What is HITRUST Certification and Why Does It Matter?

December 7th, 2021

Any company can claim to be HIPAA-compliant, but if you are considering using their services, it’s worth understanding what that claim actually means. Relying on a vendor that merely self-attests compliance is risky. As a result, many serious organizations use a third-party validator to confirm that they are doing the right things regarding security and compliance. If you work in the healthcare industry, a HITRUST certification is one of the most widely respected third-party validations available.


What is HITRUST?

HITRUST is a company that was established in 2007 to develop, maintain, and provide access to its widely adopted common risk and compliance management frameworks, related assessments, and assurance methodologies.

It established the HITRUST Common Security Framework (CSF), which incorporates elements of a variety of existing standards, such as:

  • ISO/IEC 27000-series
  • NIST SP 800-53

By establishing a single framework that maps to many other important standards and regulations, the HITRUST certification makes it easier to meet all of their different requirements in a streamlined manner. The HITRUST CSF is widely regarded as the gold standard and the most widely adopted security framework in the healthcare industry.

Many healthcare organizations and their business associates have adopted the HITRUST CSF to secure electronic protected health information (ePHI). However, organizations in other industries also use it to support security and compliance under other regimes, such as GDPR and FINRA rules.

What Does the HITRUST Common Security Framework Include?

Applying for HITRUST is not for the faint of heart. The assessment covers the major compliance standards, and its detailed requirements apply to businesses of all sizes. Completing a HITRUST assessment requires a high level of security expertise, plus the mind of a lawyer to convert some of its general requirements into concrete policies.

HITRUST requires proven adherence to hundreds of different controls across the following 19 areas:

  1. Information security and protection program
  2. Endpoint protection (laptops, servers, and devices)
  3. Portable media controls (thumb drives and the like)
  4. Mobile device security (laptops, cell phones, etc.)
  5. Wireless access (WiFi security)
  6. Configuration and change management
  7. Vulnerability detection and management
  8. Network security protection
  9. Data transmission protection
  10. Password strength and management
  11. Access control to servers and software
  12. Audit logging and monitoring
  13. Employee education, training, and awareness
  14. Third-party contracts and management
  15. Incident response and management
  16. Business continuity and disaster recovery
  17. Risk assessment and management
  18. Data center physical security
  19. Data protection and privacy

How Do You Get a HITRUST Certification?

Anyone can download the Common Security Framework from the HITRUST website and work to implement its recommendations. To become certified, however, your business must bring on an external assessor to verify adherence to the requirements. This time-intensive process can take eight weeks to complete and submit to the HITRUST Assurance Team. Once submitted, the HITRUST Assurance Team reviews your Validated Assessment and assigns a score that determines whether you pass or fail.

This time-consuming process is not a one-time event. The score from the Assurance Team will highlight areas to improve. Your company must perform an interim review every year and undergo a full external assessment every two years to stay certified.

Undertaking a HITRUST assessment is no easy task. The HITRUST CSF certification is the gold standard because of its stringent requirements. Self-reported answers aren’t enough: the assessors and the Assurance Team verify each requirement. This instills confidence that a HITRUST-certified company is doing the right things regarding security and compliance.

Why Having a HITRUST Certification Matters

The HITRUST certification benefits any organization that creates, transfers, stores, or otherwise processes sensitive, valuable, or highly regulated data. The HITRUST CSF certification makes it easier to manage risk and compliance, and it also demonstrates to other parties that these critical areas are being adequately cared for.

A HITRUST certification proves that you have all the policies and procedures needed for compliance (hundreds of them) and that you have correctly implemented and are actually following them. HITRUST requires organizations to actively prove they are doing the right thing. It’s not simple. It takes a lot of work, attention, and buy-in from all levels of an organization. This is what makes HITRUST so valuable.

Not all third-party certifications are the same. You can feel confident that vendors who have completed the HITRUST CSF certification process take security and compliance seriously. Do your due diligence to ensure that a vendor or partner can meet your security and compliance requirements; their word alone is not good enough.