HITRUST Certification Understanding the Basics

1. What is HITRUST?

HITRUST is a privately held company that, in collaboration with leading healthcare, technology and information security organizations, developed the HITRUST CSF. The HITRUST CSF is a risk-management framework. Through the HITRUST Certification program, HITRUST has evolved into the gold standard for healthcare information security assurance, giving providers and business associates an efficient and standardized way to demonstrate and communicate the effectiveness of their IT security and privacy programs.

2. What is the difference between HIPAA and HITRUST?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that includes security and privacy regulations for covered entities (care providers) and business associates (service providers) using or disclosing protected health information (PHI).

As mentioned above, HITRUST is a privately held organization that has created a risk management framework (the CSF) intended to serve as a gold standard for reporting the effectiveness of a company’s IT security and privacy programs.

3. Is HITRUST a requirement?

HITRUST is not a regulatory requirement. However, many covered entities and business associates have adopted the CSF framework and/or certification program. Similarly, many of them have also mandated that their business partners become HITRUST certified as a means of managing and standardizing their third-party risk management programs.

4. What is the HITRUST CSF?

The HITRUST CSF is a comprehensive set of IT controls based on ISO/IEC 27001:2005 and 27002:2005 and incorporates or maps to more than 40 other security, privacy, and regulatory frameworks, laws and standards.

5. How do I get HITRUST certified?

The HITRUST CSF Assurance program outlines the three-step process to become HITRUST CSF Certified: 1) Self-Assessment, 2) CSF Validated Assessment, performed by a HITRUST Authorized External Assessor, such as risk3sixty, and 3) HITRUST review, report issuance, and certification.

6. How many control requirements are there in HITRUST?

It depends. As part of the HITRUST CSF Assurance program, entities must subscribe to the HITRUST MyCSF platform. To begin an assessment in the platform, the organization is led through a scope and profiling section. The output is a set of customized controls, based on the organization’s risk profile, to which the organization must demonstrate compliance.

The organization can elect to incorporate additional control frameworks in an effort to demonstrate compliance with multiple laws, regulations, or compliance requirements (e.g. GDPR, HIPAA). From our experience, most organizations we serve that would be considered “high-growth technology companies” tend to have between 270 and 350 requirement statements (aka controls) in scope.

7. Who performs HITRUST assessments?

In order to be HITRUST CSF Certified, an organization must engage with a HITRUST Authorized External Assessor, such as risk3sixty.

8. How long does it take to become HITRUST CSF Certified?

This depends on several factors, such as the maturity of the organization, security program readiness, internal resource availability, remediation requirements, and the scope and complexity of the environment.

On average, accounting for the time it takes to become ready for the HITRUST CSF Validated Assessment, we generally see the process take nine (9) to twelve (12) months. There are some process dependencies which the organization and the Authorized External Assessor cannot influence, such as the (current) minimum of ten (10) weeks it takes for HITRUST to review and process the validated assessment and to issue certification.

9. How much does it cost?

Depending on the scope and complexity of the environment and the assistance needed (e.g. self-assessment/remediation), in general, we suggest an organization budget roughly $100,000. The organization’s risk profile, which determines the required number of in-scope requirement statements (aka controls), will play a large part in this: obviously a scope of 300 requirement statements vs. 750 requirement statements will result in a very large difference in required effort (both internally and from the external assessor).

Additionally, it is important to note that there are certain fees that must be paid to HITRUST directly (for access to the MyCSF platform and HITRUST’s review of the validated assessment and certification process) vs. those fees paid to the external assessor. For budgeting purposes, the typical high-growth technology company may estimate fees paid to HITRUST to be in excess of $20,000, while fees paid to the external assessor may be estimated between $50,000 and $75,000, depending on the scope.
