CSF Expertise: How to get HITRUST CSF certified

Stylized image of a certification or diploma being handed off

No organization should underestimate the weight of regulatory compliance. Having a business that operates without a compliant framework could become troublesome on many levels. Without compliance measures in place, an organization risks being exposed, and potentially discrediting themselves.  

It’s crucial for a business to find a steadfast solution to its compliance challenges. HITRUST has a highly valuable set of programs and services, aimed at creating a harmonized, comprehensive approach to risk management and compliance.   

Which organizations can benefit from HITRUST certification?

HITRUST certification can benefit many industries and is no longer implemented exclusively by healthcare organizations. Its security controls framework can be utilized by a variety of organizations globally.

Unlike other certifications, the HITRUST certification process is not technically ordered by law for any industry. Most health insurance payers over the last decade, however, have required their vendors to become HITRUST certified. By virtue of this, HITRUST CSF has become the de-facto certification standard in the healthcare sphere.

Complying with HITRUST regulations can benefit many types of organizations, as it establishes high-level and high-quality security standards for a company’s data and systems.

workers brainstorming

The HITRUST Common Security Framework (CSF)

The HITRUST CSF (known fully as the Health Information Trust Alliance Common Security Framework) emerged as a means to manage security risks objectively and measurably. It’s a widely adopted security framework that is recognized worldwide. The framework originally concentrated only on healthcare information but has since expanded, now including many other types of sensitive data across countless industries. 

Any organization, regardless of size or scope, can prove that its systems meet the CSF’s standards via official HITRUST certification. There are varying levels of assessment and reporting with this type of certification, allowing companies to improve their security posture.

The recent version of the HITRUST Common Security Framework (CSF) connects many other authoritative, pre-existing security regulations and frameworks. The HITRUST framework is truly one of the broadest compliance frameworks available, helping organizations manage security challenges through the use of security and privacy controls.  

How can my organization obtain HITRUST certification?

If you’d like to become fully HITRUST certified, an independent assessment will be required. The HITRUST assessment process and becoming officially certified can take up to four months, depending on the nature of your organization. 

Here are the five (5) steps on how to obtain HITRUST certification. These steps may help you get ready for your assessment process ahead of time. Knowing what to expect in this lengthy certification process may allow for a smoother experience. 

Having some guidance through what’s involved may also be beneficial to your organization. If this sounds like something you’d like to pursue, we would be happy to walk you through your assessment process.

HITRUST certification steps:

  1. Download the HITRUST CSF Framework 
  2. Perform a readiness assessment (e1, i1, or r2) via MyCSF
  3. Select an authorized HITRUST external assessor (aka a licensed third-party auditor)
  4. Undergo a validated assessment (e1, i1, or r2) via MyCSF
  5. Receive your HITRUST letter of certification, if review is passed

Remember, becoming certified is just the first step. Maintaining those practices that got you certified in the first place is equally as important.

What are the HITRUST validated assessment certification options? 

There are three (3) HITRUST validated assessment options available. Familiarizing yourself with each assessment level and what it has to offer will help you decide which tier best suits your organization. 

Setting aside the type of organization you have, your choice may in fact come down to timing. Depending on when your compliance journey begins, you may only be able to select one tier over the other, for a variety of reasons. 

Below you will find the three (3) HITRUST assessments: 

1. HITRUST Essentials, 1-Year (e1) Validated Assessment + Certification

The e1 Validated Assessment focuses on the most important cybersecurity controls and is a great starting point for organizations in their infancy of implementing security controls. Its purpose is to demonstrate that critical cybersecurity hygiene is in effect. This assessment is efficient and meant for lower-risk organizations. 

Main focus:

  • Basics of Foundational Cybersecurity Practices

Unique attributes of the HITRUST e1 Assessment:


Level of assurance:

  • Low, entry-level

Level of effort: 

  • Low

Supporting assessment(s) at this tier:

  • The Readiness Assessment is its sole supporting assessment

2. HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification 

The i1 Validated Assessment imparts reliable assurances against cyber threats, helping to establish a sturdy and broad information security program. 

Main focus:

  • Ensures an organization is exercising Leading Security Practices using specific controls 

Unique attributes of the HITRUST i1 Assessment:


Level of assurance:

  • Moderate, mid-range level

Level of effort: 

  • Medium

Supporting assessment(s) at this tier:

  • A Readiness Assessment and a Rapid Recertification Assessment 

3. HITRUST Risk-Based, 2-Year (r2) Validated Assessment + Certification 

The r2 Validated Assessment conducts the most in-depth review. Offering an adaptable, risk-based control selection, it meets the demands of organizations that deal with sensitive information, or who may be facing regulatory requirements challenges.

Main focus:

  • Utilizes an Expanded Practices approach to cybersecurity and compliance evaluation

Unique attributes of the HITRUST r2 Assessment:


Level of assurance:

  • Highest standard

Level of effort: 

  • Great

Supporting assessment(s) at this tier:

  • A Readiness Assessment, an Interim Assessment, a Bridge Assessment, and a NIST Cybersecurity Framework Report 

Not sure which assessment is right for you? No problem! Take this short quiz to get started on the right track

What are HITRUST’s authoritative sources?

As an organization that may embark on getting HITRUST CSF certified, it’s helpful to know exactly how sophisticated the HITRUST Common Security Framework is. (We can assure you, it’s highly refined!) 

Below you’ll find a list of several of HITRUST’s authoritative sources, functioning under the CSF as a unified collective. You can find the exhaustive list of authoritative sources in the Introduction to HITRUST CSF document on the HISTRUST website. 

The Common Security Framework (its most up-to-date version being v11.0.0) integrates multiple security and privacy-related standards, regulations, and frameworks as authoritative sources. The HITRUST CSF integrates this diverse set of sources, collecting and interlinking key objectives under one framework, and addressing all areas of data protection. 

worker researching hitrust csf requirements

HITRUST integrations:

  • CIS CSC – Center for Internet Security Critical Security Controls v7.1: Critical Security Controls for Effective Cyber Defense [CIS Controls v7.1]
  • GDPR – General Data Protection Regulation: European Union [EU GDPR]
  • HITRUST – Health Information Trust Alliance De-Identification (De-ID) Framework: De-identification Controls Assessment (DCA) [HITRUST De-ID Framework v1]
  • HIPAA – Federal Register 45 CFR Part 164, Subpart C: HIPAA Administrative Simplification: Security Standards for the Protection of Electronic Protected Health Information (Security Rule) [45 CFR HIPAA.SR]
  • HIPAA – Federal Register 45 CFR Part 164, Subpart D: HIPAA Administrative Simplification: Notification in the Case of Breach of Unsecured Protected Health Information (Breach Notification Rule) [45 CFR HIPAA.BN]
  • HIPAA – Federal Register 45 CFR Part 164, Subpart E: HIPAA Administrative Simplification: Privacy of Individually Identifiable Health Information (Privacy Rule) [45 CFR HIPAA.PR]
  • IRS Publication 1075 v2016: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for protecting Federal Tax Returns and Return Information [IRS Pub 1075 (2016)]
  • ISO/IEC 27001:2013: Information Technology – Security Techniques – Information Security Management Systems – Requirements [ISO/IEC 27001:2013]
  • ISO/IEC 27002:2013: Information Technology Security Techniques Code of Practice for Information Security Controls [ISO/IEC 27002:2013]
  • ISO/IEC 27799:2016: Health Informatics – Information Security Management in Health using ISO/IEC 27002 [ISO/IEC 27799:2016]
  • ISO/IEC 29100:2011: Information Technology – Security Techniques – Privacy Framework [ISO/IEC 29100:2011]
  • NIST Framework for Improving Critical Infrastructure Cybersecurity v1.1 [NIST Cybersecurity Framework v1.1]
  • NIST Special Publication 800-53 Revision 4 (Final), including Appendix J – Privacy Control Catalog: Security Controls for Federal Information Systems and Organizations [NIST SP 800-53 R4]
  • NIST Special Publication 800-53 Revision 5 Security and Privacy Controls for Information Systems and Organizations [NIST SP 800-53 R5]
  • NIST Special Publication 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations [NIST SP 800-171 R2]
  • OCR – Office of Civil Rights Audit Protocol April 2016 – HIPAA Security Rule [OCR Audit Protocol (2016)]

How does the HITRUST CSF factor into the HITRUST Approach?

The HITRUST Approach leverages superior components to create a complete information risk management and compliance program. 

The HITRUST CSF is one of these critical components that make up such an effective data protection program. HITRUST’s integrated approach guarantees that each component is aligned, maintained, and thorough. Even once the framework has been implemented, this approach continues to support an organization’s information risk management and compliance program. 

The HITRUST Approach integrates the following: 

  • HITRUST CSF — a robust privacy and security controls framework
  • HITRUST Assurance Program — a scalable and transparent means to provide reliable assurances to internal and external stakeholders
  • HITRUST MyCSF — an assessment and corrective action plan management SaaS platform
  • HITRUST Threat Catalogue — a list of reasonably anticipated threats mapped to specific CSF controls
  • HITRUST Assessment XChange — an automated means of obtaining third-party assurances between organizations
  • HITRUST Shared Responsibility Program — a matrix of CSF requirements identifying service provider and customer control sharing responsibilities
  • HITRUST Third-Party Assurance Program — a third-party risk management process

Is getting HITRUST certified the right move for you?

When you achieve HITRUST certification, you move your organization into the final frontier and gold standard of digital environmental security data protection. Some might even say HITRUST CSF certification is the holy grail of compliance and risk management. Needless to say, missing out on these benefits may mean having to cope with unforeseen consequences down the road. 

If you have high hopes for the future of your business, sound information security is surely a priority for you. Partner with us and we can help get your organization where it needs to be. 

We look forward to helping you along your path to HITRUST compliance!

Share this post with your network: