Making Sense of the HITRUST Certification Process


The healthcare sector handles protected health information (PHI) and electronic PHI (ePHI) that must be guarded from unauthorized access. As such, it’s crucial that healthcare organizations and their business associates institute measures to uphold the confidentiality and integrity of their data.

Your organization achieves this by complying with the Health Insurance Portability and Accountability Act (HIPAA), which can be overwhelming on its own. To simplify the process, the HITRUST Alliance formed the HITRUST Cybersecurity Framework (CSF). Once you understand the HITRUST certification process, complying with other regulatory requirements becomes much easier.

HITRUST Assessment and Certification Process

HITRUST Alliance: Who are they?

HITRUST Alliance is an abbreviation of Health Information Trust Alliance. This body brings together various players in the healthcare industry to assess the security risks facing the industry.

They foster collaboration between the various regulatory bodies tasked with upholding cybersecurity. This unity helps in developing unique and applicable methods to mitigate the security risks that characterize health information.

HITRUST CSF consolidates healthcare regulatory requirements including HIPAA, NIST, ISO, and PCI, among other information security standards. When the stakeholders work together, they develop a single, fully integrated set of measures that healthcare institutions can follow in the compliance process.

While all of these regulatory standards support HIPAA compliance, PCI, ISO, and NIST do not offer security regulations specific to PHI and ePHI. The HITRUST CSF comparison whitepaper highlighted the different ways in which the security issues affecting healthcare providers and their business associates can be resolved. For example, ISO 27001 is useful in the HIPAA compliance process, but ISO 27001 only provides third-party assurance. NIST SP 800-53 is not based on ISO 27001, but it provides an adequate framework for compliance controls and for the assessment and certification process.

The HITRUST CSF is based on ISO 27001, and it offers a baseline security framework tailored to the healthcare industry. It is prescriptive by design, allowing customization while ensuring compliance with the security framework. It provides organizational and third-party assurance as well as tool support and assessment guidelines.

HITRUST: Is it Risk-Based or Compliance Based?

HITRUST is a risk-based system, but it allows you to take a compliance-based approach to managing your risks. Organizations should implement various controls to mitigate information security risks.

The system lets you begin with the individual risks that characterize your business operations, and then provides the specific controls you need to implement to mitigate those risks.

What is the HITRUST Assessment?

This platform offers different levels of engagement with the CSF depending on the needs of your organization. The HITRUST engagement levels include:

  • Self-Assessment. For organizations whose aim is to review their controls without necessarily acquiring CSF certification.
  • Validated Assessment. For organizations that need to perform a self-assessment and then obtain a CSF Validated Assessment and certification.
  • Organizations whose aim is to use the HITRUST CSF to develop their privacy and security controls.

What is the Difference?

The engagement levels differ significantly. The self-assessment is mainly adopted by small organizations, mostly for internal tracking and monitoring. These organizations purchase a CSF Assessment Report or join the MyCSF program to aid their compliance.

You should note that becoming CSF Validated and acquiring CSF certification may require that you buy a CSF Assessment Report, subscribe to MyCSF, or engage a CSF Assessor body.

How to Complete a CSF Self-Assessment

The process begins by filling in a risk-based questionnaire that assesses the maturity level of your organization across several yardsticks, including:

  • Presence of a policy or standard
  • Availability of processes and procedures to support the adoption of the system
  • Policy implementation
  • Tests and measures of management maturity in operations
  • Corrective measures instituted as needed

Within these categories, the level of compliance of an organization can be defined as:

  • Non-compliance
  • Partially compliant
  • Somewhat compliant
  • Mostly compliant
  • Fully compliant

Once you have completed the self-assessment, you submit the questionnaire.

Who should be CSF Validated or CSF Certified?

All healthcare providers and business associates gain their clients’ confidence when they comply. It also helps in meeting HIPAA requirements.

Difference between HITRUST CSF Certification and Validation

Both processes involve the use of a HITRUST CSF Assessor. The certification process begins with a self-assessment, after which the assessor comes in to validate the effectiveness of the controls. The assessor’s on-site review uses HITRUST’s MyCSF tools to test the controls and generate a verified report.

At this point, the business is validated but not certified. The report is then forwarded to HITRUST for the certification process. Once issued, the certificate is valid for 24 months unless a breach is reported to the Department of Health and Human Services. HITRUST also reserves the right to decertify your business in case of misrepresentation of a control.

Use of Technology Software to Ease HITRUST Certification

You can use technology software to assess the HITRUST controls if you’re already certified. These applications offer a single source of truth on your controls, making it easy to determine compliance and thus shortening certification time. They also provide remediation strategies.

Author Bio

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at

This is an article provided by our partners network. It might not necessarily reflect the views or opinions of our editorial team and management.