What is HITRUST CSF Certification? Overview

By Cloudticity, L.L.C. Tagged: HITRUST, HITRUST certification

HITRUST certification is fast becoming a prerequisite for doing business in the healthcare industry. A growing number of providers, payers, and other healthcare organizations will work only with businesses who have achieved this certification.

But what exactly is HITRUST certification? How does it differ from HIPAA compliance? Is it truly necessary for your organization? And what does it take to become HITRUST certified?

Understanding the basics of HITRUST certification and gauging what it will mean for your business can help you make the critical decision of whether or not to undertake the potentially complex certification process.

What is the difference between HIPAA and HITRUST?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal US law that mandated the creation of national standards for safeguarding sensitive patient health information.

The US Department of Health and Human Services (HHS) subsequently published privacy and security rules that established those standards. All organizations that handle protected health information (PHI) must comply with the standards.

HITRUST certification enables organizations to prove that they comply with HIPAA or other regulations and standards. Founded in 2007, HITRUST (which originally stood for the Health Information Trust Alliance) is a privately held company that provides a comprehensive, standardized, and certifiable framework for compliance.

This HITRUST Common Security Framework (CSF) brings together multiple regulations and standards into a single reference. Implementing privacy and security controls listed in the framework is a key part of achieving HITRUST certification—which is also sometimes called HITRUST CSF certification.

Why is HITRUST certification important?

Without a HITRUST certificate, it can be extremely difficult to demonstrate compliance with HIPAA or other regulations. Providers, payers, and patients do not have a simple way of knowing whether an organization is truly safeguarding PHI. And consequently, they might be reluctant to partner with that organization or use its services.

Certification gives your organization a clear means of indicating compliance. Because attaining certification is a rigorous process, earning that badge is an important competitive differentiator.

You can win new business and bolster the loyalty of current partners and customers by assuring them that you are complying with applicable regulations.

HITRUST certification can also provide additional business benefits. First and foremost, implementing the requisite privacy and security controls in the HITRUST CSF will help protect your business from the attacks and breaches that can hobble it.

Certification can also help you maintain security, privacy, and compliance even as new threats emerge and new regulations are put in place: HITRUST frequently updates its framework, helping you streamline the process for staying current.

How do you achieve HITRUST certification?

Achieving HITRUST certification is a multi-step process. You begin by conducting a self-assessment using the HITRUST MyCSF software tool. The goal is to uncover compliance gaps for your particular organization and to identify specific controls that you will need to implement to achieve certification.

You then need to work with an external assessor to close compliance and control gaps. The assessor helps to prepare a validated assessment, which you must submit to HITRUST for auditing.

How long does HITRUST certification last?

HITRUST certification is not a one-time event, and it doesn’t last forever. If you’ve chosen the HITRUST Risk-based, 2-year (r2) Validated Assessment + Certification—the highest-level assessment and certification—then you need to go through the entire certification process again every two years.

Before the one-year anniversary of your certification, you also need to conduct an interim assessment. The interim assessment helps ensure that you still have the right controls in place, and those controls are still effective.

The HITRUST Implemented 1-year (i1) Validated Assessment + Certification, which is focused on staying up to date on cybersecurity threats, is valid for only one year. If you choose this type of assessment and certification, you need to repeat the entire process every year.

How much does HITRUST certification cost?

Working toward certification can require a significant investment in time, resources, and money. Calculating the monetary costs of HITRUST certification for your organization, before you get started, will be critical for planning.

The certification process includes both direct and indirect costs. For direct costs, you should factor in the fees you will pay to HITRUST as well as the fees you will pay to an external assessor.

All of those direct fees can vary depending on your risk profile and your choice of certification process. If you have a high-risk profile, for example, you will likely pay your assessor more.

In addition, you should estimate the indirect costs you will incur through the certification process. Each hour that your team members spend implementing new controls is an hour they are not spending on innovation. Given that achieving initial certification could require hundreds of hours, these indirect costs can be large.

Who should get HITRUST certification?

HITRUST certification is not technically mandatory—there is no law that requires your organization to go through the extensive process of becoming certified. But as more hospitals, insurance plans, and other healthcare businesses expect or demand this certification from their partners, all industry participants will be under pressure to attain certification.

Meanwhile, compliance with HIPAA regulations is mandatory for all “covered entities,” including healthcare providers, health plans, and healthcare clearinghouses.

The business associates of covered entities—such as contractors or other non-employees—might also need to follow parts of HIPAA rules. Organizations that fail to comply with HIPAA regulations are subject to civil and criminal penalties, and might need to pay restitution to any victims.

Since HITRUST certification is a clear way to demonstrate mandatory HIPAA compliance, and because it is increasingly expected among industry participants, most organizations covered by HIPAA rules should consider HITRUST certification.

Similarly, organizations that must adhere to other industry and government regulations—such as the Health Information Technology for Economic and Clinical Health (HITECH) Act or the Payment Card Industry Data Security Standard (PCI DSS)—should consider certification. HITRUST incorporates these and other regulations into its certification framework.

Of course, not all organizations will have the same path or the same requirements for achieving HITRUST certification. Depending on your business, you might need to implement a few hundred new privacy and security controls, or more than a thousand.

You might also decide that the 1-year (i1) assessment and certification is a better fit than the more comprehensive 2-year (r2) process. Working with an outside expert as well as an external assessor can help you define your unique path to certification.

How many HITRUST controls are there?

HITRUST provides three different levels of assessment, each with varying degrees of comprehensiveness, assurance, and difficulty. HITRUST regularly updates the framework; the latest version, version 11, was released in January 2023.

Here is the current number of controls in each assessment for HITRUST CSF v11.

◆ e1 assessment = 44 requirement statements
◆ i1 assessment = 182 requirement statements (including the 44 from the e1)
◆ r2 assessment = 213 to 1200+ requirement statements, depending on the scope and risk factors of the organization (this includes the 182 i1 requirement statements as a baseline)

Ready to move forward with certification?

HITRUST certification is an extremely useful and beneficial way to demonstrate your compliance with mandatory industry and federal regulations, including HIPAA.

Though the certification process can be time-consuming and costly, earning certification can help you better protect sensitive information, maintain compliance over time, and gain a competitive edge.

Fortunately, there are ways to streamline HITRUST certification. Working with the right cloud-based, HITRUST-certified managed service provider can help you achieve certification faster and more cost effectively than undertaking the certification process on your own.

To learn how Cloudticity can help you cut the cost, time, and complexity of HITRUST certification, download the white paper, Accelerate & Simplify HITRUST Certification with Cloudticity. Or schedule a free consultation to learn more.
