What is HITRUST Certification and Why Does It Matter?

December 7th, 2021

Any company can claim to be HIPAA-compliant, but if you are considering using their services, it’s worth understanding exactly what they mean. Using a vendor that self-attests compliance is risky. As a result, many serious organizations use a third party validator to provide assurance that they are doing all the right things when it comes to security and compliance. If you work in the healthcare industry, a HITRUST certification is one of the most widely respected third party validators.


What is HITRUST?

HITRUST was established in 2007 to develop, maintain, and provide access to its widely adopted common risk and compliance management frameworks, related assessments, and assurance methodologies.

It established the HITRUST Common Security Framework (CSF) which includes elements of a variety of different standards such as:

  • ISO/IEC 27000-series
  • NIST 800-53

By establishing a framework that encompasses many other important sets of regulations, the HITRUST certification makes it easier to provably meet all of the different requirements in a streamlined manner. The HITRUST CSF is the gold standard and most widely adopted security framework in the healthcare industry.

Many healthcare organizations and their business associates have adopted the HITRUST CSF to secure electronic protected health information (ePHI). However, other industries also use it for security and compliance in other contexts, such as meeting GDPR requirements.

What Does the HITRUST Common Security Framework Include?

Applying for HITRUST is not for the faint of heart. The assessment tackles the major compliance standards and there are detailed requirements that apply to businesses of all sizes. Completing a HITRUST assessment needs not only a high level of security expertise, but the mind of a lawyer to convert some of its general requirements into concrete policies.

HITRUST requires proven adherence to hundreds of different controls across 19 different areas, including:

  1. Information security and protection program
  2. Endpoint protection (laptops, servers, and devices)
  3. Portable media controls (thumb drives and the like)
  4. Mobile device security (laptops, cell phones, etc.)
  5. Wireless access (WiFi security)
  6. Configuration and change management
  7. Vulnerability detection and management
  8. Network security protection
  9. Data transmission protection
  10. Password strength and management
  11. Access control to servers and software
  12. Audit logging and monitoring
  13. Employee education, training, and awareness
  14. Third-party contracts and management
  15. Incident response and management
  16. Business continuity and disaster recovery
  17. Risk assessment and management
  18. Data center physical security
  19. Data protection and privacy

How Do You Get a HITRUST Certification?

Anyone can download the Common Security Framework from the HITRUST website and work to implement the recommendations. However, to become certified, your business must bring on an external assessor to verify adherence to the requirements. This is a time-intensive process that can take up to 8 weeks to complete and submit to the HITRUST Assurance Team. Once submitted, the HITRUST Assurance Team audits your Verified Assessment and assigns a score that determines whether you pass or fail the audit.

This time-consuming process is not a one-time event. The score from the Assurance Team will highlight areas to improve. Your company needs to perform yearly audits and go through the external assessment every two years in order to stay certified.

Undertaking a HITRUST assessment is no easy task. The HITRUST CSF certification is the gold standard because of its stringent requirements. Self-reported answers aren’t enough: each requirement is verified by the assessors and the Assurance Team. This instills confidence that a HITRUST certified company is doing all the right things when it comes to security and compliance.

Why Having a HITRUST Certification Matters

The HITRUST certification is beneficial for any organization that deals with sensitive, valuable or highly regulated data, whether it creates that data, transfers it, or processes it in any other way. This is because the HITRUST CSF certification not only makes it easier to manage risk and compliance, but also demonstrates to other parties that these critical areas are being properly taken care of.

A HITRUST certification proves both that you have all of the needed policies and procedures in place for compliance (hundreds of them) and that you have properly implemented and are following these policies and procedures. HITRUST requires organizations to actively prove they are doing the right thing. It’s not simple. It takes a lot of work, attention and buy-in from all levels of an organization. This is what makes HITRUST so valuable.

Not all third-party certifications are the same. You can feel confident that vendors who have completed the HITRUST CSF certification process take security and compliance seriously. Always do your due diligence to make sure that a vendor or partner can meet your security and compliance requirements: their word is not good enough.