Master the complexities of cloud compliance with expert resources and relevant insights.

Everything You Need to Know About HITRUST Certification

Unless you’re still stuck in the Stone Age, your practice uses some kind of electronic data to keep your operation moving. Compliance requirements give your partners and clients peace of mind that you know how to use this technology safely, but confusing jargon, vague requirements, and stiff penalties make compliance a headache for your organization. 

The compliance requirements that come with this technology can feel like “one more thing,” but HITRUST actually simplifies a lot of the compliance to-dos for you. HITRUST helps you prove to potential partners and clients that you’re trustworthy and makes compliance as simple as possible. 

If you’re looking for a way to differentiate your business and show the world that you take cybersecurity seriously, go after a HITRUST certification. Let’s dig into the basics of HITRUST, the benefits of certification, and the 5 steps you need to take to get certified: 

What is HITRUST? 

HITRUST stands for “Health Information Trust Alliance.” Since 2007, this non-profit has helped organizations simplify and standardize their approach to compliance. HITRUST is often used in the healthcare industry, but organizations across several industries use HITRUST because its framework is so effective. 

In fact, HITRUST is the most common healthcare security framework in the U.S. 81% of hospitals and 83% of U.S. health plans have adopted HITRUST’s framework. It isn’t a substitute for HIPAA compliance, but it’s a great playbook for better managing your data security. 

The purpose of HITRUST is to unify a handful of different regulatory requirements and specifications in one framework that helps organizations protect sensitive data such as protected health information (PHI) and financial information. Instead of throwing a slew of vague requirements at you, HITRUST’s Common Security Framework (CSF) is clear, prescriptive, and helpful.

The great thing about HITRUST is that it rolls several regulatory reports into one. The idea of “assess once, report many” means you can save a lot of time on compliance efforts if you stick to HITRUST. The CSF can help you audit your systems for: 

… to understand how prepared you are for cyberattacks. With privacy and security regulations in one framework, HITRUST seriously simplifies how much time your team spends on compliance. 

HITRUST Structure

HITRUST is supervised by the non-profit HITRUST Alliance. But the CSF itself is monitored by the Advisory Council, which adjusts the CSF as technology changes. 

The American Medical Association, American Hospital Association, and America’s Health Insurance Plans are some of the many members of the Advisory Council, so this dream team definitely has its finger on the pulse of modern healthcare. The Advisory Council is completely independent, which means it’s as objective as possible. 

Aside from The Advisory Council, HITRUST also has a Research Advisory Council (RAC). The goal of the RAC is to keep the CSF as relevant as possible. Since technology changes so fast, the CSF can become obsolete overnight, and that’s where the RAC comes into play. Its members look at emerging technologies and recommend changes to the CSF. This committee guarantees that the HITRUST certification is actually useful and relevant in the real world. 


Some people lump HITRUST and HIPAA together, but they’re two very different things. To put it bluntly: HITRUST is not the same as HIPAA because:

  • HIPAA is open to interpretation: HITRUST is a clear security framework that tells you exactly what to do. HIPAA requires that organizations implement technical, physical, and administrative safeguards as they relate to patient security and privacy, but how you meet these requirements is pretty much up to you. 

  • HIPAA is the bare minimum: Honestly, HIPAA isn’t asking for much. HITRUST, on the other hand, helps you go beyond HIPAA requirements. It’s a badge of trust that says you’ve gone above and beyond to protect your data. 

  • HITRUST isn’t the law: You’re on the hook for fines and penalties if you don’t comply with HIPAA. While it’s a good idea to get HITRUST certified, it isn’t mandatory. However, if your business provides services to a company that requires its vendors to be HITRUST certified, then certification is critical for your business operations. 

  • HITRUST is more rigorous than HIPAA: HITRUST consolidates a bunch of regulatory reports into one and requires more resources and effort compared to a HIPAA audit. HITRUST is a certifiable framework with controls mapped to all HIPAA specifications and standards. There is no formal HIPAA certification, but a HITRUST certification can help you prepare for an external HIPAA audit and can serve as a reliable way for HIPAA covered entities to ensure that their business associates are HIPAA-compliant

HITRUST is certainly a helpful tool for ensuring you meet regulatory compliance standards and can help potential partners and clients verify that you’re HIPAA compliant. That said, it isn’t the same as HIPAA and it certainly doesn’t replace HIPAA, but the two work in tandem. 

Why Does HITRUST Certification Matter? 

If HITRUST doesn’t replace HIPAA, what’s the point in certifying? HITRUST is a valuable internal tool to ensure you’re maintaining appropriate safeguards for privacy and security, but it’s also a great way to market your business and give your potential business partners and clients an added layer of assurance. 

HITRUST certification is important because it helps you:

  • Prepare for known risks: Remember, the RAC is constantly recommending changes to the HITRUST CSF based on new technology as well as emerging threats. If you follow HITRUST precisely, you’ll be prepared for the majority of known risks, threats, and cyberattacks. It’s a great way to proactively structure your business for digital resilience, which is a must for protecting sensitive data.

  • Train your team: HITRUST is definitely suited for IT-minded folks, but that doesn’t mean your team should leave security up to the IT department. HITRUST gives you an actionable playbook that can help you communicate the importance of security to your entire team, build a security culture, and get all departments involved in following security best practices. 

  • Be competitive: HITRUST isn’t required by law, but it can give you a competitive advantage against other businesses that aren’t certified. HITRUST certification is certainly no picnic, but successful certification is a great way to gain a competitive edge in a crowded market. 

  • Future-proof: HITRUST goes beyond HIPAA requirements to better protect your organization from a revolving door of threats. It’s a scalable, sustainable way to protect everyone as technology changes. If you aren’t HITRUST certified today, you risk becoming obsolete. 

HITRUST isn’t mandatory, but many organizations pursue certification to tighten up their security and privacy practices anyway. If you can successfully pass the certification, HITRUST proves that you know how to handle sensitive information.

HITRUST Certification Basics

The HITRUST certification process involves a great deal of planning and an in-depth audit. If you successfully complete the process, you’ll be HITRUST certified for 2 years, although you do need to undergo an interim assessment after 12 months to ensure the continued effectiveness of your organization’s data security controls. 

Keep in mind that passing an audit doesn’t mean your organization is bulletproof. The purpose of HITRUST is to prove your systems are adequately secured—and that you’re able to respond to issues appropriately. It’s about proving your processes are strong enough to respond to threats. 

HITRUST Certification Timeline

You’ll need to renew your HITRUST certification every year, so remember your certification expiration date. As mentioned, technically, HITRUST CSF certifications are valid for 2 years, but the interim assessment required at the 12-month mark means it’s still an annual requirement. 

Yearly certification might sound like a pain, but this is necessary because cybersecurity changes so frequently. The CSF is ultra-relevant and timely, so it makes sense that you need to recertify every year. 

On average, it takes 9 - 12 months from start to finish to complete your HITRUST certification, but it varies quite a bit. The actual timeline will vary based on how big your organization is, how many departments you have, the scope of the certification, and more. In some cases, companies can complete the process in as little as 6 months, although certifying the CSF with the HITRUST Alliance—the lengthiest step in the process—can take up to 18 months alone. Generally speaking, the bigger and more complex your business, the longer you can expect HITRUST certification to take. 

HITRUST Certification Audits

The HITRUST certification shows that you’ve met all of the CSF controls for this current year. To pass, you need a rating of at least 3 or higher on a scale of 1-5 for every CSF control. The HITRUST Alliance documents the entire process online in the MyCSF portal

The HITRUST certification looks at how well you comply with the components of the CSF, which includes:

  • 14 control categories

  • 49 control objectives

  • 156 control specifications, with 3 implementation levels per control

Keep in mind that not every control will apply to you. Identifying the applicable controls for your organization is a key step in the process, and a HITRUST CSF Assessor or consultant can help you determine which controls are applicable based on the type of company and products being certified. 

There are also different types of HITRUST assessments organizations can pursue. Figure out which HITRUST assessment you should complete based on your needs: 

  • HITRUST CSF Readiness Assessment: This is a self-assessment that you use to prepare for the real thing. You don’t have to use a HITRUST assessor for this, but some people hire a consultant for expert guidance to ensure they’re adequately prepared for the next steps. 

  • HITRUST CSF Validated Assessment: This is a third-party assessment that you do with an authorized third-party CSF Assessor approved by HITRUST. The assessor then reviews the report, verifying the information gathered by the organization, and issues a Validated Report provided that confirms the organization’s maturity level for the applicable security controls. The Validated Assessment can then be submitted to HITRUST for review and certification if the organization wants to pursue formal HITRUST CSF certification. However, some organizations opt to stop at this stage rather than pursuing formal HITRUST certification. While a Validated Assessment is a lower Degree of Assurance than formal certification, it’s adequate for some organizations’ needs. 

  • HITRUST CSF Interim Assessment: You’ll do this assessment if you’ve already received HITRUST CSF certification. The interim assessment is something you do at the one-year mark to keep your HITRUST certification in good standing. 

  • HITRUST Bridge Assessment: Are delays threatening your HITRUST certification? A Bridge Assessment, a new option introduced by HITRUST in April 2020, helps you maintain a form of certification for 90 additional days if you missed the submission deadline. It’s not a permanent fix, but it can buy you some much-needed time. Note that a Bridge Certificate doesn’t extend the expiration date of an organization’s HITRUST CSF Validated Report with Certification. Instead, a Bridge Certificate represents a lower level of assurance that an organization continues to meet the required control specifications until it can complete its HITRUST CSF Validated Assessment. 

If you aren’t sure what type of assessment you need to take, HITRUST created this helpful quiz to put you on the right track.

5 Steps to Get HITRUST Certified

Curious how the HITRUST certification process works? Here are the 5 steps we recommend you take to pass your certification with flying colors. 

1. Get Your Ducks in a Row

First of all, what kind of assessment do you need to complete? Which controls apply to you? Learn the ins and outs of HITRUST so you know precisely what you need to do when it’s time to get certified. 

Make sure you have all of your documentation ready before the audit. Assessors are going to ask for documentation, so make sure it’s up-to-date and easily accessible. Since this is already a HIPAA requirement, you should be prepared if you’re subject to HIPAA compliance as well, but double-check that all of your documentation is correct anyway.

It takes months of blood, sweat, and tears to finish the HITRUST certification, so prepare your team for what’s coming. Explain what HITRUST is and why it benefits your organization. Warn your staff that assessors might interview them so they aren’t caught off-guard.

2. Conduct a Self-Assessment

It’s always a good idea to do a practice round before you pursue formal assessments. That’s why every organization needs to do the HITRUST CSF Readiness Assessment first. This self-assessment will help you do a thorough risk analysis of your organization in preparation for the HITRUST certification process. 

While you’re free to do this internally, some organizations prefer to hire a HITRUST-approved assessor. But if you choose to audit internally, make sure your internal assessors are up for the job to avoid pitfalls like improper scoping.

During the self-assessment, you’ll go through the CSF controls and rank yourself in terms of how mature your organization’s security measures are related to that control. This is especially important if it’s your first time certifying and you want to minimize the headaches that come with the real audit process. Use the practice assessment as an opportunity to improve and strengthen your organization’s security posture before the real thing.

3. Partner with an Assessor

Once you’re satisfied with your self-assessment, it’s time to pursue HITRUST certification. To get started, contact an approved HITRUST external assessor. Here are a few things to look for when choosing a HITRUST Assessor

  • Experience conducting assessments and certifications

  • Experience implementing HITRUST in your industry

  • The depth of their audit processes

  • Qualifications for other attestations, such as SOC 2 Type 2

The assessor’s goal is to make sure that you did an accurate self-assessment and that you fixed any problems found during that assessment. 

If you completed a self-assessment internally, the external assessor will ask to see a copy of your self-assessment so they can see how well you remediated any issues. The assessor will also: 

  • Analyze your policies and documentation 

  • Interview your staff 

  • Monitor your controls 

  • Test your controls

If your organization stands up to scrutiny, the assessor will grant a Validated Report and can help you upload documentation to the MyCSF portal if you’re pursuing formal HITRUST CSF certification. 

4. Get Certified!

At this point, HITRUST will look over the audit documents to make sure the assessor’s reports are correct. If everything looks good, HITRUST will issue your certification and alert you via MyCSF. Easy enough, right? 

5. Make a Plan for Next Year

Before you start celebrating, remember that you need to recertify yearly for HITRUST. Sure, the certification itself is good for 2 years, but you’re still on the hook for an interim assessment at the one-year mark, too. 

Your organization needs to be able to certify every year. Make sure that you have sustainable procedures and documentation processes in place that make annual certification a smoother process for your team.

HITRUST Certification Simplifies Compliance

Healthcare organizations and businesses in other highly regulated industries transmit a lot of sensitive information. HITRUST is a standard that goes beyond the bare minimum, protecting customers’ and patients’ sensitive information for a better experience all around. 

HITRUST certification is a stamp of approval that shows you know how to handle data. But as you can see, certification is no picnic. HITRUST certification is complex and time-consuming, and that’s why you need a trusted toolkit on your side to simplify the audit process. 

Datica helps healthcare businesses automate their compliance to make HITRUST certification much easier. Watch a quick demo now to see the Datica platform in action.