HITRUST Nuances and How to Use Them to Your Advantage


The HITRUST CSF contains several attributes that differentiate it from other information security frameworks.  Here are three tips on how to handle them!

The HITRUST Business Case

Many consider the HITRUST CSF to be one of the top cybersecurity frameworks for organizations to adopt.

Although it was initially designed as an answer to demonstrate HIPAA compliance, HITRUST has since established itself as an industry-agnostic solution that virtually any entity can leverage to strengthen its information security posture.

In addition to an enhanced security posture, certified entities may also receive the benefit of complying with other frameworks that have been mapped to the HITRUST CSF (previously known as the Common Security Framework). Included in these other frameworks are ISO 27001 and NIST 800-53, which the HITRUST CSF was predominately modeled after.

The HITRUST CSF contains several nuances that differentiate it from other frameworks. The tips below identify actions your organization can take to address these nuances and use them to your advantage.

Policies and Procedures

One of the distinguishing factors within the HITRUST Assurance Program is that each requirement is scored at three maturity levels, at a minimum: Policy, Process, and Implemented.

Organizations are often able to treat the Policy and Process maturity levels as the “low-hanging fruit” when trying to boost their requirement scores.

Entities can receive partial credit towards requirements by simply documenting policy and procedural statements around controls implemented to meet those requirements. These scores are completely independent of the implemented control itself, which may take significant time and effort to remediate.

90 Day Testing Window

Another nuance of the HITRUST Assurance Program is that all testing related to a validated assessment must be completed within a 90-day window. This requirement forces assessed entities to be disciplined since they have a strict deadline to demonstrate that all controls are in place.

Entities being assessed should devote ample time during their readiness and remediation phases to ensure that control owners understand the HITRUST testing methodology and their responsibilities within the process, especially as it relates to evidence collection.

This will ensure that control owners can quickly turn over relevant artifacts once validated testing begins, resulting in a more efficient assessment.

As an auxiliary benefit, if control owners understand their roles and responsibilities, they are also more likely to validate that their respective controls are operating throughout the year.

Three-Party System

Unlike most external audits that only involve the entity being assessed and the assessor, HITRUST engagements require a three-party system. In addition to involvement from the assessed entity and the assessor, the HITRUST Alliance is responsible for performing a quality assurance (QA) function on each assessment and for issuing the final report.

The primary benefit resulting from this requirement is that assessor firms can assist with remediation support without jeopardizing their independence.

For this reason, it is critical that assessed entities conduct due diligence and choose an assessor firm that is right for them.

At a minimum, assessed entities should ensure that their assessor understands their business and their control environment, has the knowledge and experience necessary to guide the assessed entity through the engagement, and can recommend practical and cost-effective solutions to remediate identified gaps while leveraging a risk-based approach.


Organizations that pursue HITRUST certification can realize a plethora of benefits. In order to become certified, these organizations must understand the nuances of the HITRUST CSF and how to effectively address those aspects of the framework and associated assurance program.

Assessed entities can best prepare for their HITRUST assessment by developing strong policies and procedures, ensuring control owner involvement in the readiness and remediation process, and partnering with an assessor firm that can guide them through all aspects of the certification process. For further information on the certification process, please reference the following whitepaper.

Share to


Share to

Like our content? Subscribe and stay informed.