What is HITRUST CSF Certification? Overview

Cloudticity, L.L.C.

HITRUST certification is fast becoming a prerequisite for doing business in the healthcare industry. A growing number of providers, payers, and other healthcare organizations will work only with businesses that have achieved this certification.

But what exactly is HITRUST certification? How does it differ from HIPAA compliance? Is it truly necessary for your organization? And what does it take to become HITRUST certified?

Understanding the basics of HITRUST certification and gauging what it will mean for your business can help you make the critical decision of whether or not to undertake the potentially complex certification process.

What Is the Difference Between HIPAA and HITRUST?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal US law that mandated the creation of national standards for safeguarding sensitive patient health information. The US Department of Health and Human Services (HHS) subsequently published privacy and security rules that established those standards. All organizations that handle protected health information (PHI) must comply with the standards.

HITRUST certification enables organizations to prove that they comply with HIPAA or other regulations and standards. Founded in 2007, HITRUST (which originally stood for the Health Information Trust Alliance) is a privately held company that provides a comprehensive, standardized, and certifiable framework for compliance.

This HITRUST Common Security Framework (CSF) brings together multiple security regulations, privacy regulations, and regulatory standards into a single reference. That framework covers a wide range of areas, including risk management, access control, network security, and incident management. Implementing the privacy and security controls listed in the framework is a key part of achieving HITRUST certification—which is also sometimes called HITRUST CSF certification. 

In the healthcare industry, HITRUST certification is the gold standard for demonstrating regulatory compliance. Many healthcare organizations would benefit from integrating HITRUST certification into their compliance program. 


Why Is HITRUST Certification Important?

Without a HITRUST certificate, it can be extremely difficult to demonstrate compliance with HIPAA rules or other regulatory requirements. Providers, payers, and patients do not have a simple way of knowing whether an organization is truly safeguarding PHI. And consequently, they might be reluctant to partner with that organization or use its services.

Certification gives your organization a clear means of indicating compliance. Because attaining certification is a rigorous process, earning that badge is an important competitive differentiator.

You can win new business and bolster the loyalty of current partners and customers by assuring them that you are complying with applicable regulations.

HITRUST certification can also provide additional business benefits. First and foremost, implementing the requisite privacy and security controls in the HITRUST CSF will help you strengthen your security program. You will be able to better protect your business from attacks and breaches. 

Certification can also help you maintain security, privacy, and compliance even as new threats emerge and new regulations are put in place: HITRUST frequently updates its framework, helping you streamline the process for staying current.

Finally, the HITRUST certification program could help your organization attest to multiple security, privacy, or regulatory requirements simultaneously. As part of the assessment process, you can select from a wide range of “regulatory factors”—i.e., laws, regulations, and standards—that are relevant to your organization. You can then assess just once, but report multiple results. 


How Do You Achieve HITRUST Certification?

HITRUST certification is a comprehensive, multi-step process that takes a risk-based approach to evaluating an organization’s security controls and practices. Through the process, you identify the risks to security, determine the likelihood of a breach, evaluate the potential impact of a breach, and implement safeguards that could mitigate that impact.

For most organizations, the first step is selecting an external assessor firm. The assessor can then help conduct a readiness assessment using the HITRUST MyCSF software tool. MyCSF is a subscription-based app designed for assessing, managing, and reporting information risk and compliance. The goal of the readiness assessment is to uncover compliance gaps for your particular organization and to identify specific controls that you will need to implement to achieve certification.

Next you need to work with the assessor to develop a gap remediation plan. Once the plan is in place, you can begin implementing recommended controls and practices to address gaps. 

The assessor then conducts the validated assessment, reviewing your organization’s policies, procedures, and implementation. Your team is responsible for demonstrating that your organization meets the requirements for each HITRUST control. After you’ve addressed any final issues, the assessor can complete the assessment and submit it to HITRUST for auditing.


How Long Does HITRUST Certification Last?

HITRUST certification is not a one-time event, and it doesn’t last forever. If you’ve chosen the HITRUST Risk-based, 2-year (r2) Validated Assessment + Certification—the highest-level assessment and certification—then you need to go through the entire certification process again every two years.

Before the one-year anniversary of your certification, you also need to conduct an interim assessment. The interim assessment helps ensure that you still have the right controls in place and that those controls are still effective.

The HITRUST Implemented 1-year (i1) Validated Assessment + Certification, which is focused on staying up to date on cybersecurity threats, is valid for only one year. If you choose this type of assessment and certification, you need to repeat the entire process every year.

How Much Does HITRUST Certification Cost?

Working toward certification can require a significant investment in time, resources, and money. Calculating the monetary costs of HITRUST certification for your organization, before you get started, will be critical for planning.

The certification process includes both direct and indirect costs. For direct costs, factor in the fees you will pay to HITRUST as well as the fees you will pay to an external assessor.

All of those direct fees can vary depending on your risk profile and your choice of certification process. If you have a high-risk profile, for example, you will likely pay your assessor more. 

In addition, you should estimate the indirect costs you will incur through the certification process. Each hour that your team members spend implementing new controls is an hour they are not spending on more strategic tasks. Given that achieving initial certification could require hundreds of hours, these indirect costs can be large.


Who Should Get HITRUST Certification?

HITRUST certification is not mandatory—there is no law that requires your organization to go through the extensive process of becoming certified. But as more hospitals, insurance plans, and other healthcare businesses expect or demand this certification from their partners, all industry participants will be under pressure to attain certification. The following organizations should consider becoming HITRUST Certified.

  • The business associates of covered entities: Contractors, vendors, or other non-employees might also need to follow parts of HIPAA rules. Organizations that fail to comply with HIPAA regulations are subject to civil and criminal penalties, and might need to pay restitution to any victims. Since HITRUST certification is a clear way to demonstrate mandatory HIPAA compliance, and because it is increasingly expected among industry participants, most organizations covered by HIPAA rules should consider HITRUST certification.
  • Organizations that must adhere to other industry and government regulations: Organizations subject to regulations such as the Health Information Technology for Economic and Clinical Health (HITECH) Act or the Payment Card Industry Data Security Standard (PCI DSS) should consider certification. HITRUST incorporates these and other regulations into its certification framework and makes attesting to multiple regulations easier.
  • Health Information Exchanges that want to become QHINs: With the recent adoption of the Trusted Exchange Framework and Common Agreement (TEFCA), all Health Information Exchanges (HIEs) and Health Information Networks (HINs) that want to become qualified health information networks (QHINs) will be required to obtain HITRUST CSF Certification.

Of course, not all organizations will have the same path or the same requirements for achieving HITRUST certification. Depending on your business, you might need to implement a few hundred new privacy and security controls, or more than a thousand.

You might also decide that the Essentials 1-year (e1) Assessment or the Implemented 1-year (i1) Assessment is a better fit than the more comprehensive 2-year (r2) process. Working with an outside expert as well as an external assessor can help you define your unique path to certification.

How Many HITRUST Controls Are There?

HITRUST provides three different levels of assessments, each with varying degrees of comprehensiveness, assurance, and difficulty. HITRUST regularly updates the framework; the latest version is version 11, which was released in January 2023.

Here is the current number of controls in each assessment for HITRUST CSF v11.

  • Essentials 1-year (e1) Assessment = 44 requirement statements
  • Implemented, 1-year (i1) Assessment = 182 requirement statements (including the 44 from the e1)
  • Risk-based, 2-year (r2) Assessment = 213 – 1,200+ (dependent on the scope and risk factors of the organization; this includes the 182 i1 requirement statements as a baseline)

Ready to Move Forward with Certification?

HITRUST certification is an extremely useful and beneficial way to demonstrate your compliance with mandatory industry and federal regulations, including HIPAA.

Though the certification process can be time-consuming and costly, earning certification can help you better protect sensitive information, maintain compliance over time, and gain a competitive edge. For many healthcare organizations, working toward HITRUST certification will be an important part of their compliance efforts.

Fortunately, there are ways to streamline HITRUST certification. Working with the right cloud-based, HITRUST-certified managed security services provider can help you achieve certification faster and more cost effectively than undertaking the certification process on your own.

To learn how Cloudticity can help you cut the cost, time, and complexity of HITRUST certification, download the white paper, Accelerate & Simplify HITRUST Certification with Cloudticity. Or schedule a free consultation to learn more.
