What is HITRUST?
HITRUST stands for the Health Information Trust Alliance, the organization that develops and maintains the HITRUST Common Security Framework (CSF). The CSF was primarily designed to help healthcare organizations protect and manage sensitive data. It harmonizes requirements from other information security and privacy standards and regulations, including NIST, ISO 27001, PCI DSS, HIPAA, and GDPR, so an organization can demonstrate alignment with multiple standards and regulations through a single assessment and certification.
A HITRUST CSF certification attests that an authorized external assessor has validated that the organization's controls meet the requirements of the assessment level it chose.
Getting HITRUST Certified
There are 3 HITRUST assessment options. Selecting the one that best fits your organization's risk profile, customer demands, and available resources is a key step toward achieving HITRUST certification. All three options require the organization to engage an authorized HITRUST assessor firm to validate its controls before the results are submitted to HITRUST for certification.
HITRUST Essentials, 1-year (e1)
The e1 is the newest assessment option. It was introduced with the HITRUST CSF v11 release in January 2023. The e1 is designed as a low-effort assessment focused on basic cybersecurity hygiene and on what HITRUST identified as the most critical cybersecurity practices.
The e1 is designed for organizations, typically vendors, whose risk profile may not warrant one of the more extensive assessments but who still need to demonstrate a verifiable commitment to basic security practices. The e1 has 44 standardized controls, with no scoping required. Because it is a 1-year certification, it must be renewed annually.
HITRUST CSF Implemented, 1-year (i1) Validated Assessment
The i1 is a certifiable assessment option that represents a midrange in terms of time, effort, and cost. It covers approximately 180 controls that cannot be customized or scoped down. The i1 is scored on implementation only, so it does not require detailed policy and procedure documentation for every control.
The i1 should be considered by organizations that have cybersecurity controls in place but lack thorough policy and process documentation. It can also serve as a good starting point for businesses that eventually want the r2.
HITRUST CSF Risk-based, 2-Year (r2) Assessment
The r2 is the most rigorous HITRUST certification and the one most widely recognized in the healthcare industry. It requires the most significant commitment to obtain: unlike the e1 and i1, controls are scored not only on implementation but also on documented policy and procedure, and the 2-year certification requires an interim assessment after the first year to remain valid. In return, it demonstrates to customers and partners that an organization is dedicated to the highest level of data security.
The full CSF contains more than 2,000 controls, but your organization's r2 scope is tailored to its operations through scoping factors such as organization type, size, and the systems in scope. Most organizations end up with a control count between 200 and 800. To identify the control requirements that apply to you, you can purchase a self-assessment from HITRUST.
Another option is to work with an assessor firm like CompliancePoint, which will help you determine the controls your organization needs to implement. The benefit of working with an assessor is that they can also help you understand what is required to satisfy each control.
The Benefits of HITRUST Certification
HITRUST certification is a rigorous process, but the payoff for a healthcare organization is a powerful tool for securing and retaining business. Your certification gives customers confidence that you have tested policies and procedures in place to protect sensitive data and meet regulatory requirements. An r2 certification in particular satisfies the security assurance requirements that many healthcare customers and partners impose on vendors before signing a deal.
How We Can Help
With CompliancePoint you get an experienced partner that is also an authorized HITRUST CSF assessor and can guide you through the entire certification process. Our team will help you identify the necessary controls, implement the policies, procedures, and technology to meet them, and successfully complete the assessment.
Once you’ve achieved certification, our HITRUST Management Program ensures you're prepared to maintain your certification on an ongoing basis.
Get started on your HITRUST Certification today!