How to Get HITRUST Certified—and Why

Satya Moutairou

30 Oct 2023

What is the HITRUST Certification?

In 2007, a group of healthcare organizations, technology companies, and government agencies—including the American Hospital Association, Blue Cross Blue Shield Association, the Centers for Medicare & Medicaid Services (CMS), McKesson Corporation, and Microsoft—got together to create a unified approach to information security and privacy.

HITRUST approach

Image source:

The result was the Health Information Trust Alliance’s Common Security Framework (HITRUST CSF). The HITRUST framework provides a comprehensive set of security controls and best practices to help organizations protect their data. More than 100 different controls cover a range of domains, from device and network security to employee education and incident management.

HITRUST’s integrated approach ensures all security components are aligned, maintained, and strong enough to support your organization’s specific information risk management and compliance requirements. While HITRUST is voluntary, it’s designed to help businesses comply with mandatory regulations and preferred security standards, such as HIPAA, GDPR, and ISO 27001. 

HITRUST has grown to become the most popular information security and privacy certification compliance program in the world, with more than 1,000 organizations certified globally. Organizations in the healthcare industry most commonly follow HITRUST compliance standards, but any organization can use the framework to protect sensitive data.

Is HITRUST certification valuable?

Companies that achieve HITRUST certification—and maintain it—reduce their vulnerability to cyberattacks; increase trust among customers, investors, and other stakeholders; and improve operational efficiency. Here are just a few scenarios where HITRUST can make your life easier:

  • HITRUST better prepares your IT and risk management teams to discuss risk appetite and mitigation strategies with executives and other stakeholders
  • Your sales team can use HITRUST to address security concerns of prospective customers
  • HITRUST can help your business save time and money by replacing extensive InfoSec questionnaires from potential partners and reducing cybersecurity insurance premiums

Because HITRUST CSF is actively managed and updated to meet the latest risk factors, security threats, and regulatory requirements, you’ll always have the best protection available. Now in version 11.2.0, HITRUST CSF offers a significant advantage over other frameworks with limited or no active management, such as PCI and NIST.

How to get a HITRUST certification

Obtaining and maintaining HITRUST certification requires a commitment of resources across your organization, including IT staff, compliance, risk management teams, and a project coordinator. Depending on the maturity of your existing security program, you can expect your resource team to put in 20–30 hours a week for two to three months. The HITRUST certification cost can range from several thousand dollars to several hundred thousand dollars, depending on your organization size and complexity of your tools and processes. If you’re new to HITRUST and your company is large and complex, your commitment will be higher.

The HITRUST CSF framework is available for qualifying organizations at no charge, but all organizations must purchase a HITRUST MyCSF SaaS subscription. This web portal is where you manage your audit and remediation efforts.

Hiring an outside assessor can also be useful for getting through the certification process, and you may need to purchase additional tools to address any security issues you need to fix before you can get certified. 

Here are the basic steps involved in the HITRUST certification process:

1. Define your scope

Identify the sensitive information your company obtains or generates, such as medical records, billing and payment information, and other Personally Identifiable Information (PII).

2. Map your data flow

Map your data flow and diagram your network. Like the first step, this effort will require assistance from IT and any departments that handle sensitive information.

3. Choose your assessment level

HITRUST offers three levels of assessment based on your current needs:

Basic Current-State (bC) Self-Assessment
This is a strong starting point for implementing HITRUST and lets your stakeholders know that you’re working towards certification

Implemented 1-Year (i1) Validated Assessment
This option provides a good level of assurance for a relatively modest effort. It’s for organizations that want certification but aren’t prepared, or don’t need, to go through a more extensive r2 Assessment.

Risk-Based 2-Year (r2) Validated Assessment
The highest level of assurance is ideal for organizations with greater risk exposure due to data volumes, regulatory compliance, and other risk factors. 

hitrust assessment by level of effort

With HITRUST, the more you put in, the more you get out. Image source:

4. Determine your HITRUST readiness  

Options i1 and r2 above offer Readiness Assessments that help you evaluate your security controls against HITRUST controls requirements, so you can understand the strength of the framework and determine any gaps you need to remediate. The Readiness Assessment will position your security posture to achieve a successful Validated Assessment and HITRUST certification. 

5. Conduct a HITRUST Validated Assessment and get certified

An authorized external assessor must perform the HITRUST CSF Validated Assessment. The assessor collects and submits evidence about your security controls to HITRUST. If you meet the HITRUST CSF certification standards, you’ll receive your certification. It’s valid for two years, but you’ll need to undergo an interim assessment after one year.

Common challenges when pursuing a HITRUST assessment

Getting HITRUST CSF certified requires leadership buy-in, as the preparation process takes time and money. Here are common concerns and ways to address them:

HITRUST is expensive

It’s true that preparing for a HITRUST certification costs money: there are fees to pay to HITRUST, to an auditor, and possibly for additional team resources. Ways to reduce potential costs include: 

  • Getting preferential pricing through an auditor referral 
  • Ensuring efficient auditor review in an evidence collection portal 
  • Reducing unnecessary work (more on this below) 

HITRUST is a lot of work, and it takes a long time

Meeting the requirements of any of the HITRUST CSF assessments is serious business, but there are ways to lighten the lift and reduce time required by your team:


  • Ensure efficient evidence collection: APIs that connect directly to your tech stack ensure employees spend less time hunting for info, and auditors always have an up-to-date view
  • Make it easy for your current team to provide required information: Leverage workflow integrations that notify employees when they need to complete a task, and organize the data they share in a central portal 
  • Reduce redundant work: Leverage a common controls framework that builds on policies and controls already in place for other attestations and certifications like SOC 2, HIPAA, or others. 
  • Create a smooth experience for your auditor: Provide your auditor with a login to a dynamic portal that provides an up-to-date view of your security posture
  • Minimize the need to hire additional resources: Work with a partner that can provide guidance on what auditors will be looking for during a HITRUST assesment

It’s unclear if HITRUST is worth it for our business

Start with a simple comparison outlining the potential costs of HITRUST with the potential revenue the additional certification would unlock. Ask auditors, customers, prospects, and partners for their thoughts on your model, and share it with leadership.

TrustCloud streamlines your HITRUST assessments and optimizes your HITRUST certification

Getting HITRUST CSF certified can be a mostly manual process that involves collecting screenshots and documents from teams across your organization via email, and then having to organize them in your MyCSF portal. 

Not only is this tedious and time-consuming, but the information is generally outdated as soon as it’s sent out. 

TrustCloud’s API-powered programmatic evidence collection to save your team’s time and make HITRUST certification easier to achieve. This seamless integration gives auditors the info they need without asking your team for a single document, and you can avoid the pre-audit crunch.

To learn more about how our cloud-based platform automates the HITRUST assessment and certification process—and why our clients pass 100% of their audits with flying colors—contact us to arrange a demo with one of our HITRUST experts.