Download Our White Paper

“Talking To Your Business Associates About HITRUST™ CSF”

Read why your healthcare organization must utilize HITRUST™ CSF when working with business associates and third-party vendors.



Founded in 2007, HITRUST was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of the HITRUST CSF, which is a common risk and compliance management framework; an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and other supporting programs and initiatives.

Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the HITRUST CSF, making it the most widely adopted security framework in the industry.

How to get started

We understand that achieving HITRUST CSF certification can be confusing. To help you better understand what HITRUST CSF is, we recommend speaking to a HITRUST CSF specialist so that you understand the benefits, and process, of becoming HITRUST CSF certified. Below are our recommended first steps towards your organization's HITRUST CSF certification.

Contact Us

I.S. Partners can assist with all of your HITRUST CSF needs. Give us a call at (866) 335-6235 or fill out our contact form and one of our HITRUST CSF specialists will help you get started.

HITRUST CSF Self Assessment

It all begins with a self-assessment. I.S. Partners can guide you and provide assistance throughout the self-assessment process.

HITRUST CSF Validated Assessment

The HITRUST Validated Assessment is the onsite assessment performed by the qualified assessors of I.S. Partners. We will work with you to help you obtain HITRUST certification.

HITRUST CSF Certification

HITRUST certification is the ultimate goal of the HITRUST process. I.S. Partners can get you there. Interested in the HITRUST certification? Call (866) 335-6235 or fill out our contact form and we can help you today.

Learn more about HITRUST

A full assessment of all health information systems at one time is not always viable or necessary for every healthcare organization. Breaking up the engagement into smaller level assessments allows you to focus on a set of information systems, records, technologies and personnel so you have an easier time receiving the necessary certification.

The HITRUST® team of experts has once again returned to the drawing board, working to improve and expand the HITRUST CSF. On January 21, 2019 they announced the latest update – HITRUST CSF v9.2. Learn more about the update here.

Does it seem like HITRUST® continually releases new versions that are chock-full of new elements and updates? As you well know—even if it does…

Frequently asked questions

  • What’s the difference between HITRUST CSF and HIPAA?

    HITRUST CSF and HIPAA assessments both aim to safeguard healthcare information and electronic Protected Health Information (ePHI). However, the two take different approaches. HIPAA was originally meant to be used by a wide range of organizations, resulting in a vague and subjective list of requirements for HIPAA compliance. The HIPAA Security Rule allows certain specifications to be only “addressable” while others are “required.” There is no official designation of HIPAA compliance. HITRUST CSF assessments and certifications are organized around the specific risk of a given organization. HITRUST CSF assessments also allow for a comprehensive approach to information security because they consider compliance with other regulations. A HITRUST CSF assessment is an efficient and risk-based approach to information security because it draws upon existing frameworks, standards, and current regulations.

  • What is the HITRUST CSF Certification process like?

    I.S. Partners, LLC performs HITRUST CSF readiness, certification, and remediation services for healthcare organizations and their business associates to assess compliance with industry security requirements and standards, and creates solutions that help organizations align with the HITRUST CSF. If your company requires both a HITRUST CSF Certification and a SOC 2 report, I.S. Partners can leverage the efficiencies between both sets of requirements, thus lowering the time and expense of effective risk management.

  • Is the HITRUST CSF similar to SOC report requirements?

    A SOC 2 is a reporting format, while the HITRUST CSF is a security framework. A SOC 2 examination examines the internal controls at a service organization as they relate to one or more of the Trust Services Principles of Security, Availability, Confidentiality, Processing Integrity and Privacy. The SOC 2 reporting model and the HITRUST security framework are complementary since both are facilitated through the efficient assessment and implementation of controls to satisfy the HITRUST CSF.

  • What is the advantage of getting HITRUST CSF certified?

    An organization that creates, accesses, stores or exchanges Protected Health Information (“PHI”) can use its HITRUST CSF Certification to demonstrate that it meets the high standards of security prescribed within the HITRUST CSF. Many companies now accept a HITRUST Certification as evidence of compliance, thus relieving them of the obligation to audit their vendors. Companies such as Highmark, Humana, United Health Group, HCSC and Anthem now require their vendors to undergo a HITRUST CSF assessment. The HITRUST CSF incorporates all major information security-related requirements and best practices, and provides scalable cyber security measures based on different risks and exposures.

  • Who is HITRUST?

    HITRUST is a privately held corporation in the United States that has established the HITRUST CSF to be used by organizations that create, access, store or exchange sensitive information. In collaboration with public and private healthcare technology, privacy and information security leaders, HITRUST has become the leader in safeguarding health information systems and exchanges.

  • What are the Two Different Types of HITRUST CSF Assessments that HITRUST Offers?

    1. A HITRUST CSF Self-Assessment allows an organization to conduct a review and assessment of its internal control environment using the standard methodology, requirements, and tools provided under the HITRUST CSF Assurance Program. The self-assessment option removes any potential barriers for organizations that lack the resources for an onsite assessment, but nonetheless must still implement data protection controls, maintain HIPAA/HITECH compliance, and report to external parties.

    2. A HITRUST Validated Assessment is conducted by a HITRUST-approved CSF Assessor, such as I.S. Partners, LLC. Using the HITRUST CSF Assurance methodology, an organization’s internal controls are scored accordingly. Assessments meeting or exceeding the current HITRUST CSF Assurance scoring requirements for certification will be indicated as “HITRUST CSF Certified” on the certification report from HITRUST.

  • How Can My Organization Utilize the HITRUST CSF Framework for a SOC 2 Report?

    HITRUST and the American Institute of Certified Public Accountants (AICPA) have joined together to map HITRUST CSF controls to the Service Organization Controls (SOC) 2 Trust Principles and Criteria, specifically the Trust Services Principles of Security, Confidentiality and Availability. I.S. Partners, LLC, as both a CPA firm and a HITRUST CSF Assessor, can perform a SOC 2 audit leveraging the HITRUST CSF framework. If an organization requires both a SOC 2 and a HITRUST CSF Certification report, the two reports can be combined into a singular report.

  • How Often Do I Need to Get a Report?

    Given the positive fulfillment of the interim review requirement, where no breach has occurred and no significant changes have developed relating to the scoped control environment, HITRUST CSF reports with Certification are valid for two years. However, at the one-year anniversary of the Certification, I.S. Partners, LLC can perform your organization’s interim review by:

      • Requesting your organization to update the scoping questions
      • Reviewing the updated questionnaire for any changes to the original questionnaire
      • Testing at least one control/statement in each domain
      • Reviewing the status of any Corrective Action Plan (CAP) from the original assessment to ensure that satisfactory progress/milestones are being met

  • Why Should You Choose the HITRUST CSF Over Other Available Frameworks (NIST, ISO, etc.)?

    The HITRUST CSF includes and embodies requirements from various authoritative sources such as ISO, NIST, PCI DSS, HIPAA and others, and tailors the requirements to healthcare organizations based on specific organizational, system and regulatory risk factors. The level of integration and prescription in the framework, along with the quality and rigor of the HITRUST CSF Assurance Program and supporting HITRUST products and services, makes the HITRUST CSF the easy choice for healthcare organizations.

Request a Quote

Get hassle-free pricing in 3 easy steps:

  • Step 1: Send us a message
  • Step 2: Allow us to create a customized plan
  • Step 3: We’ll get you an accurate, no-obligation quote
