HITRUST adoption in healthcare is in full swing. 81% of healthcare providers and 83% of payers have adopted the framework with business associates quickly following suit.
Whether it's pressure from a customer or potential customer that's causing you to pursue HITRUST certified status, or you just want to be proactive about security, you're probably wondering: how long will HITRUST certification take?
In this blog we’ll answer that question and give an overview of what’s to be expected at each stage.
How long does HITRUST certification take?
It can take anywhere from seven to eighteen months - or more - to get HITRUST Certified. The length of the process really depends on a few things: your organization’s size, how many people and systems interface with sensitive data, how much the project is prioritized by leadership, and which of the assessments from the HITRUST family of assessments you are pursuing.
What is the HITRUST process and timeline like?
After you choose a HITRUST assessor firm to work with, the HITRUST timeline can be broken up into four phases.
- Phase 1: Readiness Assessment and Gap Analysis - 4-8 weeks
Your HITRUST Assessor will conduct a preliminary review of your organization’s security controls, policies, and procedures to identify areas that need improvement before the actual HITRUST assessment. The results from the readiness assessment become the foundation for the gap remediation plan, where your assessor creates a plan for you to address the issues identified.
- Phase 2: Gap Remediation - 4-12 weeks
Your assessor creates a gap remediation plan based on the issues discovered during the Gap Analysis. This plan will include detailed findings and recommended remediation steps.
- Phase 3: HITRUST Validated Assessment - 4-9 months
The assessor reviews your organization’s policies, procedures, and implementation. Your team members will be required to provide evidence, usually through screenshots, to prove that you’ve implemented the controls that are part of your assessment. Your assessor will also conduct interviews with staff members to ensure they understand and enforce security policies and procedures. When you’re ready, you submit your evidence to your HITRUST Assessor for review and approval.
This marks the beginning of a 90-day “quiet period”, during which you’re not allowed to make any updates to controls while the assessor reviews your submission. There may be some back and forth here as you work with the assessor to verify you’ve provided sufficient evidence or to remediate any issues.
- Phase 4: HITRUST Validated Assessment - 1-3 months
Submit your work to HITRUST and get results back within one to three months.
How much does HITRUST certification cost?
HITRUST Certification can cost $70K-$160K depending on your organization’s size, the complexity of its IT environment, and its risk factors.
Read the blog: What's the Cost of HITRUST Certification?
How Can You Reduce the Time of HITRUST?
You can reduce the time, and cost, of HITRUST CSF certification by leveraging the right network of partners. Here are three ways to reduce the burden of HITRUST.
- 1. Work with public cloud service providers (CSPs): The major CSPs, such as Amazon, Microsoft, and Google, all offer HITRUST Certified services that are compliant with HITRUST on the CSP’s end. When you use these services, you can inherit controls that your CSP has already met rather than putting in the work to attest to them yourself.
- 2. Work with CSP partners: Several HITRUST Certified CSP partners have been certified by HITRUST to provide HITRUST inheritance programs that allow organizations to inherit even more HITRUST controls. When you inherit from your cloud partners, you can check off even more boxes on your assessment before you even begin. Cloudticity, a certified HITRUST Inheritance Provider, offers over 350 inheritable and partially inheritable controls that customers can leverage to streamline their assessments.
- 3. Work with a HITRUST assessor that charges per control: Some HITRUST Assessor firms charge a flat rate, while others charge per control. Working with an assessor that charges per control, like A-lign, can help you reduce costs while you're inheriting from your cloud partners because you won't have to pay for controls you are inheriting.
See the blog: 7 Things to Look For in a HITRUST Assessor Firm
Get on the Fast Track to HITRUST Today
Cloudticity can help you reduce the timeline of HITRUST by 25-62% (depending on your organization's risk profile) with our managed cloud services for AWS and Azure. Schedule a free consultation today to map out your path to HITRUST!
Or try the Cost of HITRUST estimation calculator for a free cost estimate.