Here’s my definitive ranking of top HITRUST providers, what they offer, who they’re best for, and projected costs.
As a cybersecurity professional who deals with a lot of different companies and industries, it’s become apparent to me that not every HITRUST provider fits every business’s needs.
SecurityMetrics provides a complete HITRUST solution, including readiness, remediation, implementation, and validation, with a focus on personalized pricing and expert advice. SecurityMetrics partners with Privaxi to do the heavy lifting of HITRUST readiness for customers, streamlining the overall documentation process. This lets customers be as hands-on or hands-free as they are comfortable being.
With a focus on business associates and those in the healthcare industry, SecurityMetrics has HITRUST experience with the following business types:
“I was expecting the HITRUST process to be more arduous because when we started the HITRUST process with our past assessor, it was harder. So, I was expecting more work. But partnering with Privaxi, and then working with SecurityMetrics made it a smooth process. Our SecurityMetrics HITRUST assessor had conversations with us and seemed to be experienced, and had more of an understanding of what we needed. The relationship worked very well.” –Vice President of Operations Jason Lombardi, Vita Companies
See Also: Read more about Vita Companies’ experience using SecurityMetrics for their HITRUST assessment here.
Your HITRUST assessment cost will greatly depend on which assessment type you choose. Here are the projected ranges for each assessment, including our white glove service, which significantly increases your chance of passing your assessment the first time around:
I highly recommend using the SecurityMetrics HITRUST calculator and inputting your organization’s information to get a more accurate assessment type and cost.
Coalfire has over thirteen years of experience in the industry as a HITRUST external assessor. Their clients tend to be cloud service providers. Coalfire offers gap analysis, documentation development, remediation support, and coordinated assessments across more than 75 compliance frameworks.
Coalfire’s ideal client is someone who has struggled to manage compliance across multiple regulations and standards. Coalfire has set up their process to map controls across many frameworks to reduce audit fatigue and help customers meet multiple standards more easily. A Coalfire HITRUST assessment is not ideal for customers who lack budget or don’t need to meet multiple frameworks.
“There’s an ecosystem that you’re building to make sure that your business objectives are being met. We can't do it alone. We're not looking for vendors; we're looking for strategic partners that understand and are willing to take the time to understand what our nuances are, what our challenges are, what risks we are facing. That’s what I find in Coalfire. We sit down, we talk about it, and then we build strategies, and we build execution together.” –Dr. Adrian Mayers, global CISO, Premera
At the time of writing, Coalfire doesn’t offer a price range or tool for estimating the cost of a HITRUST assessment.
A-LIGN is one of the top assessors globally and boasts helping over 300 clients achieve HITRUST certification. A-LIGN offers comprehensive services including readiness assessments, validated e1, i1, and r2 assessments, interim testing, and HITRUST risk & advisory services.
A-LIGN also provides HITRUST AI security and risk management assessments.
One of the most unique features of an A-LIGN HITRUST assessment is their proprietary compliance management platform, A-SCEND, which streamlines the assessment process and centralizes evidence.
If you’ve previously been frustrated by a lack of communication with your HITRUST team or want something in addition to the HITRUST MyCSF platform, A-LIGN’s A-SCEND platform might be the best choice for you.
“I have been through a couple of audits before, and this is by far the best and most smooth audit I have been through.” –Head of Technical Operations at Mezmo
You will need to contact A-LIGN directly for a custom quote. They will conduct an initial scoping call to understand your organization's specific needs, environment, and the type of HITRUST assessment you require.
Schellman is a prominent CPA firm specializing in IT Compliance and Cybersecurity. They are a major player in HITRUST assessments with an emphasis on the fixed-fee model and strong project planning.
Schellman HITRUST assessments work on a fixed-fee pricing model, which is unique to the industry. If you are an organization that wants a straightforward pricing model with no hidden costs, Schellman may be right for you. Schellman is also known for flexible reporting through their AuditSource® tool, which provides real-time visibility into project-level key performance indicators (KPIs).
"Schellman is very flexible for our challenging audit needs. Constantly working with us in our ever-changing environment." –Review on Gartner
While Schellman operates on a fixed-fee model, the amount of that fixed fee is entirely dependent on the specific scope and complexity of an organization's HITRUST assessment.
Schellman's staff (like Managing Principal Doug Kanney) emphasize that the type of HITRUST assessment influences the cost. In a video titled "What Is The Cost of a HITRUST CSF® Assessment," Doug Kanney mentions that first-year certification can range from the mid-$60,000s up to $175,000.
For more information about Schellman’s pricing model, check out this blog.
Vanta is NOT a HITRUST assessor, but rather a compliance automation platform that has expanded its offerings to include support for HITRUST. Unlike traditional HITRUST assessors (like A-LIGN or Schellman) that primarily provide human-led audit services, Vanta's core offering is a software platform designed to automate and streamline the compliance process.
Vanta is ideal for companies that want to automate their evidence collection process during their HITRUST assessment. This is Vanta's most significant differentiator. By integrating with hundreds of common business tools, cloud providers, HR systems, and more, Vanta automatically collects evidence of control implementation, reducing the manual burden on internal teams during the audit process.
“Using Vanta, we’ve saved hundreds of hours and hundreds of thousands of dollars. The time the team spent working on audits can now be dedicated to other projects.” –Nicole Dobias, Senior Counsel, Ironclad
Vanta provides projected ranges for assessor fees alongside their solutions, based on HITRUST level and employee range. They don’t provide specific information on their own solution’s price, so reach out for a quote on what the Vanta solution would cost your organization.
Choosing a HITRUST provider to partner with can be a challenging choice, especially with so many different players in the industry. Identifying what is most important for your HITRUST assessment, whether it be support, cost, assessors with knowledge of your industry, turnaround time, and more, can help you identify who will be your best partner.
I also strongly recommend meeting with several HITRUST assessors to get both specific quotes/proposals and to hear what makes them unique in their own words. This should also help you get a feel for how you will work together and if they are the best match for you.
If you want more information about what to expect during a HITRUST assessment, check out the SecurityMetrics HITRUST Checklist here.