Healthcare organizations remain prime targets for cyberattacks. According to the HIPAA Journal, there were 725 large security breaches in healthcare reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in 2023—a new record. Given the rising number of attacks, healthcare providers, payers, and other businesses must do everything in their power to strengthen their security posture and protect sensitive healthcare data.
Achieving HITRUST Common Security Framework (CSF) certification can help organizations fortify their defenses. The HITRUST framework is an advanced system of controls that addresses the rigorous demands for data security in healthcare.
Of course, HITRUST certification is a high bar to achieve—especially when pursuing the most rigorous version, the HITRUST r2 distinction. Obtaining HITRUST certification can also be costly both in terms of hard dollars spent as well as soft costs incurred due to internal disruptions.
What are all the costs involved with HITRUST certification? What type of investment should we expect? Once you understand direct and indirect costs, you can explore ways to accelerate the timeline for certification and reduce expenditures.
Why HITRUST Certification?
There are three main benefits of HITRUST Certification: HITRUST protects your business, simplifies compliance management, and provides a competitive advantage, helping you reach more customers and seize more opportunities.
HITRUST protects your business
The HITRUST CSF defines an advanced set of security controls that address how you store, process, and transmit protected health information (PHI). The CSF encompasses multiple regulatory frameworks and ensures that the most stringent data security policies have been met. Achieving HITRUST benchmarks means that your information security program is of the highest caliber.
HITRUST simplifies compliance management
HITRUST allows organizations to attest to multiple compliance requirements simultaneously. “Assess once, report many” is what HITRUST likes to say. HITRUST also makes managing evolving regulations, such as HIPAA requirements, easier. It allows companies to more efficiently stay up to date with the changes.
HITRUST provides competitive advantage
From a business standpoint, HITRUST certification allows you to differentiate yourself from your competitors. If your business is certified and your competitors are not, you will have greater success landing contracts with organizations that demand rigorous security. HITRUST also streamlines third-party security approval processes and can accelerate your sales cycles by making the CISO your ally instead of your skeptic.
Though HITRUST certification is not mandatory, many payers and providers now require HITRUST certification of their vendors. HITRUST is crucial for any business looking to serve more prominent health systems in the marketplace.
What Is the Cost of HITRUST Certification?
The total cost can be anywhere from $70K–$160K. The total largely depends on your organization’s risk profile, which will be determined by your assessor through a readiness assessment at the beginning of the process. Your risk profile and your choice of certification determine how many security controls will be in your assessment. You might need hundreds of controls.
Costs can also vary according to the assessment and certification option you choose. HITRUST offers three options:
- HITRUST Essentials 1-year (e1) Assessment: An entry-level validated assessment and certification.
- HITRUST Implemented, 1-year (i1) Assessment: An assessment that provides a moderate level of assurance that organizations have adequately addressed cybersecurity threats.
- HITRUST Risk-based, 2-year (r2) Assessment: The most rigorous assessment, with the most comprehensive set of control requirements. An interim assessment must be conducted every other year.
What Is Included in the Cost of HITRUST?
HITRUST certification has multiple direct costs, including:
- Fees to your HITRUST assessor for:
  - Readiness assessment
  - Validation testing
- Fees to HITRUST for:
  - Validation object
  - MyCSF (corporate level) access
MyCSF is an app offered by HITRUST that enables you to assess, manage, and report information risk and compliance. MyCSF is available on a subscription basis.
If you decide to work with your HITRUST assessor to implement corrective actions to policy, procedures, and implementation, you will also have direct costs for that consulting work.
In addition, you will likely have indirect costs. When estimating your total likely expenditures, take into account the cost of lost productivity when your employees focus on HITRUST instead of their day-to-day jobs.
The Cost of HITRUST Certification: Cost Breakdown
On the low end, for a small company with a lower-risk profile, the fee to HITRUST will be $30K. The fee to the assessor will be around $40K–$60K. On the high end, for larger organizations with a higher risk profile, these fees will be much higher. The fee to the assessor could begin around $100K.
The total for direct costs ranges from about $70K to more than $160K.
Try the HITRUST Cost Calculator tool for a free cost estimate.
How Long Does It Take to Get HITRUST Certified?
The HITRUST certification process can take anywhere from 7 to 18 months. The length of time will depend on the certification and assessment option you choose, as well as your organization’s size, complexity, and motivation to see the project to completion.
The typical time breakdown for the HITRUST risk-based, 2-year (r2) assessment would be:
- Phase 1: Readiness assessment and gap analysis: 4–8 weeks
- Phase 2: Corrective actions: 4–12 weeks
- Phase 3: Validated assessment: 4–9 months
- Phase 4: HITRUST accreditation process: 1–3 months
Remember that for the r2 assessment, you need to be fully reassessed every two years, with a mini reassessment in interim years. The first assessment will require the most time and will likely incur the greatest costs.
How Do You Reduce the Cost of HITRUST?
While there’s no way to reduce the licensing fee to the HITRUST organization, there are ways to alleviate resource constraints in other areas. Partnering with the right HITRUST service providers can help you accelerate the assessment process, saving time, reducing internal disruption, and reducing the fee to the assessor firm.
Here are three ways to reduce the time and costs of HITRUST certification:
- Use public cloud services: The major cloud service providers—such as AWS, Azure, and Google Cloud—all offer HITRUST-certified services and inheritable HITRUST controls. You can inherit attestation and partial attestation to hundreds of HITRUST controls just by using those services. Inheriting security controls can significantly reduce the time and work needed to achieve HITRUST certification.
- Work with a HITRUST inheritance partner: You can accelerate the process further when you work with a Certified HITRUST Inheritance Provider. These providers offer inheritable controls on top of the ones already offered by your cloud service provider. See a list of certified providers here.
- Work with an assessor firm that charges per control: Some HITRUST assessor firms charge a flat rate, while others charge on a per-control basis. Choosing an assessor firm that charges per control can help you reduce the cost of HITRUST certification when you’re inheriting controls from cloud providers because you don’t have to pay for those controls. (Tip: We recommend BEYOND HC LLC.)
Read the blog: Choosing a HITRUST Assessor – 7 Things to Look For.
Reduce the Cost and Time of HITRUST with Cloudticity
Cloudticity offers managed cloud security services that allow you to inherit or partially inherit hundreds of HITRUST CSF controls. Working with Cloudticity streamlines the path to HITRUST certification, accelerating the process by 25–62% depending on your risk profile.
In addition, when you work with HITRUST assessor firm partner BEYOND HC LLC you can reduce your assessor fee by 30–60% when you’re inheriting controls from Cloudticity.
Start Planning Your HITRUST Certification
HITRUST certification is a highly recommended means of strengthening your security posture while demonstrating compliance with healthcare regulations. But the costs of pursuing certification can be high. As you move forward toward HITRUST certification, first be sure to plan for all potential costs. Then consider adopting a few key strategies that enable you to reduce those expenses and accelerate your journey to certification.
To learn more about the Cloudticity HITRUST Inheritance Program, download the white paper. Or schedule a free consultation today to learn how we can help alleviate costs.