With the healthcare sector alone accounting for 79% of reported breaches, organizations can never be too careful when it comes to managing sensitive healthcare data. HITRUST CSF Certification is an advanced system of controls created to address the demands for data security in healthcare.
However, HITRUST is a high bar to achieve, especially when pursuing the most rigorous version, the HITRUST r2 distinction. Obtaining HITRUST certification is costly both in terms of hard dollars spent as well as soft costs incurred due to the internal disruption.
In this blog we'll give an overview of all the costs involved in HITRUST certification and what type of investment you can expect.
Why HITRUST Certification?
There are three main benefits of HITRUST Certification: HITRUST protects your business, HITRUST simplifies compliance management, and HITRUST is your competitive advantage, helping you reach more customers and opportunities.
HITRUST protects your business
The HITRUST common security framework, or CSF, is an advanced set of controls that address how you store, process and transmit protected health information (PHI). The framework encompasses multiple regulatory frameworks and ensures that the most stringent data security policies have been met. Achieving HITRUST benchmarks means that your information security program is of the highest calibur.
HITRUST simplifies compliance management
HITRUST is a comprehensive tool that allows organizations to more easily attest to multiple compliance requirements simultaneously. "Assess once, report many" is what HITRUST likes to say. It also makes managing evolving regulations, such as HIPAA requirements, easier and allows companies to more efficiently stay up to date with the changes.
HITRUST is your competitive advantage
From a business standpoint, HITRUST certification allows you to differentiate yourself. If your business is certified and your competitors are not, you will beat them out nearly every time. It also provides ease during third-party security approval processes and can accelerate your sales cycles by making the CISO your ally instead of your skeptic.
In addition, many payers and providers require HITRUST certification of their vendors, making HITRUST crucial for any business associate looking to service the more prominent health systems in the space.
What is the Cost of HITRUST Certification?
The total price is anywhere from $70K - $160K. This depends on your organization's risk profile, which will be determined by your assessor through a readiness assessment at the beginning of the process. Your risk profile determines how many controls will be in your assessment which can be anywhere from 213 to more than $1,200.
What is Included in the Cost of HITRUST?
The cost of HITRUST certification includes direct costs, such as:Fees to your HITRUST Assessor for:
- Readiness Assessment
- Validation Testing
- Optional - Consulting costs to assist with:
- Corrective Actions (primarily covering Policy, Procedures, and Implementation)
- Validation Object
- MyCSF (corporate level) access
It’s also worth considering the indirect costs to your organization, which is equal to the productivity that is lost when employees focus on HITRUST instead of their day-to-day jobs. But more on that later.
The Cost of HITRUST Certification: Cost Breakdown
On the low end, for a small company with a lower-risk profile, the fee to The HITRUST Alliance will be $30K and the fee to the assessor will be around $40-60K. On the high end, for larger organizations with a higher risk profile, this will be much higher with the fee to the assessor being as much as $100K. The total for direct costs range from about $70K to more than $160K.
✔️ How much will HITRUST cost your organization? Try the HITRUST Cost Calculator estimation tool here.
How Long Does it Take to Get HITRUST Certified?
It can take anywhere from 7 to 18 months to get HITRUST Certified, depending on your organization’s size, complexity, and motivation to see the project to completion. See the typical time breakdown as follows:
- Phase 1, Readiness Assessment and Gap Analysis: 4-8 weeks
- Phase 2, Corrective Actions: 4-12 weeks
- Phase 3, Validated Assessment: 4-9 months
- Phase 4, HITRUST Accreditation Process: 1-3 months
Remember that you have to get reassessed every 2 years, with a mini reassessment in interim years. But nothing will be as difficult as the first time.
How Much Does HITRUST Certification Cost?
The cost of HITRUST Certification ranges from $70K to $160K, depending on your organization's risk profile. Keep in mind, you have to get recertified every 2 years, with a mini-assessment scheduled each intervening year.
How Do You Reduce the Cost of HITRUST?
While there's no way to reduce the fee to HITRUST itself for licensing the solution, there are ways to alleviate resource constraints in other areas. By partnering with the right HITRUST partners you can accelerate the process, save time, and reduce the internal disruption as well as reduce the fee to the assessor firm.
Here are three ways to reduce the time and cost of HITRUST:
- 1. Use public cloud services: The major cloud service providers like Amazon, Microsoft, and Google all offer HITRUST Certified services and inheritable HITRUST controls. You can inherit attestation and partial attestation to hundreds of HITRUST controls that your service provider has already met just by using those services, which reduces time and work needed to achieve HITRUST.
- 2. Work with a managed cloud service provider: You can accelerate the process further when you work with a Certified HITRUST Inheritance Provider. These providers offer inheritable controls on top of the ones already offered by your cloud service provider. See a list of certified providers here.
- 3. Work with an assessor firm that charges per control: Some HITRUST assessor firms charge a flat rate, while others charge on a per control basis. Choosing an assessor firm that charges per control can help organizations reduce the cost of HITRUST certification when they're inheriting from their cloud providers because they don't have to pay for those controls. (Tip: we recommend A-lign.)
Read the blog: Choosing a HITRUST Assessor - 7 Things to Look For.
Reduce the Cost and Time of HITRUST with Cloudticity
The Cloudticity Oxygen™ platform, our proprietary managed cloud solution, allows you to inherit or partially inherit 357 HITRUST CSF controls. This accelerates the path to HITRUST by 25-62% depending on your risk profile.
In addition, when you work with HITRUST assessor firm partner A-lign you can reduce your assessor fee by 30-60% when you're inheriting from Cloudticity.
To learn more about how the Cloudticity HITRUST Inheritance Program download the white paper. Or schedule a free consultation to learn more today.