HITRUST Certification Requirements & Self-Assessment

In today’s digital age, the last thing a healthcare organization wants is for hackers to gain access to patients’ health records. While there are regulations and procedures to prevent unwanted access to health records, such as HIPAA and others, something more comprehensive was needed, which is where HITRUST comes in. Below we’ll discuss what HITRUST is, why organizations need HITRUST compliance certification, and how to acquire regulatory compliance certification.



HITRUST stands for Health Information Trust Alliance. It is a non-profit organization that was founded in 2007 to establish a common security framework for the healthcare industry and put controls on creating, accessing, storing, and exchanging sensitive information and regulated data.

The security compliance framework consists of 135 required controls, including endpoint protection, wireless protection, network protection, disaster recovery, and more.

While those in healthcare must follow HIPAA regulations, there had never been a certification for how well or how poorly those within the organization followed HIPAA regulations. This is where HITRUST comes into play. The only way to prove compliance with HIPAA regulations is via an audit by an external party.

Larger healthcare providers, having demanded greater assurance that organizations follow HIPAA security controls, looked to IT audit firms for HIPAA compliance gap assessments. They also sought out compliance reports and HITRUST certifications to prove that they follow all HIPAA regulations.

HITRUST has even created a tool called HITRUST myCSF, which organizations use to assess their regulatory compliance and risk and to compare their posture against various standards and data security frameworks. These assessments are tailored to each organization’s needs, its systems, and other factors particular to it. This tailoring means that two hospitals of equal size, one on each side of the country, will end up with different control sets that reflect the differences between them.


What Is HITRUST Compliance Certification?

HITRUST compliance certification clarifies, and in some cases adds to, what the HIPAA requirements suggest. In some cases, HIPAA doesn’t provide enough detail in the regulations for people to follow. One such example is HIPAA language that calls for “reasonable & appropriate” protections without defining them.

HITRUST compliance certification takes HIPAA regulations and provides specific descriptions and a framework to help healthcare companies manage data security needs required by the industry standards. HITRUST CSF provides a common framework for people and companies to work through. When a company or person says they’re HITRUST CSF certified, those who have gone through the same rigorous process will know what they mean.

Another benefit for HITRUST compliance certification is that it keeps patients’ personal data far more secure. In this digital age, the security of your patients’ personal health data is always the first priority. Those who aren’t willing to keep the information of their patients secure only subject themselves to trouble.

The ongoing assessments adapt to meet the ways cyber-attacks and security threats emerge. HITRUST CSF regularly revises and updates procedures to make sure organizations are up-to-date with regulatory guidelines. This continuous improvement advances and adapts CSF and makes it stronger. Once a company becomes HITRUST CSF certified, staying certified and compliant becomes easier over time.


What Are the Domains and Controls That HITRUST Provides?

The common security framework is at the center of HITRUST certification and proves HIPAA compliance. It’s divided into 19 different domains that allow a healthcare organization to better secure the protected health information (PHI) of their patients.

HITRUST CSF covers the domain of business continuity in the event of a disaster and recovery from that disaster. It wouldn’t do to lose all of your patient information and not have it backed up somewhere. HITRUST also covers physical and environmental security as well as risk management and third-party security.

HITRUST not only has an information protection program for organizations to follow, but it also covers data protection and privacy as well as mobile device security. HITRUST also addresses access control, configuration management, and password management, so that those responsible for access can see who attempts to reach information they are not authorized to view.

HITRUST CSF also provides training, education, and awareness to those undergoing certification and those who have already completed the certification process. It covers audit logging and monitoring and the review of audit results, as well as incident and vulnerability management. HITRUST also addresses portable media security, for the data that travels with staff when they are on the go.


What Are the CSF Degrees of Assurance?

HITRUST offers three levels of assessment that it calls Degrees of Assurance. Each degree builds upon the one below it, and each successive degree demands more effort, time, and rigor. These degrees are self-assessment, CSF validated, and CSF certified.


Self-Assessment
The self-assessment requires the least effort, rigor, and time to complete. In a self-assessment, the organization uses the CSF as an internal tool and completes it independently. This is possible because the CSF is a standardized framework.

This degree does not require verification by an external party, but the report notes that the company assessed itself. When a company completes its own assessment, HITRUST issues a CSF Self-Assessment Report.


CSF Validated

This option requires a third-party CSF Assessor to verify the information the organization gathered upon completion of the assessment. The third-party assessor can only be an assessor approved by HITRUST and must visit the organization onsite. HITRUST then reviews the assessment and issues a validated report once the assessor submits the report.


HITRUST CSF Certification

A HITRUST CSF certification is good for two years. At the end of those two years, the organization must undergo another assessment. An organization granted this Degree of Assurance has passed all of the necessary certification requirements.

HITRUST reviews and certifies all of the organization’s entries and combines them with the information provided by the third-party assessor before making its decision. This certification takes a few months to complete.


Who Should Be HITRUST Compliant and Why?

If you’re wondering if your company needs HITRUST CSF certification and you create, store, access, or exchange personal health information of patients, then the answer is yes. Those in the healthcare industry who have access to patient medical information are required to undergo HITRUST CSF certification.

HITRUST doesn’t just work with HIPAA, but it also brings together internationally recognized security standards like PCI, COBIT, and NIST. Not only that, but HITRUST provides insights on how the organization should handle security risks from digital to physical. This gives the organization actionable steps on how to mitigate security risks and protect patient data.

The steps toward HITRUST certification take a lot of time and effort. The assessment stage lasts anywhere from two to eight weeks, depending on the organization’s complexity and the intricacy of the information the company handles. Given the time and effort a company must put into becoming HITRUST certified, some question why they must do so.

After all, they have complied with HIPAA and other regulations in the past, so why take the time, expense, and effort to become HITRUST CSF certified? Hackers don’t take a break, and a comprehensive study by the Clark School found that hackers attack devices connected to the internet every 39 seconds. During the study, the researchers’ computers were attacked by hackers more than 2,000 times each day.

Imagine a hacker discovering that your organization is an easy target during one of those 39 seconds. Once they’ve created a security breach, they can take what they need in seconds. With digital healthcare on the rise, not becoming HITRUST CSF certified leaves your organization and your patients vulnerable to attack.


How to Acquire HITRUST Compliance Certification

There are several steps a company must take to become HITRUST certified. The organization must first determine its certification needs. This includes the systems that need certifying, the partner organizations within its trading circle, and the controls set for those security requirements.

Once the organization determines its scope, it can purchase a subscription to the MyCSF tool. With access to the tool, it begins the self-assessment, which takes a few weeks. After completing the self-assessment, it requests an external audit and submits the assessor’s findings for HITRUST to evaluate.

Once HITRUST receives and reviews those findings, it will request evidence backing up the assessor’s work. When HITRUST has all the information it needs, it scores the results and issues a certification if the score meets its standards. While HIPAA has a pass/fail system, to pass a HITRUST CSF certification, you must have a passing score of three on a scale of one to five in each of the 19 control categories.

Some states have already made HITRUST CSF certification mandatory for those who wish to deal with healthcare organizations. While determining the scope of what you need for your organization is the hardest step, keep in mind that it’s well worth the time and effort put into becoming certified. The patients who come to you for their healthcare needs also depend upon your systems’ information security to keep their private health records confidential and safe.