Datica Blog

January 23, 2019

What is the Cost of HITRUST CSF Certification in 2019?

Datica Team

Editorial Staff

Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum versus solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information to those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions? HITRUST CSF Certification costs what?

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component to data systems and exchanges. The HITRUST organization, in partnership with other technology and information security leaders, created and maintains the Common Security Framework (CSF). Organizations can gauge their compliance to the HITRUST CSF by performing many types of assessments.

Cost is one of a few gating factors for companies considering a HITRUST Assessment. This cost breaks down into two broad categories – direct and indirect costs. The costs for a HITRUST Certification have gone up as the HITRUST CSF has evolved and become more complex.

  • The direct costs for this include both fees to HITRUST and to your auditor or approved assessor. The direct cost, at the low end, is about $60,000-$120,000 but costs can be much higher for larger organizations.
  • Indirect costs are harder to quantify. In regard to the Datica HITRUST assessment, we estimate the total time spent for all employees and have come to an estimate of 400 hours. Also necessary to consider is the time spent between each audit to address issues and solidify compliance and infosec programs. Though not captured for our HITRUST assessment, this contributes to the overall cost of compliance.
  • Conservatively estimating the cost of an hour of work to be $100/hour, a rough calculation can be tallied. With the cost of salaries, benefits and lost opportunities from work not performed simultaneously (writing code, customer support, sales, marketing, etc) a partial loss must be considered. Based on those numbers, the total cost of the HITRUST Assessment is appraised $100,000 - $160,000.

Why does HITRUST matter?

As healthcare becomes further dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become progressively emphasized, yet convoluted, challenges. Navigating the tortuous labyrinth of federal, state and third-party security mandates is now a feat that can quickly consume an organization’s resources. If that isn’t enough, getting through all of the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to guarantee they are a trusted business partner. With all considerations, isn’t it obvious the industry is in need of a system that is clear, standard and secure? Thankfully, that’s exactly what HITRUST has established in order to put the trust in data security.

Additionally, with the recent push on privacy and high profile regulations like GDPR, there is an increased desire to push security and compliance higher up as an organizational priority and into the product lifecycle. HITRUST can help do this within your organization.

HITRUST isn’t easy, and it shouldn’t be. The experience we’ve gained as a company and the extensive testing of our technology brings great value to our customers. We’re ecstatic because our HITRUST CSF Certification is helping our customers prove their applications and data are secure by being an even more compelling point of proof than our HIPAA audits.

If you’re already a Datica customer, there’s nothing you need to do; the infrastructure you’re hosting on is HITRUST CSF Certified. If you’re not a Datica customer and still want to learn why this is so valuable, or simply have questions about what it takes to complete a HIPAA audit or HITRUST assessment, please don’t hesitate to reach out, as our team of experts wants to be your trusted resource.

Visit the Datica blog or the Datica Academy to learn more about HITRUST.

Related Reading