The HITRUST Certification Steps

A HITRUST certification is a powerful way healthcare organizations can show their commitment to protecting patients’ sensitive data. HITRUST is a highly regarded framework because it is very thorough and requires dedication. For a successful certification, businesses should expect to dedicate time and resources, develop new policies and procedures, and even change their IT infrastructure. Before beginning the journey, your organization needs to know the HITRUST certification steps it will need to take to achieve its goals.

Determine if You Need a HITRUST Certification

HITRUST can be one of the most challenging cybersecurity frameworks to complete. If your organization has key customers or prospects that require a HITRUST certification from their partners, then obviously the need is there. If there isn’t a customer pushing you to get certified, HITRUST might not be worth the effort. This is especially true if your organization lacks a mature security program. A more manageable framework like SOC 2 or NIST is likely a more practical option. Compliance with those frameworks can be a solid foundation for HITRUST certification down the road.

Identify the Right Assessment Option

HITRUST isn’t a one-size-fits-all framework. There are three HITRUST assessment options to choose from. Organizations can select the one that makes the most sense based on their goals, customer requirements, and current security program.

The three HITRUST assessment options are:

HITRUST Essentials, 1-year (e1): The e1 is designed as a lower-effort assessment focusing on basic cybersecurity hygiene and addressing what HITRUST identifies as the most critical cybersecurity practices. There are 44 standardized e1 controls with no scoping required.

The e1 is a good choice for organizations that have limited access to or use of Protected Health Information (PHI) and are just starting with HITRUST. Establishing compliance with the e1 controls can serve as a good starting point if you plan on obtaining a more rigorous certification in the future.

HITRUST CSF Implemented, 1-year (i1) Validated Assessment: The i1 is a certifiable assessment option that represents a midrange in terms of time, effort, and cost. There are approximately 180 non-customizable i1 controls, including all the controls in the e1.

An i1 assessment makes sense for companies that have cybersecurity controls in place but have limited policy and process documentation.

HITRUST CSF Risk-based, 2-Year (r2) Assessment: The r2 is the most challenging to obtain, but it is a highly regarded certification that demonstrates an organization’s dedication to the highest level of data security. The r2 contains more than 2,000 controls, but your organization’s scope can be customized to match its operations. Typically, businesses will have a control count between 200-800.

It’s worth noting that the controls are consistent between assessments. So if a control is in an e1 it will also be in an r2. As a result, organizations often start with an e1 or i1 to provide that initial evidence of HITRUST certification and as they continue to grow in cybersecurity maturity may choose to eventually obtain an r2 certification.

The controls for all three assessment types are organized into nineteen domains and organizations must receive a passing score for each domain. An e1 and i1 assessment are scored only upon the implementation of the control and an r2 is scored on the policy and procedure documentation in addition to the implementation.

Find an Authorized Assessor

To obtain HITRUST certification, your validated assessment must be completed by an organization that HITRUST has verified as an authorized CSF Assessor. Find a directory of HITRUST Authorized External Assessors here.

The earlier you can engage with an assessor in the HITRUST process, the better. You can lean on their experience and expertise to complete the required tasks faster.  While it is possible to do your initial review of your control maturity without an Assessor firm, using an experienced firm will help you fully understand and comply with the HITRUST CSF requirements. 

When vetting assessors, consider how many organizations they’ve successfully guided to certification, their experience working with businesses in your industry, and their use of technology.

Conduct a Readiness or Gap Assessment

You’ve determined your organization needs a HITRUST certification, identified the proper assessment option, and found an authorized assessor. Now it’s time to roll up your sleeves and really get to work, beginning with a readiness or gap assessment.

Analyze how your current security controls, policies, and procedures hold up against HITRUST requirements. Your assessor can help with this process. Use the findings from the assessment to identify what controls will need to be added or modified to reach HITRUST compliance.

Remediate Gaps

With your security gaps identified, it’s time to design and implement controls that will remediate those gaps. This is another area to leverage your assessor’s knowledge and experience.

After implementing the controls, you’ll need to:

  • Produce the proper documentation
  • Test the controls to ensure they’re effective
  • Provide any necessary training for your staff

Validated HITRUST Assessment

Your assessor will conduct your HITRUST validated assessment which will validate the implementation of your security controls and test their effectiveness. Controls must be implemented and functioning for at least ninety days before validated assessment testing. Additionally, your policy and procedure documentation needs to be finalized and provided to your workforce at least 60 days before the related controls are tested. The assessment will include walkthroughs and interviews with key personnel to ensure they understand the organization’s policies and procedures.

Your organization needs to provide evidence that it is meeting HITRUST requirements which can include screenshots, policy and procedure documentation, training materials, and more.

If the assessor determines that your security controls meet HITRUST requirements, they will submit the assessment to HITRUST for review. If remaining gaps are found in your security program, you will be notified about additional remediation efforts.

HITRUST Quality Assurance Review

During the HITRUST Quality Assurance Review, HITRUST assessors analyze the assessment process, the effectiveness of the implemented controls, the thoroughness of risk management practices, and the appropriateness of remediation efforts for identified vulnerabilities. They verify that the assessment was conducted following established protocols and that its conclusions are well-supported by evidence.

CompliancePoint is an authorized HITRUST CSF Assessor. We have an experienced team of healthcare and cybersecurity professionals who can guide you through all the HITRUST certification steps. Contact us at to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.