Making Sense of HiTrust Certification

Estimated reading time: 4 mins

Proper handling, management, and storage of protected health information (PHI) and electronic protected health information (ePHI) are critical in the healthcare industry.

The federal government and different regulatory bodies have dozens of guidelines on the handling and storage of patient health information. Failure to adhere to the requirements has various consequences, including substantial fines and even jail time.

Most healthcare organizations and their business associates find it challenging to meet the Health Insurance Portability and Accountability (HIPAA) requirements. This is the reason why the Health Information Trust Alliance (HITRUST) established the HITRUST Cybersecurity Framework (CSF).

HITRUST CSF is a certified framework that helps healthcare providers to meet and adhere to regulatory risk management and compliance requirements.

HITRUST Assessment & Certification Process

The HITRUST Alliance comprises of different risk management leaders from diverse sectors of the healthcare industry. The leaders collaborate with cybersecurity and risk management professionals to develop frameworks and standards that help to prevent data breaches in the healthcare industry.

Overview of the HITRUST CSF

HITRUST CSF aims at creating a fully-integrated, single data risk management standard for the healthcare industry. The framework combines the relevant healthcare regulatory compliance requirements from HIPAA, NIST, PCI, ISO, and other information security standards.

All information security standards enable HIPAA compliance in one way or the other. However, PCI, NIST, and ISO do not provide comprehensive guidelines on the protection of healthcare information. HITRUST CSF can help healthcare providers and their business associates fill in the gaps left by these standards. Check the HITRUST CSF comparison paper for more details.

HITRUST CSF is primarily a risk-based model that encompasses a compliance-based approach. The framework requires organizations to implement various controls to mitigate residual information security risks.

In a nutshell, HITRUST CSF uncovers the risks that an organization faces and outlines specific mitigation controls that should be implemented.

HITRUST Assessment Levels

You can engage HITRUST CSF at various levels. The engagement level will determine the type of assessment that would be suitable for your organization.

The engagement levels are:

  1. Self-Assessment. This assessment is for organizations that want to review their controls but are not keen on getting a CSF certification, or a CSF Validated assessment.
  2. Validated Assessment. This assessment is for healthcare providers that want to perform a Self-Assessment and then get a CSF certification, or a CSF Validated Assessment.
  3. This level is for organizations that want to use HITRUST CSF to build their privacy and security control frameworks.

HITRUST provides different CSF tools to help organizations attain federal and regulatory compliance at each engagement level.

Which CSF Assessment Should You Choose?

The Self-Assessment is suitable for small organizations that want to track their regulatory risk management compliance internally.

To become CSF Certified or CSF Validated, the CSF Assessment Report is required. To get the report, organizations need to engage a CSF Assessor Organization.

Completing a CSF Self-Assessment

Completing the Self-Assessment involves filling out a questionnaire that aims to discover the security measures implemented in your organization to reduce risks. The information assessed in the questionnaire include:

  1. i) The organization’s information security standards or policy
  2. ii) Processes and procedures that support the policy

iii) How the policy has been implemented

  1. iv) Risk management tests carried out to determine the effectiveness of the policy
  2. v) The corrective measures that will be activated in cases of data breaches

In the questionnaire, you will have to indicate your organization’s level of compliance for each category.

After completing the questionnaire, you should forward it to HITRUST.

CSF Validation vs. CSF Certification

Both CSF certification and validation require you to work with a HITRUST CSF Assessor. To get certified, you have to carry out a Self-Assessment and then bring the assessor to review and validate the effectiveness of your information security.

The assessor will go through the answers you provided in the questionnaire and use HITRUTS’s MyCSF Tool to test your controls. Finally, the assessor will generate the CSF Validated Report. After the validation report has been created, it has to be sent to HITRUST for certification. HITRUST will then certify the report, after which the organization will be CSF Certified for 24 months.

If the organization experiences a data breach and reports it to the Department of Human Services, risk analysis, and forensic investigation will have to be carried out to determine the technical causes of the breach.

CSF certified or validated organizations that suffer a data breach are required to carry out an annual assessment for two years following the breach. Misrepresenting security controls or failing to disclose data breaches can lead to decertification.

Use Compliance Software to Ease HITRUST Certification

There are various compliance programs that you can use to perform a gap analysis and determine how your organization fares concerning healthcare regulatory compliance standards. If you are ISO or NIST compliant, you can document your existing controls and then use the compliance software to carry out a gap analysis of the additional controls required for HITRUST certification.

Some programs can provide real-time visibility of your organization’s compliance and risk exposure. This information is critical to identifying and mitigating potential breaches before they happen.

Compliance risk management programs also provide a single-source-of-truth, which is crucial for testing and validation. When all your documentation is stored in a single place, you can quickly get the information that the CSF Assessor needs to support your control decisions and risk-based analyses.

Author Bio

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at

Leave a Comment

Please note: if you are making a comment to contact me about advertising and placements, read the Advertisers page for instructions. I will not reply to comments about this subject.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top
How Am I Doing?

Did this discussion solve your problem?

Then please share this post or leave a comment.