With sensitive data at risk, the need for secure storage and transmission that complies with regulatory mandates among varied industries is critical. Although necessary, these mandates often prove difficult to implement. One of the best ways to prepare for threats and successfully comply with data protection regulations is with the HITRUST CSF®. HITRUST has become a widely adopted security and privacy framework across industries globally.

What Is HITRUST Certification?

HITRUST Certification means an organization has partnered with an authorized HITRUST External Assessor to pass a comprehensive security evaluation. Certification confirms that the organization has met all industry regulations while maintaining high standards of data loss prevention and information risk management. This helps set your organization apart from others within the industry. Certification verifies that industry leaders put security and consumer transparency first.

The process is detailed, time-consuming, and intense, but will ultimately set your organization up for success. That’s why it’s considered the gold standard for compliance in healthcare and a wide range of industries with regulatory compliance standards. Achieving HITRUST Certification shows that your company took to the time to meet all regulatory requirements of the HITRUST framework.

IMPORTANT UPDATE: HITRUST CSF Validated Assessment Become the i1 and r2 Validated Assessments; HITRUST Readiness Is Renamed the bC Assessment.

How to Get HITRUST Certification

When getting started, the key is solid preparation. Most organizations seek assistance from an Authorized HITRUST External Assessor, or certification partner, who helps determine the scope, type of assessment needed, and the controls to address. Defining the scope of the assessment is a key first step. It defines which business units and subsidiaries are affected, as well as what is covered by controls. If the scope isn’t properly outlined, there are likely to be too many or too few requirements to reach certification. Careful scoping helps your organization save time and money as you prepare for the HITRUST assessment process.

Find out How to Prepare for a HITRUST Assessment.

Illustration showing the phases of the HITRUST CSF Certification process: readiness assessment, remediation, validated assessment and certification

This process has four main phases: readiness, remediation, validated assessment and the HITRUST Quality Assurance review. The culmination of the HITRUST  assessment process is certification.

1. Readiness

The readiness step starts with a readiness assessment. The readiness assessment can be completed using the HITRUST MyCSF tool.

Once the scope is determined, the partner will examine and measure all documentation relating to policies and procedures against current HITRUST requirements and controls. During this time, the assessor performs testing of controls to validate whether they are working as listed. All gaps are documented for remediation.

This can take up to 8 weeks, depending on the size and complexity of the organization’s infrastructure.

Learn more about the HITRUST  Certification Readiness Phase.

2. Remediation

All performance or documentation gaps found during the readiness phase will be addressed by the organization during this time. The goal of this phase is to identify and ranks gaps in your organization by risk level. This provides the organization with opportunities for remediation before moving forward to the validated assessment.

During the remediation phase, authorized assessors should work to understand the organization’s environment and the normal flow of data through systems within the scope. They analyze requirements to understand the organization’s controls, identify gaps, and workable solutions to remediate any gaps found. Then, as the company works to remediate issues, assessors can provide ongoing support and review progress toward compliance.

This process can take up to 6 months the first year, depending on the type of remedial actions required by the organization.

3. Validated Assessment

During the validated assessment, the assessor tests the defined control requirements of each designated category. An on-site risk assessment usually includes interviews with key personnel, reviewing supporting documents, sampling, penetration testing and vulnerability scans. Each requirement is evaluated or scored based on the following attributes control maturity:

  • Policy,
  • Process/Procedure,
  • Implementation,
  • Measured, and
  • Managed.

Based on these control maturity levels, the levels of compliance are:

  • Fully compliant,
  • Mostly compliant,
  • Partially compliant,
  • Somewhat compliant, and
  • Non-compliant.

During this assessment testing phase, authorized assessors review and validate the organization’s scores. Then, they send the final assessment to HITRUST for approval. The final decision about approving or denying the application for certification is made by HITRUST.

4. HITRUST’s Quality Assurance Review & Report Generation

Once the validated assessment is complete, the assessment is submitted to HITRUST for their quality assurance review and generation of the final report. The typical duration of HITRUST’s processing of a submission ranges from 4 to 8 weeks.

Learn about the New HITRUST CSF v9.3: Effective January 1, 2020.

How long does it take to get HITRUST certified?

This depends mostly on your organization’s preparedness and the skilled guidance provided by your assessor. If this is the first time that your organization is working towards HITRUST certification, the process may take up to 12 months to complete successfully.

How Long Is HITRUST Certification Valid For?

The HITRUST certification is valid for 24 months, with an interim review required to ensure standards continue being met. After 12 months, interim assessment testing is required. This is designed to ensure the ongoing effectiveness of data security controls for organizations that have already received certification. Interim testing also serves to update the scope and scores as needed.

After two years, certification expires and the organization must go through the process of recertification. Although, the HITRUST Bridge Assessment can help organizations to maintain their HITRUST certification report for an additional 90 days while working to complete re-certification.

What Are the Benefits Of HITRUST Certification?

HITRUST certification adds credibility and visibility to an organization. It also improves the information security outlook of the organization by identifying potential security risks in the privacy and data protection infrastructure. HITRUST certification reduces the time investment and costs connected to complying with numerous regulatory standards.

With certification, organizations can circumvent potential issues if a secondary audit is needed. The HITRUST certification, demonstrates the effectiveness of an organization’s security protocols to consumers and other businesses.

Learn more about the Importance of HITRUST Certification.

What Types Of Businesses Should Obtain HITRUST Certification?

HITRUST Certification is ideal for companies that create, access, store, and exchange sensitive information. This includes healthcare vendors, hospitals, pharmacies, insurance firms, and doctors’ offices. Other global organizations outside of healthcare have also been successful in obtaining the HITRUST certification like Marriott, Google, Amazon, Microsoft, Sony, and more.

Does your organization need HITRUST certification? Here’s some help answering that question.

The HITRUST framework was designed to make sure that healthcare-related facilities subject to HIPAA and their third-party business associates meet security regulations. Because HITRUST is a comprehensive combination of multiple security and privacy standards – including HIPAA, HITECH, PCI, COBIT, and NIST – it has become widely applicable in other industries as well.

Now, the HITRUST framework can be used to streamline risk management operations. And it is being effectively used for companies in the insurance, government, biotech, life sciences, and financial sectors, just to name a few.

Get the information you need to tackle assessment and certification: HITRUST Glossary.

Professional Assistance With HITRUST Certification

The certification process is rigorous, but it’s well worth the effort. Your organization will achieve the highest standards of compliance which will be recognized throughout the industry. Collaborating with the right technical audit team is key. I.S. Partners, LLC works with organizations to obtain certification and make the entire experience stress-free.

Find out more about how we can assist you in becoming HITRUST certified. Contact our team at 215-675-1400, or contact us online, to discuss how we can help your organization.

Go on to find out more about Phase 1 of the HITRUST certification process: Readiness Assessment

About The Author

Get started

Get a Customized Quote

Please fill out the form to schedule a free, 30-minute consultation. This consultation will allow us to create a customized plan and an accurate quote just for you.

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top