HITRUST Certification Requirements

Securing the Protected Health Information (PHI) of patients is vital to preserving the trust that exists between healthcare providers and the people they care for. The protection of this information is regulated by the Health Insurance Portability and Accountability Act, or HIPAA, signed into law in 1996.

Healthcare providers, payers and business associates who manage sensitive data often want to go beyond HIPAA requirements to ensure they are exercising the greatest care possible regarding this data.

This is where HITRUST comes in. HITRUST stands for Health Information Trust Alliance. It’s a set of certifications that healthcare organizations can earn. These ensure they are following the absolute best practices when it comes to risk management as it pertains to information security.

Understanding a little more about what’s required to achieve HITRUST certification; and how it can benefit most organizations is beneficial when deciding whether or not to undertake this endeavor. While becoming fully compliant will take time and other resources, it’s usually well worth it for all nonprofit organizations or businesses within the healthcare sector.

What is the HITRUST Common Security Framework (CSF)?

The HITRUST Alliance determined that the best way for organizations to achieve a high level of security standards and demonstrate compliance with various regulatory factors was to create a globally adopted data protection framework. This structure is termed the “Common Security Framework.”

The HITRUST CSF framework includes many factors that are geared towards achieving best practices in handling patient data. Its risk-based approach covers many different arenas in which information is transmitted and stored. Here are the 19 subject areas that are part of the CSF framework:

1. 1. Information Protection: processes and systems that protect protected health information.
2. 2. Endpoint Protection: protection from viruses and malware. It includes firewalls, detection, and patches.
3. 3. Portable Media Security: how the organization deals with forms of portable media like removable drives or flash storage devices.
4. 4. Mobile Device Security: smartphones and laptops are highly portable and if improperly configured, can present a huge risk.
5. 5. Wireless Security: while WiFi connectivity makes workplaces more efficient, it also raises the threat level. Proper protection of wireless networks is a must.
6. 6. Configuration Management: ensuring that configurations are consistently audited is a large part of domain control.
7. 7. Vulnerability Management: ensuring the installation and maintenance of virus and malware mitigation measures. 
8. 8. Network Protection: DDoS attacks are on the rise. Detecting and stopping these and other instructions is essential.
9. 9. Transmission Protection: ensuring the security of internal messaging, emails, and other forms of file transmission.
10. 10. Password Management: requirement for robust password requirements, and hashing of stored passwords.
11. 11. Access Control: encouraging the use of other access control methods like biometrics, two-factor authorization, and more.
12. 12. Audit Logging and Monitoring: logging is at the core of HIPAA compliances and overall best practices. Ensuring complete logging is crucial.
13. 13. Education, Training, and Awareness: when employees understand how to identify threats and mitigate risk with their own actions, the overall security posture is raised.
14. 14. Third-Party Assurance: while third-party vendors provide a level of scalability and efficiency, they also raise the risk profile. It’s essential to verify security compliance with all business associates.
15. 15. Incident Management: Monitoring for incidents and quickly responding to them ensures damage is minimized.
16. 16. Business Continuity and Disaster Recovery: continuity is a huge part of HIPAA compliance. Having a plan and testing the plan is a best practice.
17. 17. Risk Management: the cybersecurity threat matrix is highly dynamic. Risk management requires constant assessment and analysis.
18. 18. Physical and Environmental Security: it can be easy to forget that cybersecurity has a physical component as well. This includes document destruction and access control.
19. 19. Data Protection and Privacy: whether it’s HIPAA or the General Data Protection Regulation in the EU (GDPR), compliance is key because mishandling information comes with steep financial or criminal penalties.

Within each one of these rubrics are multiple control objectives. The CSF Certification will take a look at all of these objectives and determine their implementation levels. We’ll cover the exact scoring process later in this article.

Levels of HITRUST Certification

There are three different tiers of certifications available from the HITRUST organization. These range from a basic level to an extremely thorough validation. Let’s explore the levels of certification that HITRUST offers.

Basic Current State Assessment (bC)

For organizations that simply want a cursory look at their security framework, taking the bC self-assessment is a good first step. This is not an actual certification, per se. It simply validates any major holes in certification.

This is considered a quick and low effort to offer assurance to third parties that an organization deals with. It can also be a great way to ensure business associate compliance for the purposes of HIPAA.

Validation is evaluated with the HITRUST Assurance Intelligence Engine. It combs through all supporting documentation for any errors or oversights. It doesn’t require validation from any outside organizations, saving thousands in fees. While the effort and cost are low, it’s still a fairly thorough self-assessment, looking at thousands of various data points. 

It’s recommended for:

• A quick, easy self-assessment before the more in-depth levels of full assessment using HITRUST
• Responding to requests from third-party business associates
• Performing due diligence during mergers and acquisition activities

HITRUST Implemented, 1-year (i1) Validated Assessment and Certification

This is the newest certification available from the HITRUST Alliance. It was created with the core belief that security threats are constantly evolving. For this reason, the controls it requires adapt over time to ensure that healthcare vendors, for instance, who routinely deal in protected health information, are addressing the most current significant issues surrounding information security.

The certification is valid for one year, and requires a moderate level of effort and expense. There are 219 static requirements that need to be met as part of the HITRUST assessment process. These are based on a host of different regulatory requirements from two administrative bodies:

• HIPAA Security Rules
• NIST SP-800-171

HITRUST Risk-based, 2-Year (r2) Validated Assessment and Certification

For companies within the healthcare industry that deal in high amounts of sensitive information, and for whom security is a major concern, this is the formal certification they’ll want to consider. While the certification process is longer and more expensive, the peace of mind is well worth the investment.

The r2 certification has well in excess of 2000 different requirements. These are based on multiple regulations contained in the following agencies:

• NIST SP 800-171
• HIPAA Security Rule
• FedRAMP
• GDPR
• AICPA
• Many others

The r2 certification is good for two years. It’s viewed as the absolute highest level of assurance that a business or non-profit organization has met all implementation requirements to mitigate information risk.

What is the Process to Obtain HITRUST Certification?

Whether a company is seeking bC, i1, or r2 compliance validation, they’ll want to start with a readiness assessment process. For all implementation levels, they’ll want to start by gathering documents and reviewing exactly what sensitive information is part of their workflow. The more effort that’s spent on getting organized, the easier the process will be. The typical duration of this process is roughly eight weeks.

In this initial phase, the HITRUST MyCSF assessment tool will help to identify gaps in an organization’s security controls. It then provides documentation on the nature and location of any potential security breaches.

The next phase is to take the information in the initial stage and remediate the identified gaps. This is a fairly lengthy and involved process, potentially taking up to a half year or more. The specific timing depends on the depth of the security issues and gaps. 

After remediation is completed, organizations will embark on a validated assessment process. This involves using a certified, qualified outside organization to perform the assessment and validation. We’ll discuss finding an organization a little later in this article. 

The fully validated assessment involves interviews by the HITRUST Assessors of the IT team and other employees and leaders, performing penetration testing, and thorough investigation of any other vulnerabilities.

HITRUST Assessor Scoring:

There are five areas that are scored by the security assessors. These different areas are assigned different weights to form the overall score. Let’s look at each of the score rubrics:

• Policy: Do the policies cover all elements of information security? Are these policies effectively communicated with all key personnel?
• Procedures: Are employees adequately trained and informed on procedures?
• Implemented: Are the policies and procedures actually implemented?
• Measured: are routine audits being carried out to ensure implementation?
• Managed: Are corrective actions being taken when appropriate?

Each of these rubrics is then assigned a score, based on compliance with industry-standard security practices. The scoring levels are:

• Fully compliant
• Mostly compliant
• Partially compliant
• Somewhat compliant
• Noncompliant

Once the scores are tabulated, all of the data from the security testing process is sent to the HITRUST Alliance for approval. The decision to approve or deny HITRUST Certification is left to the alliance itself, not the assessor. 

After submission, the application is reviewed for one to two months. HITRUST will then issue its quality assurance review.

What is a CSF Validated External Assessor?

One of the central aspects of the integrity of the HITRUST assessment is the fact that a third party performs the assessment. This ensures that the assessment is made without any biases and can be relied on by others.

HITRUST External assessors are companies that specialize in risk management and security assessment. They need to go through a detailed and thorough approval process carried about by the HITRUST alliance.

The process for becoming approved involves the following steps:

• A letter of intent to perform assessment and HITRUST certification
• A written agreement that all HITRUST Policies and procedures will be followed
• Documentation of all policies that govern integrity and ethics
• List of individuals who will be seeking HITRUST assessment training.

Since the HITRUST certification process can be complex, there are a couple of different types of individuals who will interact with them during the assessment.

The Certified HITRUST Practitioner (CCSFP): 

These individuals help organizations gather what they need, organize information, and make sure they are following the steps in the correct order. HITRUST offers training and certification to perform this task.

While many of these individuals are found outside an organization, they can come from within as well. Since they are not performing the assessment themselves, and are simply ensuring that the process is moving smoothly, there’s no chance for bias.

The Certified HITRUST Quality Professional (CHQP)

The CHQP performs a quality assurance review of submitted documents. They track the financial transaction and act as an overall project coordinator for the assessment. For this reason, they are always external and usually work directly for the Assessor firm. They are certified by HITRUST for two years at a time.

How Much Does HITRUST CSF Certification Cost?

There are a few different factors that go into determining the cost of HITRUST CSF Certification. First off, there is a fee that will need to be paid to your external assessor. Then, there is a fee paid to the HITRUST Alliance itself for the cost of the validated assessments.

The cost to achieve certification can range from about $50,000 to over $200,000, depending on the type of certification an organization seeks.

Want to find out how much HITRUST might cost for your organization? Try our free HITRUST Cost Calculator tool for a free estimate.

The elements of HITRUST certification are squarely aligned with those of HIPAA, but they aren’t the same thing. The regulatory requirements of HIPAA are most certainly incorporated into the HITRUST CSF. However, it’s important to remember that gaining HITRUST certification doesn’t automatically mean that you are in HIPAA compliance. 

What covered entities find is that by taking steps to earn HITRUST certification, they’ll be well on their way to being in complete compliance with HIPAA requirements. HITRUST certification means they are following industry standard best practices that meet or exceed what’s required for HIPAA.

One important thing of note is that not everything in HIPAA is related to information security. HITRUST assessments, on the other hand, focus entirely on security controls.

So, while HITRUST certification means that an organization might completely comply with healthcare industry regulations from a security standpoint, there may be other unrelated issues they have failed to address.

Is it Worth it for an Organization to Get HITRUST Certified?

With the fairly sizable amount of money and time required to become HITRUST certified, it’s not surprising that some organizations ask: “Is it worth it?” Let’s examine why it’s most likely a worthwhile investment to become HITRUST CSF Validated in healthcare.

The first major benefit of HITRUST Certification is that it drastically simplifies compliance management. So, if your organization has to attest to multiple frameworks such as HIPAA, NIST, and FISMA, you can meet all of those requirements through the HITRUST process, instead of them being separate workflows. As the HITRUST Alliance likes to say, you can “assess once, and report many.” And, given that regulatory frameworks contain a lot of overlap with each other, the HITRUST process reduces the work needed to stay compliant with multiple frameworks.

Secondly, many healthcare payers and providers refuse to do business with any vendor that has not met HITRUST benchmarks. So, when it comes to marketability of your product, obtaining HITRUST certification can give your business a competitive edge and open up new possibilities with new clients.

Thirdly, the most obvious benefit is improved security and reduced risk of a breach. With 79% of breaches affecting the healthcare industry last year, information security is of utmost importance in healthcare. A breach can be devastating, with 60% of SMBs out of business within six months of a breach, and the average cost of a data breach being $4.35M.

Read 4 Reasons Healthcare Vendors Need HITRUST Certification That You Can't Ignore.

The Bottom Line: 

While a HITRUST assessment represents a significant expense of organizational resources, it’s a worthy investment. By ensuring security measures are properly implemented, organizations of all sizes can protect and enhance the quality of care they deliver, while growing their business

Want to understand the HITRUST certification process in depth? Download Conquering the HITRUST Mountain to learn about the process, how to build the right team, and how to lead the process to completion.

Want to understand how much HITRUST costs? Try our free HITRUST Cost Calculator tool for a free estimate.