
What is HITRUST Compliance?

By: Matt Halbleib
Director of Security Assessments

Secure storage and transmission of electronic data is increasingly critical to the healthcare industry. Data security and compliance with mandates like HIPAA are both paramount, yet more often than not the two intersect in ways that make them complex and difficult to implement.

Many HIPAA requirements are nuanced and open to interpretation, and depending on an organization’s size and available skill, they may not be understood or implemented in accordance with their intended purposes. 

HITRUST aims to solve these issues by providing an integrated security approach as well as a way to demonstrate compliance with HIPAA security requirements to a third-party assessor. 

HITRUST is a certifiable and recommended framework trusted by many health networks and hospitals to manage risk.


What is HITRUST?

HITRUST stands for the Health Information Trust Alliance. It was founded in 2007 and uses the “HITRUST approach” to help organizations from all sectors, but especially healthcare, effectively manage data, information risk, and compliance.

HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

HITRUST was organized with the intent to provide an option for the healthcare sector to address information risk management across a matrix of third-party assurance assessments, with the hope of consolidating, reducing, and in some cases, eliminating the need for multiple reports. HITRUST refers to this design element as “assess once, report many.” 

What is HITRUST CSF Certification?

Organizations that create, access, store, or exchange sensitive information can use the HITRUST Common Security Framework (CSF) assessment as a roadmap to data security and compliance. The CSF is a certifiable standard (assessed by security assessors) and was designed as a risk-based approach to organizational security, as opposed to a compliance-based approach. The HITRUST CSF assurance program combines aspects of common security frameworks such as ISO, NIST, PCI, and HIPAA.

Across the CSF’s 19 reporting domains are 149 control specifications, each of which can be assessed at one of three implementation levels.

How do you get HITRUST certification?

What HITRUST calls the “HITRUST approach” gives organizations a comprehensive information risk management and compliance program. This blend of security and compliance mandates provides an integrated approach that keeps all programs aligned and maintained so that they comprehensively support an organization’s information risk management and compliance objectives.

HITRUST certification requires an independent assessment. The length of the assessment depends on the size and complexity of the organization, its scope, and the amount of counseling required. According to HITRUST, the certification process can take an additional 6 weeks after the assessment is complete.

What is the HITRUST Certification Process?

The HITRUST process includes six steps: defining your scope, determining next steps, choosing your HITRUST validation type, your gap assessment and remediation, the final HITRUST CSF assessment, and your HITRUST interim assessment.

What is the difference between HITRUST and HIPAA?

HIPAA vs. HITRUST: While HIPAA is a law created by lawyers and lawmakers, HITRUST is a framework created by security industry experts that includes aspects of HIPAA.

The HITRUST CSF gives organizations a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.

According to the HHS, "The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form . . . This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information."

HITRUST can help provide measurable criteria and objectives for applying "appropriate administrative, technical, and physical safeguards." HITRUST does not replace HIPAA compliance or prove that an entity is HIPAA compliant, but it is widely accepted as a good approach for evaluating risk.

If I’m HITRUST Certified, does that mean I’m HIPAA compliant?

Being HITRUST CSF certified can assist you in your HIPAA compliance efforts because some of the requirements overlap, but it does not guarantee HIPAA compliance.

What is the difference between e1, i1 and r2 assessments? 

The difference between the assessments comes down to an organization’s risk exposure and its cybersecurity practices. The e1 assessment is basic and suited to lower-risk organizations, the i1 offers a moderate level of assurance, and the r2 provides the most comprehensive and rigorous validation for organizations with the greatest risk exposure. Organizations can choose the appropriate assessment based on their cybersecurity maturity and risk profile.

e1 assessment

The "e1" assessment represents fundamental cybersecurity hygiene and serves as an introductory step into the world of HITRUST. Compared to the more rigorous HITRUST i1 and r2 Assessments, the e1 requires less effort to complete while still providing a valuable level of assurance. 

i1 assessment 

The HITRUST i1 Validated Assessment is built on a curated set of controls that show an organization is adopting leading security practices to establish a robust and comprehensive cybersecurity program. Positioned between the foundational HITRUST e1 Essentials assessment and the advanced r2 Expanded Practices risk-based assessment, the i1 assessment provides a balanced level of assurance. Additionally, the i1 Rapid Recertification streamlines the recertification process for greater efficiency.

r2 assessment

The HITRUST r2 Validated Assessment is widely regarded as the gold standard for information protection assurances due to its comprehensive control requirements, thorough review process, and consistent oversight. It offers flexible and risk-based control selection, allowing organizations to meet the most stringent risk and compliance factors while tailoring measures to their specific needs. The r2 Assessment's proactive Expanded Practices approach to cybersecurity, along with its extensive requirement statements, ensures the highest level of assurance, making it ideal for organizations facing significant risk exposure.

The r2 assessment can be performed every other year. In the “off year,” organizations can complete a slimmer assessment called the r2 Interim Assessment.

Is HITRUST CSF Certification more expensive than other similar assessments?

Not necessarily. Because a HITRUST CSF assessment can help you satisfy other frameworks and assessments, such as a HIPAA risk assessment or a NIST cybersecurity assessment, you could save money by becoming HITRUST certified.

How long does it take to become HITRUST CSF Certified?

Depending on your initial readiness, the amount of time needed for remediation, and the size and complexity of your organization, the HITRUST assessment itself takes anywhere from 2-8 weeks on average, followed by a minimum of 8 weeks for the assessment to be processed and certification awarded.

This means it typically takes 3-4 months to complete your HITRUST assessment and remediation and receive certification.


Matt Halbleib, Director of Security Assessments at SecurityMetrics, is responsible for overseeing the activities of the company’s audit teams. He holds QSA (Qualified Security Assessor), PA-QSA (Payment Application Qualified Security Assessor), and CISSP (Certified Information Systems Security Professional) security certifications and as a qualified assessor for the Payment Card Industry, has completed over 80 PCI DSS and PA-DSS security assessments.
