter protections, facility access controls, and some encryption services are claimed via AWS, based on documentation and shared reports.
• Customer Controls: User management, application-level encryption, and incident response plans require direct evidence and testing.

Control inheritance streamlines the certification process while focusing attention on risk areas directly controlled by the business.

Automation and continuous monitoring

Traditional audits require extensive manual collection of screenshots, logs, and records. Modern approaches automate evidence gathering through direct integrations with AWS services—collecting real-time settings for EC2 patching, IAM role assignment, GuardDuty configurations, and more.

Current platforms provide continuous monitoring with dashboards tracking control status, change management logs, and automated alerts for configuration drift. This supports annual HITRUST review while providing ongoing assurance about control posture.

For example, a health insurance SaaS platform can automate evidence collection for all S3 bucket access using AWS CloudTrail and integrate this directly into their compliance system. When auditors request proof of least-privilege access, the required logs are readily available.

Modern compliance management extends beyond technology. Using a single assessment platform for multiple frameworks (like HITRUST, SOC 2, and PCI) aligns requirements and allows overlapping controls to be documented once and reused as needed—providing critical efficiency for vendors in highly regulated environments.

Scoping and project management

Scoping forms the foundation of successful HITRUST engagement. Overly broad scope results in organizations certifying assets with minimal risk or regulatory requirement, adding cost and complexity. Insufficient scope may fail to satisfy business or partner expectations.

Expert assessors help ensure that only relevant systems—such as cloud-hosted applications handling PHI—are certified, rather than including back-office systems or development environments.

Effective project management ensures deadlines are met, roles are clear, and remediation work is prioritized to keep the certification process on schedule.

AWS and HITRUST: shared responsibility

When deploying workloads on AWS, control responsibility is shared:

• AWS handles security “of the cloud”: data center operations, infrastructure, hypervisors, etc.
• The customer manages security “in the cloud”: data protection, identity access, encryption, application configurations.

HITRUST aligns with this model. Storage encryption at rest in AWS RDS can often be certified by referencing AWS’s audited controls. Organizations must still configure access permissions, manage user lifecycle, and respond to incidents within their application layer.

Resources like AWS’s Services in Scope documentation and the Shared Responsibility Matrix help organizations select certified services and accurately claim inheritance.

Future directions: AI, continuous assurance, and evolving requirements

The threat landscape and technology continue evolving rapidly. Ransomware, cloud breaches, and AI-driven threats require new approaches.

HITRUST is developing the first certifiable AI security controls, ensuring organizations developing or using AI systems address both traditional and unique risks—such as adversarial machine learning or large-language model vulnerabilities. AI certification will build upon baseline security (e.g., e1, i1, r2), as secure AI requires strong foundational controls.

Continuous assurance represents another emerging trend, moving away from annual point-in-time reviews. Real-time evidence collection and ongoing monitoring enable a more accurate and less disruptive certification process.

HITRUST maintains alignment with current threat data. This agility means control updates respond to both compliance changes and real-world breach trends. Statistics indicate that only 0.64% of HITRUST-certified organizations experienced a breach between 2022 and 2023, compared to 53% for similar non-certified organizations.

Summary

HITRUST compliance represents a comprehensive, continuously updated framework based on real-world risk rather than just regulatory language. The HITRUST process requires careful attention to scoping, remediation, evidence collection, and ongoing monitoring, but modern platforms, assessor guidance, and provider partnerships have streamlined the process significantly.

As organizations face increasingly sophisticated threats and evolving requirements—particularly in cloud, AI, and multi-framework environments—the ability to maintain rigorous security while streamlining compliance becomes a competitive advantage.

Success requires early partner engagement, leveraging automation and inheritance capabilities, and staying current with evolving best practices. HITRUST will continue to develop, and organizational approaches to compliance should evolve accordingly.