Your HITRUST assessment: A complete guide

Stylized image of medicine being distributed according to a digital application

HITRUST is a widely recognized security framework and certification program originally designed for the healthcare industry. It provides a comprehensive set of controls and requirements for managing and protecting sensitive data, including personal health information (PHI).

HITRUST certification is a voluntary process that involves an independent assessment of an organization’s adherence to the HITRUST CSF controls. Achieving HITRUST certification demonstrates an organization’s commitment to maintaining high standards of security and privacy, especially in the healthcare industry. It can be particularly important for healthcare providers, health plans, and business associates that handle sensitive patient information and want to establish trust with their partners and customers.

By adopting the HITRUST framework and obtaining certification, organizations can enhance their security posture, demonstrate regulatory compliance, and mitigate the risk of data breaches and other security incidents.

Short summary

  • HITRUST assessments are essential for healthcare organizations to ensure they have a robust cybersecurity posture.
  • Understand the timeline & cost of HITRUST certification – it can take up to 9 months, and maintenance costs range from $40K-$250K/year.
  • Engage a certified assessor & prepare ahead by scoping the environment, conducting gap analysis, and remediating issues before assessment.

Which HITRUST assessment is right for me: e1, i1, r2?

Thorough information about the three levels of HITRUST assessment can be found here. Here’s a breakdown of the differences between E1, I1, and R2 assessments:

E1 (Essential)

The E1 assessment is the most basic level of assessment within the HITRUST CSF Assurance Program. It is designed for organizations that want to gain an understanding of their security posture but do not require a full-scale validation against the entire set of CSF controls.  Learn more here.

Key features of the E1 assessment include:

  • Certifiable assessment: 1 year
  • Lower level of assurance: The E1 assessment provides a lower level of assurance compared to the I1 and R2 assessments.

I1 (Intermediate)

The I1 assessment is an intermediate level of assessment within the HITRUST CSF Assurance Program. It involves a more thorough evaluation of an organization’s security controls and practices compared to the E1 assessment. Learn more here.

Key features of the I1 assessment include:

  • Certifiable assessment: 1 Year  + Rapid Recertification in Year 2
  • Intermediate level of assurance: The I1 assessment provides a higher level of assurance compared to the E1 assessment.

R2 (Risk Based Formerly known as: Validated Assessment)

The R2 assessment is the highest level of assessment within the HITRUST CSF Assurance Program. It offers the most comprehensive evaluation and validation of an organization’s security controls and practices. Learn more here.

Key features of the R2 assessment include:

  • Certifiable assessment: 2 Years
  • Highest level of assurance: The R2 assessment provides the highest level of assurance among the three assessment types.

Is HITRUST right for your business?
Take the quiz
Find out which HITRUST assessment is right for you
Take the quiz icon-arrow-long

Understanding the HITRUST assessment process: Requirements, timeline, and cost

Navigating the world of healthcare cybersecurity can be a daunting task, especially when it comes to understanding the HITRUST assessment process. But fear not! We’re here to break it down for you and provide insight into the requirements, timeline, and costs involved in this critical aspect of healthcare industry compliance.

By the end of this article, you’ll have a solid understanding of the different types of HITRUST assessments, the steps required to prepare for an assessment, and the role of certified assessors. We’ll also discuss the timeline and costs associated with HITRUST certification, so you can make informed decisions for your organization.

coworkers looking at HITRUST CSF requirements documents

The importance of HITRUST assessments

In today’s digital age, the healthcare industry faces increasing challenges in protecting sensitive data, especially when sharing that data with third parties. This is where HITRUST comes into play. Companies that can produce a HITRUST certification will prove they’re committed to information security. 

The assessment process involves completing a questionnaire in the HITRUST MyCSF Portal and providing evidence for all required controls. Once an external assessor evaluates the evidence, it is submitted to HITRUST for quality assurance review. HITRUST R2 validated assessment reports remain valid for two years, with an interim assessment required one year after completion.

So, why are HITRUST assessments so important? Digital healthcare organizations must protect sensitive data from cyber threats and comply with a myriad of regulations. The HITRUST assessment process ensures that organizations have a robust cybersecurity posture, addressing regulatory risk factors and streamlining the compliance process.

Health industry cybersecurity practices

The healthcare industry has its unique cybersecurity practices, such as the HITRUST Common Security Framework (CSF). The HITRUST CSF provides healthcare organizations with a comprehensive, certifiable information security framework that addresses critical security and privacy requirements. By adhering to the HITRUST CSF, organizations can demonstrate to their business partners and regulators that they have implemented the necessary security controls to protect sensitive data and comply with industry regulations.

Regulatory risk factors

Regulatory risk factors, such as HIPAA and other information security regulations, play a significant role in the HITRUST R2 assessment process. Compliance with these regulations requires organizations to ensure the proper implementation and enforcement of security and risk management measures. Failing to comply can lead to increased costs and potential penalties.

By undergoing a HITRUST assessment, organizations can identify and address any gaps in their security controls, ensuring compliance with regulatory standards. This not only reduces the risk of non-compliance but strengthens the organization’s overall security posture and mitigates potential threats to sensitive data.

The 3 levels of HITRUST assessments

There are levels types of HITRUST assessments:

  1. Self-assessment
  2. Readiness assessment
  3. Validated assessment

Each assessment serves a specific purpose and plays a crucial role in the overall HITRUST certification process.

Understanding the differences between these assessments is vital for organizations looking to achieve HITRUST certification. Let’s dive into each of these assessment types and explore their unique characteristics and purposes.

1. Self-assessment

A self-assessment is an internal review of an organization’s security controls and processes. This type of assessment can be conducted independently or with the help of HITRUST Authorized External Assessors, who can provide guidance throughout the process.

Submitting the self-assessment to HITRUST will provide a formal report, showing customers that the organization is making progress toward HITRUST certification.

The self-assessment, and other levels of assessment, can be performed using any assessment type, e1, i1 or r2. 

2. Readiness assessment

A HITRUST readiness assessment is conducted by a third-party assessor to identify gaps in an organization’s security controls. This assessment helps organizations understand their compliance with the HITRUST CSF and identify any control gaps that need to be addressed before a validated assessment can take place.

The benefits of conducting a readiness assessment are twofold:

  • First, it helps organizations identify security gaps before investing in a more comprehensive and costly validated assessment.
  • Second, it enables organizations to make any necessary adjustments and remediate identified issues during the remediation phase of the certification process.

3. Validated assessment

A validated assessment is a comprehensive evaluation of an organization’s security controls and processes conducted by a certified assessor. This type of assessment involves data-gathering techniques such as document reviews, interviews, and testing. Once the validated assessment is complete, it is submitted to HITRUST for review to ensure it meets the certification criteria.

In addition to the initial validated assessment, organizations must undergo an interim assessment one year after certification to maintain their HITRUST compliance. This interim assessment, conducted by a HITRUST assessor, helps ensure that organizations continue to meet HITRUST standards and maintain a strong security posture.

Preparing for a HITRUST assessment

A successful HITRUST assessment begins with thorough preparation. Organizations should start by scoping their environment, conducting a gap analysis, and remediating any identified issues. Each of these steps is crucial in ensuring a smooth and successful assessment process.

Let’s take a closer look at the importance of each preparation step and how organizations can effectively navigate this process to achieve HITRUST certification.


Scoping is the first step in the HITRUST assessment process and involves understanding the scope of protected data and how it is used within the organization’s environment. This includes mapping out protected data flows, identifying the departments involved, and analyzing the systems that process protected data.

Worker scoping protected data for HITRUST assessment

By gaining a comprehensive understanding of how protected data is collected, processed, and stored, organizations can better identify potential security risks and vulnerabilities. This information will be invaluable during the gap analysis and remediation efforts, ensuring that the organization is well-prepared for the HITRUST assessment.

Gap analysis

Gap analysis is an essential component of the HITRUST assessment preparation process. It identifies control gaps and helps organizations plan for encryption and remediate high-risk issues. The gap assessment involves assessing the organization’s current security posture against HITRUST controls and identifying any issues that need to be addressed.

After identifying any gaps, organizations should prioritize addressing high-risk issues and plan for longer-term remediation efforts, such as implementing proper data encryption. Timely and effective gap remediation is crucial in ensuring that organizations meet HITRUST requirements and achieve certification.

Remediation efforts

Remediation efforts involve implementing the necessary controls to address identified gaps and ensuring that these controls are functioning properly. This includes creating a remediation action plan, executing the plan, and monitoring progress to ensure compliance with HITRUST requirements.

Maintaining a strong focus on remediation efforts is critical, as it enables organizations to address any security gaps and mitigate potential risks to sensitive data. By dedicating time and resources to remediation efforts, organizations can significantly increase their chances of achieving HITRUST certification.

Engaging a certified assessor

Engaging a certified assessor is an essential component of a successful HITRUST assessment. These professionals have the qualifications and experience necessary to conduct a comprehensive evaluation of an organization’s security controls and processes.

By working with a certified assessor, organizations can ensure that all HITRUST requirements are met and achieve certification more efficiently.

Assessor qualifications

Certified assessors must possess the appropriate qualifications and experience to conduct a HITRUST assessment. This includes passing the CCSFP Exam and being approved by HITRUST for assessment and services related to the HITRUST Assurance Program and the HITRUST CSF.

To ensure that you select the right assessor for your organization, it is crucial to research potential assessors and verify their qualifications, experience, and references. This will help guarantee that your organization receives the highest-quality assessment, ultimately increasing your chances of achieving HITRUST certification.

Working with an assessor

Working with a certified assessor like the team at Thoropass requires clear communication and collaboration to ensure a smooth assessment process and successful certification. Assessors should be involved in the preparation process, including scoping, gap analysis, and remediation efforts. By maintaining open lines of communication, organizations can address any issues or concerns that arise during the assessment process promptly and effectively.

In addition to clear communication, organizations should collaborate closely with their assessor throughout the assessment process. This includes sharing relevant documentation, providing evidence to support control requirements, and actively participating in the assessment procedure. By working together, organizations and assessors can ensure a successful HITRUST assessment and certification.

Timeline and cost of HITRUST certification

Obtaining HITRUST certification requires a significant investment of time, resources, and capital. However, the benefits of certification, such as improved security and regulatory compliance, often outweigh the costs. It is important for organizations to understand the timeline and costs associated with HITRUST certification to make informed decisions and allocate resources effectively.

Preparation time

Preparation for first-time HITRUST certification typically takes 6-9 months. This includes the time required for self-assessment, which can take 2-8 weeks, and the validated assessment, which can take an additional 6-8 weeks. Organizations should also consider the time needed to remediate any identified gaps and implement necessary controls.

By understanding the time required for HITRUST certification, your organization can better plan its resources and ensure a smooth and efficient assessment process. This will ultimately increase the chances of achieving certification and compliance with industry regulations.

Assessment duration

The duration of the HITRUST assessment process varies depending on the type of certification. Additionally, ongoing assessments can range from four to eight weeks, depending on the complexity of the assessment.

By understanding the assessment duration and factoring it into their timeline, organizations can better allocate resources and plan for the successful completion of the HITRUST certification process.

Maintenance costs

Maintenance costs for HITRUST certification involve achieving, sustaining, and integrating a security and compliance culture within the organization. These costs can range from around US$40,000 to upwards of $250,000 a year or more, depending on the type of assessment and its scope.

It’s important to factor in the costs of maintaining HITRUST certification when planning their security and compliance strategy. By allocating the necessary resources and continuously monitoring their security posture, organizations can ensure ongoing compliance and maintain their HITRUST certification.

Conclusion: HITRUST requires significant effort and investment

Achieving HITRUST certification requires dedication, effort, and investment. However, the benefits of improved security, compliance, and risk management far outweigh the costs. By embracing the HITRUST assessment process, organizations can demonstrate their commitment to protecting sensitive data and maintaining a strong security posture in today’s increasingly complex digital landscape.

Frequently asked questions about HITRUST assessments

What is a HITRUST assessment?

A HITRUST assessment is a comprehensive audit that measures an organization’s compliance with the rigorous security requirements of the Health Information Trust Alliance (HITRUST). It evaluates an organization’s ability to protect sensitive health data and provides guidance for any gaps they need to close in order to achieve certification.

The assessment covers a wide range of topics, including data security, privacy, and risk management. It also includes a review of the organization’s policies and procedures, as well as its technical infrastructure. The assessment is designed to ensure that organizations are compliant.

What are the levels of HITRUST assessment?

HITRUST assessments range from self-assessment to CSF-validated and CSF-certified levels. These levels of assessment increase in rigor from the lowest to the highest level. This ultimately ensures an organization meets the highest standards for risk management assurance.

How long does a HITRUST adoption take?

Typically 9-12 months. On average, a HITRUST assessment typically takes anywhere from 9 to 12 months to complete depending on the complexity of the organization. The time can also depend on how long it takes for companies to respond to requests and complete requested actions. Working with a partner like Thoropass can streamline your HITRUST journey. Speak to an expert today to find out how!

Share this post with your network: