What is HITRUST?

HITRUST stands for the Health Information Trust Alliance. It maintains the HITRUST Common Security Framework (CSF), a framework primarily designed to help healthcare companies protect and manage sensitive data. The HITRUST CSF was designed to encompass other information security and privacy regulations and standards, including NIST, ISO 27001, PCI DSS, HIPAA, and GDPR. It gives organizations the ability to demonstrate compliance with multiple standards and regulations through one certification.

A HITRUST CSF certification verifies that organizations have the highest standards for data security.

Getting HITRUST Certified

There are three HITRUST assessment options. Selecting the assessment that makes the most sense for your organization is a key step to achieving HITRUST compliance. All options require the organization to engage a HITRUST assessor firm to evaluate its control maturity and submit the results to HITRUST for certification.

HITRUST Essentials, 1-year (e1)

The e1 is the newest assessment option. It was included in the HITRUST CSF v11 release in January 2023. The e1 is designed as a low-effort assessment focusing on basic cybersecurity hygiene and addressing what HITRUST identified as the most critical cybersecurity practices.

The e1 is designed for vendors whose risk may not be high enough to warrant the more extensive assessments but who still need to demonstrate a verifiable commitment to basic security standards. There are 44 e1 controls, which are standardized with no scoping required. e1 certifications must be renewed annually.

HITRUST CSF Implemented, 1-year (i1) Validated Assessment

The i1 is a certifiable assessment option that represents a midrange in terms of time, effort, and cost. There are approximately 180 i1 controls, which cannot be customized. The i1 does not require detailed policy and procedure documentation for every control, because it is scored on implementation only.

The i1 assessment should be considered by companies with cybersecurity controls in place but without thorough policy and process documentation. The i1 can serve as a good starting point for businesses that eventually want the r2.

HITRUST CSF Risk-based, 2-Year (r2) Assessment

The r2 is the gold standard for security certifications in the healthcare industry. It requires the most significant commitment to obtain, but it is a highly regarded certification that demonstrates an organization is dedicated to the highest level of data security.

The r2 contains more than 2,000 controls, but your organization's scope can be customized to match its operations. Most businesses will have a control count between 200 and 800. To identify the applicable control requirements, you can purchase a self-assessment from HITRUST.

Another option is to work with an assessor firm like CompliancePoint that will help you select the controls your organization needs to implement. The benefit of working with an assessor is that they can also help you understand what is required to satisfy each control.

The Benefits of HITRUST Certification

HITRUST certification is a rigorous process, but the payoff for any healthcare organization is a powerful tool for securing and retaining business. Your certification will give customers the utmost confidence that you have tested policies and procedures in place to protect sensitive data and meet regulatory requirements. You can trust an r2 certification to meet any security requirements you have to satisfy to land deals.

How We Can Help

With CompliancePoint you get an experienced partner, and an authorized CSF assessor, who can guide you through the entire certification process. Our team of experts will help you identify the necessary controls, implement the policies, procedures, and technology to meet those controls, and successfully complete the assessment.

Once you’ve achieved certification, our HITRUST Management Program ensures you're prepared to maintain your certification on an ongoing basis.

Frequently Asked Questions

What does HITRUST stand for?

HITRUST stands for the Health Information Trust Alliance.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that established rules for the maintenance and security of Personal Health Information (PHI) and is enforced by the US Department of Health and Human Services (HHS). HIPAA standards are built on three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

What is HITRUST?

HITRUST is a certifiable Common Security Framework (CSF) designed to help healthcare companies protect and manage sensitive data. HITRUST encompasses other information security and privacy regulations and standards, including NIST, ISO 27001, PCI DSS, HIPAA, and GDPR. It gives organizations the ability to demonstrate compliance with multiple standards and regulations through one certification.

What is SOC 2?

SOC 2 is a data security compliance standard developed by the American Institute of CPAs (AICPA). The standard focuses on the secure handling and management of customer data. SOC 2 reports are most commonly used by service providers. For any business or organization, SOC 2 compliance is a powerful way to show customers and prospects that it is committed to protecting their data and has the procedures in place to do so effectively.

What is the difference between SOC 2 and HITRUST?

While SOC 2 is largely industry-agnostic, HITRUST is used by healthcare organizations. It is a certifiable Common Security Framework (CSF) designed to help healthcare companies protect and manage sensitive data. HITRUST encompasses other information security and privacy regulations and standards, including NIST, ISO 27001, PCI DSS, HIPAA, and GDPR. It gives organizations the ability to demonstrate compliance with multiple standards and regulations through one certification.

10 Billion+ Records Audited

150+ Cases as an Expert Witness

2,500+ Companies Served

+86 Net Promoter Score - Our Customers Love Us!