Compliance competency: What is HITRUST?


Being compliant is a major priority across any organization that makes heavy use of private data in order to optimize business function. Regulatory compliance is one of the many cornerstones of a reliable business, and safeguarding sensitive information should never be undervalued. So how can a company achieve this?

Enter — The HITRUST Common Security Framework. 

But what is HITRUST, exactly? The acronym stands for the Health Information Trust Alliance, a non-profit company founded in 2007. HITRUST helps organizations manage digital information risk and protect their sensitive data. Organizations can become compliant through HITRUST CSF Validation and by following data protection standards outlined by the HITRUST CSF.   

HITRUST CSF is a globally utilized and recognized framework, having expanded its reach considerably since its inception sixteen (16) years ago. The company has branched out from its sole focus in the healthcare industry, with countless other industries now adopting its methods. The HITRUST CSF assurance programs and frameworks are relevant to international organizations of all sizes.

In this article, we’ll discuss a few key elements of the HITRUST CSF and highlight many of the important factors you should know about.  


The HITRUST CSF (Common Security Framework) was developed to manage security risks objectively and measurably. It originally lent itself specifically to healthcare information, but has since grown to include many other types of sensitive data across a variety of industries. 

HITRUST CSF validation allows any organization, regardless of size, to prove that its systems meet the framework’s standards. All tiers of HITRUST validation call for multiple levels of assessment before a completed report is issued, which ultimately helps companies improve their security posture and allows for greater stakeholder confidence.

The latest version of the HITRUST CSF unifies many other authoritative, pre-existing security regulations and frameworks—such as NIST, GDPR, HIPAA, ISO 27001, and more. Think of the HITRUST CSF as an all-encompassing compliance package. With its risk-based approach, it helps organizations manage security challenges by implementing robust security and privacy controls.  

HITRUST vs. HIPAA: What are the differences?

HITRUST is a comparatively newer compliance solution that has incorporated, and enhanced, many of the existing HIPAA (Health Insurance Portability and Accountability Act) guidelines and regulations. Though both HITRUST and HIPAA compliance are linked to healthcare, they are far from being identical.  

HITRUST CSF is a framework that helps mitigate risk for an organization, developed by professionals in the security industry. HIPAA-mandated security controls, on the other hand, represent a full-fledged law built specifically to protect PHI (Protected Health Information). Thus, while HITRUST CSF can be implemented by any industry, HIPAA is PHI-specific. 


HITRUST CSF validation must also involve an approved External Assessor, a firm that has been authorized by HITRUST to certify that the framework is being followed.

On the other hand, HIPAA compliance is determined through internal or external reviews. Organizations that are not compliant run the risk of incurring a financial penalty if they are found in breach of certain regulatory requirements. Unlike HIPAA, HITRUST does not impose financial penalties, but it can withdraw its certification, which may dent an organization’s trustworthiness among consumers.



HITRUST CSF scoring follows a mathematical calculation that transposes a raw score onto PRISMA-based maturity levels. For each requirement statement, the assessment asks:

  • Is a policy or standard in place?
  • Is there a process or procedure to support the policy?
  • Has it been implemented?
  • Is it being measured and tested by management to ensure it is operating?
  • Are the measured results being managed to ensure corrective actions are taken as needed?

For each maturity level, the organization indicates its level of compliance using one of five options:

  1. Non-compliant (0%)
  2. Somewhat compliant (25%)
  3. Partially compliant (50%)
  4. Mostly compliant (75%)
  5. Fully compliant (100%)

These statement scores are then averaged across a domain, with the ideal score being 100% on Policy, Process, and Implementation. Such a score gives the organization the best chance of becoming HITRUST certified. While obtaining a high score is important, it is just as important to maintain that score over time, as security and policy needs shift at both the organizational and the industry level.

HITRUST vs. SOC 2: What sets them apart?

HITRUST CSF was originally introduced as a risk-solver for the healthcare industry, focusing on health record and ePHI (electronic protected health information) security. It has since evolved, now catering to a much wider range of industries. The intention behind SOC 2, on the other hand, is to help software companies and vendors exhibit their customer data protection via their security controls.

While both SOC 2 and HITRUST CSF tackle cybersecurity issues in cloud-based systems, their scopes are different in many ways. For starters, HITRUST is a risk-based framework, whereas SOC 2 is a compliance-based framework. The former assesses security controls based on a company’s maturity rating, whereas the latter tests security controls for overall efficacy. 

HITRUST and SOC 2 also have differing certification expirations. HITRUST has different certification tiers with different expirations — e1 (Essentials) and i1 (Implemented) expire in 1 year, whereas r2 (Risk-based) expires in 2 years. On the other hand, SOC 2 operates on an annual basis, requiring re-examination every 12 months.  

Who needs a HITRUST CSF Validation with Certification?

HITRUST CSF Validation can benefit just about any sector. Although originally formed with a focus on the healthcare industry, its security controls framework can be implemented across a variety of verticals.

While the HITRUST CSF Validation process is not technically mandated by law for any one industry, health insurance payers over the last decade have required their vendors to become HITRUST CSF Validated. As a result of this motion, HITRUST CSF Validation with Certification has become standardized in the healthcare industry.


Adhering to HITRUST requirements can benefit all organizations, as it establishes premium security standards for a company’s data and systems while putting key stakeholders at ease.

What are the HITRUST CSF control categories?

There are 14 HITRUST CSF control categories with 49 objectives and 156 control references (135 for security and 21 for privacy). Each category has a designated objective (desired result) and multiple specifications (policies, guidelines, practices, etc.).

There are up to three levels of implementation for control requirements and there are over 1,900 requirement statements within the HITRUST CSF. However, based on risk and regulatory requirements, only a subset of the total list will be in scope for your organization.  

Note: This list of controls is not in order of importance, as all controls are considered equally important. 

  1. Information Security Management Program
  2. Access Control
  3. Human Resources Security
  4. Risk Management
  5. Security Policy
  6. Organization of Information Security
  7. Compliance
  8. Asset Management
  9. Physical and Environmental Security
  10. Communications and Operations Management
  11. Information Systems Acquisition, Development, and Maintenance
  12. Information Security Incident Management
  13. Business Continuity Management
  14. Privacy Practices

Each of the above HITRUST CSF controls is assessed across the following five maturity areas:

  • Policy
  • Procedure
  • Implemented
  • Measured
  • Managed

How many assessment domains are in HITRUST?

The HITRUST CSF has 19 assessment domains of information security. These domains make it easier for teams to isolate concerns around data protection. Each domain’s score is the average of the scores of its requirement statements, and those domain scores determine whether or not certification is granted.

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Protection
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging & Monitoring
  13. Education, Training & Awareness
  14. Third-Party Security
  15. Incident Management
  16. Business Continuity & Disaster Recovery
  17. Risk Management
  18. Physical & Environmental Security
  19. Data Protection & Privacy

How long is HITRUST CSF Validation valid?

HITRUST Validated Reports with Certification retain their relevance based on the type of assessment — e1 and i1 are valid for 1 year, and r2 is valid for 2 years.

Over this time frame, if an interim review is conducted, there must be no breaches of the scoped controls since the initial HITRUST assessment. 

What is the HITRUST CSF Validation with Certification cost? 

HITRUST certification is known for being rather expensive, given its depth and complexity. Costs can vary greatly from company to company, depending on the size and scale of your organization. 

The range can be from $36,000 – $200,000, and costs reach the higher end of the scale when a third-party auditor is involved. Conducting a readiness assessment without an External Assessor will trim down your fees; however, the level of security assurance will also decrease, so it’s highly recommended that you work with an Approved External Assessor when embarking on your HITRUST journey. It’s important to conduct a thorough assessment of your own needs and not rush to save costs when it comes to protecting sensitive data.

That being said, if the HITRUST Validated Assessment and certification feel too pricey, any organization can still download the HITRUST CSF for free. So if you decide that the full HITRUST package exceeds your budget, not to worry: this framework PDF can still help you fulfill many important security goals. However, keep in mind that the free version may not give you the same specific requirement statements, so while it can provide guidance, you’ll still need to do more work to become HITRUST CSF Validated.

How can my organization become HITRUST CSF validated through certification?

As previously mentioned, if you’d like to become fully HITRUST CSF Validated, an independent assessment will be performed by a HITRUST-approved External Assessor. The time it takes to complete the HITRUST certification process can take six (6) to twelve (12) months, depending on the nature of your organization. 


Here is a breakdown of how to obtain HITRUST certification. These steps may help you feel more prepared for your assessment and understand what’s involved in the certification process. If these steps seem a little daunting, however, we would be happy to walk you through your assessment process.

1. Download the HITRUST CSF Framework (v11)

The simplest, most straightforward of all the steps!

2. Perform a readiness assessment 

Through the HITRUST MyCSF platform, conduct one of the following: a HITRUST Risk-based 2-year Readiness Assessment (r2), a HITRUST Implemented 1-Year Readiness Assessment (i1), or a HITRUST Essentials 1-year (e1) Readiness Assessment. This step allows your company to self-assess under the HITRUST CSF Assurance Program, and from here you’ll learn which controls and requirements need implementation.

3. Get an external assessor

You’ll need to select a HITRUST Alliance licensed third-party auditor. The information gathered from your self-assessment, in combination with your security processes and controls, will be thoroughly reviewed by your assessor based on the tier you are seeking (e1, i1, or r2). Once you have mitigated the issues and closed the gaps in your security, you move directly into the HITRUST Validated Assessment.

4. Get validated

Your assessor’s assessment will be reviewed by the HITRUST Assurance Team.

5. Receive your HITRUST letter of certification

If you pass the final review by the HITRUST Assurance Team, you will be issued your validated report and, provided certain criteria are met, your certification.

The importance of HITRUST CSF compliance

Getting compliant is a key step in ensuring a viable, long-lasting business. And HITRUST is a surefire way to get you there. No company wants to be subjected to a cyberattack or security threat, so protecting your digital information and technology is critical. 

With the pace of technology rapidly evolving and new threats arising every day, it’s important to make sure your systems are up to date and ready for the new challenges of the day. Keeping sensitive data and secure information shielded from harm is paramount. Planning for data breaches will prevent your company from becoming vulnerable. 

HITRUST compliance helps organizations with internal and external risk management while keeping on top of new regulations, and ensuring that a high standard of data security is met. HITRUST protects sensitive information, reduces risk, and is always in step with the latest in cybersecurity best practices. 

Being certified also demonstrates that your organization prioritizes digital security and privacy, which builds trust inside and out. HITRUST’s streamlined framework helps simplify compliance for your business, both now and in the future. 
