HITRUST Certification: 15 Important Questions Answered

HITRUST certification

The HITRUST Common Security Framework (CSF) was created by the Health Information Trust Alliance (or HITRUST Alliance) to provide a formal certification process for an information security program. HITRUST certification provides a high degree of confidence in the verified ability of an organization to meet its regulatory compliance needs and ability to implement reasonable safeguards.

HITRUST certification comes in three flavors:

  • The HITRUST bC verified assessment which is a self-assessment performed by an organization. This is set to be supplanted by the HITRUST e1 validated assessment in January 2023.
  • The HITRUST i1 validated assessment which is an assessment conducted by a HITRUST assessor firm or HITRUST-approved assessor of 219 HITRUST CSF controls. This is valid for one year and can be supported by a readiness assessment.
  • The HITRUST r2 is a HITRUST-validated assessment of the full HITRUST CSF control baseline applicable to an organization. This is valid for two years, with the completion of an interim assessment after the first year. It can be supported by a readiness assessment. An organization can engage in a bridge assessment if it is engaged in the certification process to prevent certification lapse.

This article answers questions most commonly asked by organizations about attaining and maintaining HITRUST certification.

(NOTE: If you’re looking for consulting around HITRUST certification, our free tool below matches you with leading HITRUST consultants that suit your needs and budget.)

Find the Right HITRUST Consultancy Fast

Get matched for free with top HITRUST consultants that fit your budget.

Sidechannel Logo Optiv Logo

By submitting this form I acknowledge that I have read and understand the Privacy Policy and agree to the Terms of Use.

What is the Benefit of HITRUST Certification?

There are many benefits of HITRUST certification, especially for Covered Entities, Business Associates, and other healthcare organizations or healthcare industry participants. That seems obvious given that HITRUST stands for Health Information Trust. The HITRUST CSF certification was originally designed with Health Insurance Portability and Accountability Act, or HIPAA, requirements in mind.

The HIPAA Privacy Rule requires periodic assessments of organizational compliance with HIPAA. The HITRUST framework and HITRUST certification process sought to provide that periodic assessment with a high degree of validated compliance confidence to signal HIPAA compliance and implementation of critical HIPAA-mandated security controls.

The Health Information Trust Alliance now highlights the breadth of security and compliance frameworks covered by the HITRUST CSF and the competitive advantage that can be realized by organizations that achieve certification. It’s not just for the healthcare industry and is widely accepted as a measure of information security and compliance program maturity. Any organization that wants to demonstrate compliance with strict regulatory requirements or that it verifiably protects sensitive information and can appropriately manage risk can do so by pursuing HITRUST certification.

Few other security certifications are as comprehensive or deep concerning demonstrating administrative, technical, and physical safeguards. The HITRUST CSF incorporates not only regulatory compliance objectives, but also security best practices from NIST 800-53, NIST CSF, ISO 27001, and others. Customers and partners who want to know that customer data is being secured can look to the existence of a HITRUST-validated assessment as a demonstration of high-quality information risk management.

Who Needs HITRUST Certification?

There’s no legal or regulatory mandate requiring any vendor to adopt or certify themselves to HITRUST standards.

Some publications online have highlighted that “they’ve heard” certain large healthcare organizations “require” their vendors to be HITRUST certified. I have never seen evidence of that requirement–which would be critical to communicate to the vendor community at large–or even the names of those organizations published anywhere.

I’m very dismissive of those kinds of unfounded claims based entirely on hearsay. That’s not to say it’s not a requirement by some organizations. However, in over a decade of working with and for healthcare organizations large and small, I’ve never personally encountered it.

While no organization absolutely needs HITRUST to function, it is a valuable tool for demonstrating a strong risk management program and a high degree of competence in protecting customer and client data.

Specifically, it is valuable to organizations that:

  • want a single assessment
  • with measurable criteria
  • conducted periodically
  • by an independent third-party assessor
  • that results in formal certification
  • which can be used to demonstrate meeting regulatory requirements for multiple regulations and
  • develop a high degree of confidence in an organization’s security program.

Breaking that down really highlights why this has become such a popular certification process for healthcare providers and the healthcare sector. The HITRUST Common Security Framework provides a process that satisfies both the HIPAA Privacy and Security Rules. It validates the protection of Protected Health Information (PHI) to a high degree of confidence.

It also highlights why other human services, finance, and other heavily regulated sectors can benefit from being HITRUST CSF certified. The detailed focus on administrative, technical, and physical security controls combined with a certification runway make this a solid choice for any organization that wants to demonstrate its security posture to the world.

Is HITRUST Only for Healthcare?

No. The breadth and depth of HITRUST assessments and the significance of HITRUST certification can identify the quality of information security programs in many industries and sectors. Since the HITRUST requirements are based on numerous security frameworks, not limited to HIPAA security requirements, they are generally applicable.

Is HITRUST a Risk Assessment?

The HITRUST certification process is a kind of risk assessment. HITRUST compliance requires a readiness assessment in the form of validated assessments against the Common Security Framework.

To obtain HITRUST certification, an organization must show substantial conformance with the HITRUST CSF. Success on a HITRUST assessment, even a self-assessment, depends on the ability of an organization to demonstrate a high degree of HITRUST CSF conformance and a managed risk posture.

Is HITRUST an Audit?

Hitrust certification auditor

The HITRUST process for conducting validated assessments can look a lot like an audit. It’s typically conducted by a third party and when the bC self-assessment is phased out, that will be the only option. Control compliance is validated by the third-party assessor and verified via the collection of evidence for that control. That evidence can be used later as audit evidence in support of other audit activities.

Similar to an audit, after a validated assessment, the assessor will generate a gap report highlighting areas lacking HITRUST Common Security Framework (CSF) compliance. Depending on organizational performance on the assessment, a remediation plan must be created and progress will be measured during subsequent assessments.

The major difference between a HITRUST-validated assessment and an audit is that the validated assessment results in HITRUST CSF certification.

How Many Companies are HITRUST Certified?

Unfortunately, there’s no roster of how many companies hold HITRUST certification. Given the prominence of HITRUST among healthcare organizations as a proxy for verifying the presence of a HIPAA-compliant security program, it’s safe to say “probably a few thousand.”

How Long is HITRUST Valid?

The HITRUST i1 certification is valid for one year. The HITRUST r2 certification is valid for two years and an organization must complete an interim assessment successfully after the first year.

How Long Does a HITRUST Audit Take?

Depending on the size and scope of the HITRUST assessment–which is impacted by organizational size, the volume of applications, regulatory factors, and other objectives–a HITRUST assessment can take 6-12 months.

What is the Cost of HITRUST Certification?

HITRUST certification for most organizations will cost between $50,000 and $250,00. That will depend on numerous factors including organization size, the infrastructure being assessed, and other organizational factors.

What is a Passing Score for HITRUST?

62 is a passing score for HITRUST certification. That means that an organization scored at least 3 points out of 5 for all 19 HITRUST CSF domains.


No. HIPAA is the regulation governing the use, processing, storage, and destruction of Protected Health Information. Healthcare organizations handling PHI in covered operations must comply with HIPAA.

HITRUST lets Business Associates and Covered Entities apply a certifiable compliance framework toward their HIPAA compliance objectives. It also lets them measure other healthcare organizations or related organizations that aren’t required to follow HIPAA.

What is the Difference Between HITRUST and SOC 2?

HITRUST created the Common Security Framework (CSF) to be a certifiable compliance framework based on numerous other security and regulatory standards.

SOC 2 is a type of audit report generated by an American Institute of Certified Public Accountants (AICPA) licensed CPA or auditing organization under defined auditing standards. The SOC 2 audit leverages other verifiable frameworks and standards, like HITRUST, to measure organizational compliance and risk management practices.

For our more detailed comparison between HITRUST and SOC 2 see this article.

What is the Difference Between HITRUST and HIPAA?

As highlighted above, HIPAA is the regulation that safeguards Protected Health Information, which is a very narrowly defined set of healthcare customer data. It is a mandatory compliance driver for large swaths of the healthcare industry.

HITRUST is a security framework and certification mechanism to show information security and risk management sophistication. It can be used to highlight the protection of sensitive healthcare information and compliance with HIPAA.

For our more detailed comparison between HIPAA and HITRUST see this article.

What is the Difference Between HITRUST and ISO 27001?

ISO 27001 is a security framework developed by the International Organization of Standards, based in Geneva, Switzerland. It is a high-quality certifiable information security framework.

HITRUST is also a high-quality certifiable information security framework that incorporates ISO 27001 and other standards. A HITRUST assessment can include more objectives and controls for an organization compared to ISO 27001. As a result, some believe that HITRUST is a more strenuous framework. Whether it is or not, both HITRUST and ISO 27001 are well-respected and widely accepted certifiable frameworks.

What is the Difference Between HITRUST and NIST 800-53?

NIST 800-53 is a security framework developed by the National Institute of Standards and Technology in the United States. Presently in its fifth revision, it provides extensive and detailed controls for organizational security needs.

HITRUST accounts for the NIST 800-53 controls and incorporates conformant objectives in the CSF. Where NIST 800-53 has no certification process, HITRUST does. As with ISO 27001, both NIST compliance and HITRUST certification are widely respected. However, if an organization wants a validated certification, then the NIST controls have no formal process for that. HITRUST does and accounts for the NIST controls thoroughly.

Published by Aaron Weismann
Aaron Weismann is a healthcare industry CISO with over a decade of strategic management, technology, and information security experience. He deepest experience is in managing and securing sophisticated and highly regulated environments. His expert...
Network Assured on Facebook     Network Assured on Twitter
Copyright © 2022 Network Assured