
What is HITRUST Compliance? Requirements, Cost & More

Everything you need to know about HITRUST in one place
Last updated September 26, 2022 9 min read
Written by Andrew Magnusson, Director, Global Customer Engineering, StrongDM
Reviewed by Justin McCarthy, Co-founder / CTO, StrongDM

In this article, we will take a big-picture look at what HITRUST compliance is and how it compares with other types of compliance. You will learn about the HITRUST certification requirements, why compliance is important, and who must comply with the framework and controls. By the end of this article, you will have a clearer understanding of the best practices you can follow to obtain HITRUST certification and how HITRUST compliance can help your organization reduce risk, streamline compliance, and maintain a high level of data security.

What is HITRUST?

The Health Information Trust Alliance (HITRUST) is a non-profit company that delivers data protection standards and certification programs to help organizations safeguard sensitive information, manage information risk, and reach their compliance goals. 

HITRUST stands out from other compliance frameworks because it harmonizes dozens of authoritative sources such as HIPAA, SOC 2, NIST, and ISO 27001. It is also the only standards development organization with a framework, assessment platform, and independent assurance program, which has helped drive widespread adoption.

What is HITRUST Certification?

HITRUST created the HITRUST Common Security Framework (CSF) to provide an objective, measurable way to manage the security risks that come with handling healthcare information and other sensitive data. HITRUST CSF certification is a way for organizations to demonstrate that specific systems within their environment meet the framework’s rigorous standards and regulations. HITRUST-certified assessors perform certifications and produce detailed reports to help organizations understand and improve their maturity levels. 

The latest CSF version (v9.6.0) integrates 44 major security and privacy-related standards, regulations, and frameworks as authoritative sources. It incorporates a risk-based approach to help organizations address security challenges through prescriptive and scalable security controls and privacy controls. 

Although HITRUST was originally designed with the highly regulated healthcare industry in mind, its privacy and security controls framework is industry-agnostic and can be used by organizations across all industries. Organizations that may not be ready to invest in the time, effort, and cost of the HITRUST CSF Validated Assessment can choose from other assessment offerings to understand best practices and implement good hygiene.

History of HITRUST

HITRUST was founded in 2007 to help make information security a core pillar of the healthcare industry. The HITRUST acronym and HITRUST definition are distinct reminders of the organization’s original focus on securing healthcare information. The first Board of Directors included leaders from some of the top healthcare providers, insurers, and vendors. 

Although HITRUST is still the gold standard for compliance in the healthcare industry, the company has since rebranded to reflect its expansion beyond healthcare. Its global expansion and industry-agnostic approach have made HITRUST CSF one of the most widely adopted security and privacy frameworks in the world. Its security programs and frameworks help organizations of all sizes and industries maintain the highest level of information security.

Importance of HITRUST Compliance

Information security is a critical component of modern healthcare information systems and medical technologies. Security frameworks like HITRUST help ensure that private health information and other sensitive data is secure by making it easier for organizations to obtain compliance.

All organizations that need to address compliance and risk management can benefit from achieving HITRUST compliance. The HITRUST CSF improves the security of an organization while helping reduce the complexity, risk, and cost associated with information security management and compliance. Certification provides objective verification that your security program is operating within the parameters of its intended design and meets HITRUST standards.

Who Must Comply with HITRUST?

There are no federal or governmental mandates for HITRUST CSF certification. However, in 2016, some of the biggest health insurance payers announced a requirement for all of their vendors to become HITRUST certified. Since then, HITRUST certification has become an industry-wide standard required by a majority of payers. 

For most companies that create, access, store, or exchange Protected Health Information (PHI), HITRUST compliance is an essential part of doing business. This ranges from doctor’s offices, hospitals, and pharmacies to insurance companies, healthcare vendors, and more. Outside the healthcare industry, there are no mandates for HITRUST certification, but all organizations can benefit from it. Following HITRUST regulations ensures that an organization is meeting multiple regulations and implementing the highest security standards for its data and systems.

Benefits of HITRUST Compliance

As digital information and healthcare technology become increasingly common, organizations are more and more vulnerable to cyberattacks and breaches. Protecting data in today’s environment has a number of challenges, from rapidly changing business and technology environments to increased scrutiny from auditors, customers, and business partners.

HITRUST compliance helps organizations maintain a high level of data security, manage risk internally and with external vendors, and reduce the chances of a data breach. The framework also provides a map for ongoing improvements, making it easier to stay ahead of evolving threats and regulations. 

HITRUST Benefits

  • Streamline the process of building and running an information risk management program.
  • Effectively and efficiently protect sensitive information.
  • Reduce risk and prevent theft of sensitive data such as patient health information.
  • Stay up to date with increasingly sophisticated cyber attacks and security risks.
  • Save time and simplify future compliance efforts with one streamlined security framework mapped to more than 40 other frameworks’ rules and requirements.
  • Show that you prioritize security and safeguarding patient information.
  • Build your organization’s reputation and stakeholder trust.
  • Lower your insurance premiums by proving that rigorous cybersecurity standards are being met.
  • Eliminate the need for multiple assessments and reports.
  • Move faster when working with vendors and partners that are HITRUST CSF certified.
  • Prove that you have met HIPAA-mandated requirements.

The HITRUST Framework

The HITRUST Framework includes multiple regulations, standards, industry frameworks, state-specific laws, and business requirements in one central control repository. Instead of investing time and resources to comply with NIST, HIPAA, HITECH, and a myriad of different frameworks and standards, organizations can perform a single assessment and know that they are complying with their regulatory requirements. 

The HITRUST framework is as flexible as it is comprehensive. Designed with security and privacy professionals in mind, it will not include the same process and requirements for every company. 

Here’s an overview of the architecture:

  • The HITRUST framework leverages control categories, control objectives, and control specifications from the ISO/IEC framework, as well as other information security management programs and risk management practices.
  • The core structure is then integrated with various authoritative sources and best practices of the HITRUST Community to create specific implementation requirements for each control.
  • All HITRUST certification requirements are mapped to the related framework, standard, or regulation and noted as an authoritative source.

HITRUST Requirements

Each control category includes implementation requirements which provide detailed information to support the implementation of the control and meet the control objective. Requirements are defined through three progressive implementation levels—a concept leveraged from NIST’s risk management framework and expanded upon by HITRUST. 

The intent of any given control is the same, but the three HITRUST implementation levels take into account an organization’s risk factors, regulatory requirements, resources, and the type of HITRUST assessment being performed. Level 1 is the minimum; each subsequent level includes the previous level’s requirements along with additional requirements.

HITRUST also recognizes that various organizations may have specific community requirements (such as industry groups or cooperative sharing agreements), and it provides the capability for these requirements to be incorporated during the assessment process.

HITRUST Controls

The CSF contains 14 control categories, made up of 49 control objectives and 156 security and privacy-related control specifications. Control objectives are a statement of the desired result, while specifications mandate the specific tasks infosec teams need to perform to achieve the objective. These specifications can be policies, procedures, guidelines, practices, or organizational structures and may be administrative, technical, managerial, or legal in nature.

What Are the HITRUST CSF Control Categories?

  1. Information Security Management Program
  2. Access Control
  3. Human Resources Security
  4. Risk Management
  5. Security Policy
  6. Organization of Information Security
  7. Compliance
  8. Asset Management
  9. Physical and Environmental Security
  10. Communications and Operations Management
  11. Information Systems Acquisition, Development and Maintenance
  12. Information Security Incident Management
  13. Business Continuity Management
  14. Privacy Practices

How Many Domains Are in HITRUST?

The HITRUST CSF is broken down into 19 control domains, which are high-level subject areas that align with common IT process areas.

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Protection
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging & Monitoring
  13. Education, Training & Awareness
  14. Third-Party Security
  15. Incident Management
  16. Business Continuity & Disaster Recovery
  17. Risk Management
  18. Physical & Environmental Security
  19. Data Protection & Privacy 

HITRUST vs. Other Types of Compliance

HITRUST vs. HIPAA

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. It can be easy to confuse HITRUST vs HIPAA because of their strong ties to the healthcare industry, but HITRUST and HIPAA are actually quite different. HIPAA is designed to ensure that covered entities protect PHI, while HITRUST focuses on mitigating an organization’s information risks.

HITRUST | HIPAA
A framework created by security industry experts | A U.S. law created by lawyers and lawmakers
Applies to organizations across all industries | Only applies to organizations that manage PHI
Builds on the requirements of HIPAA, incorporating them into a security and risk framework | Requirements are nuanced and vary based on an organization’s size
Certification is done by an independent third-party HITRUST-certified assessor | Audits can be done in-house or with a vendor
Requires a passing score of at least 3 on a scale of 1-5 in each control category | Compliance is determined by a pass/fail system
Failing a HITRUST audit results in losing certification; there are no financial penalties | Steep penalties for non-compliance

HITRUST vs. SOC 2

SOC 2 is a popular security and risk assessment framework. HITRUST and SOC 2 both aim to address cybersecurity concerns in cloud-based systems, but they use different scoping factors. Another key difference is that while HITRUST works across industries, it was introduced to address problems related to securing health records and focuses on handling electronic protected health information (ePHI). SOC 2, on the other hand, was introduced to help software vendors and companies demonstrate their security controls to customers and partners.

HITRUST | SOC 2
Risk-based framework | Compliance-based framework
Introduced to help healthcare organizations secure electronic protected health information (ePHI) | Introduced to help software vendors and other companies demonstrate the security controls they use to protect customer data in the cloud
19 categories, encompassing 156 controls that align with HIPAA | 5 common Trust Services Principles with specific requirements that are unique per organization
Evaluates controls based on a maturity rating | Tests controls for design and operating effectiveness
Certification is good for two years | Requires a full-scope examination annually

HITRUST vs. NIST

The National Institute of Standards and Technology (NIST) is a non-regulatory governmental agency that develops policies, standards, and guidelines to help organizations in all sectors manage cybersecurity risk. The NIST Cybersecurity Framework is built around five ideals: identify, protect, detect, respond, and recover. While NIST is required for federal agencies and their contractors, it is completely voluntary for most organizations.

HITRUST | NIST
Required for organizations that manage healthcare information | Required for federal agencies and their contractors
Compliance is certifiable | Non-regulatory, voluntary guidance for most organizations
Takes the baseline security controls found in NIST and adds to them | Built around five ideals and six recommended organizational steps
Takes an organizational (top-down) approach to security | Takes a system (bottom-up) approach

HITRUST vs. ISO 27001

Published by the International Organization for Standardization (ISO), ISO 27001 is a widely known international standard for managing information security. It provides a management framework designed to help organizations of all sizes and industries protect their information in a systemic, cost-effective way. The focus is on developing a process for managing risks through a combination of policies and processes using specific requirements. 

The HITRUST CSF’s core structure is based on the ISO 27001 control clauses. Certifications require similar controls, though they differ in number. Both take an organizational (top-down) approach to security, but there are a number of key differences.

HITRUST | ISO 27001
Compliance and risk-based framework | Management/process model
Originated in healthcare; supports all industries | Primarily used in financial and healthcare sectors
The MyCSF tool supports assessment and compliance | Minimal assessment tools available
Certification is valid for two years | Certification is valid for three years

HITRUST Compliance Best Practices

You may have heard terms like “HITRUST measured and managed” or “HITRUST policy and procedure.” HITRUST uses five maturity levels as a scoring rubric for compliance. Each control will be assessed in five different areas:

  • Policy
  • Procedure
  • Implemented
  • Measured
  • Managed

Looking closer at the HITRUST Maturity Model and understanding the levels and areas for assessment is extremely useful. It can translate into best practices for your organization, giving you a roadmap to prepare for HITRUST compliance.

Refer to the following best practices for HITRUST compliance.

Upgrade and document your policies. 

Make sure your policies are formal, up-to-date, documented, and readily available to employees. They should be documented and based on NIST or ISO to meet the HITRUST requirements. They should cover all facilities, operations, and systems and be approved by key parties. Clearly assign security responsibilities and identify penalties if policies are not followed.

Formalize procedures. 

Make sure formal, up-to-date, documented procedures are provided to implement the security controls identified by the defined policies. You’ll need to outline procedures in detail and identify the “who, what, how, and when.” Clearly define information security responsibilities and expected behaviors and communicate procedures to everyone who needs to follow them.

Create and test your incident response and business continuity plans. 

Make sure you have an action plan in place so you know exactly what to do in the event of a security incident or breach. Your business continuity plan will ensure you can continue to function in the event of a disaster or business interruption. These are requirements for HITRUST certification. 

Implement technical controls for measurement. 

Validate the security of your system with technical controls like vulnerability testing and penetration testing. Tests should be routinely conducted to evaluate the adequacy and effectiveness of all implementations. These may include self-assessments, independent audits, and evaluations initiated by organizational management. Continually re-evaluate threats, and test individual controls frequently.

Verify consistent implementation.

Are your information security procedures and controls implemented in a consistent manner? Reinforce them through training, and discourage any ad hoc approaches. Conduct initial testing to make sure controls are operating as you intend.

Proactively manage and minimize risk. 

Correct identified weaknesses and make continuous improvements to policies, procedures, implementations, and tests. Integrate information security in budget planning, and make decisions based on cost, risk, and mission impact. Understand and manage security vulnerabilities, adapting controls to emerging threats.

Get organizational buy-in. 

The HITRUST certification process is a significant undertaking that will require a lot of heavy lifting—not only from the IT and security teams but also from others in the organization who might need to change their processes. Make sure you have executive support and the appropriate resources to be successful.

Adopt a culture of compliance. 

Some security audits are all about “checking the box,” but HITRUST facilitates a robust security program and organization-wide compliance culture. Making security a part of your organization’s daily routine and operations will make HITRUST certification much easier. No one wants to be cramming for a HITRUST exam at the last minute! 

Encourage business leaders to understand how adopting the framework benefits the business by addressing risk and providing guidance on important data protection elements. Strong information security isn’t just about the IT team; it extends across all departments with sensitive data to protect. This can include Risk Management, Procurement, Finance, Operations, Human Resources, Sales, Marketing, and many others.

HITRUST Compliance Checklist

HITRUST certification requires an independent assessment. The HITRUST certification timeline is approximately three to four months, with the length depending on the size and complexity of your organization. The process can be very overwhelming, and many organizations choose to work alongside a partner to prepare. 

Here is a HITRUST compliance checklist to help you understand the steps involved in getting certified and learn how to prepare for an assessment.

Step 1: Download the HITRUST CSF pdf.

The latest version of the HITRUST CSF framework is available to download for free on the HITRUST website. Download the latest HITRUST PDF, v9.6. (NOTE: This replaces the HITRUST CSF 9.3 pdf, HITRUST CSF 9.4 PDF, and other previous versions.)

Step 2: Determine scope. 

Perform an internal gap analysis of existing controls against the target controls in the HITRUST CSF. Outline the scope by defining which business units and subsidiaries are affected, the type of assessment needed, and the controls to address. This is a critical first step and can help your organization save time and money in the long run. 

Once you understand your information protection posture, you can develop and communicate a risk management strategy and implementation timeline throughout the organization. Many organizations seek assistance from an Authorized HITRUST External Assessor or certification partner to ensure they are prepared. 

Step 3: Purchase the MyCSF tool. 

Available through HITRUST, the MyCSF tool gives organizations a SaaS solution for performing risk assessments and corrective action plan management. Using it can help reduce resources, improve efficiency, enhance reporting and dashboards, streamline assessment modeling, and share assessment information. It is offered at varying subscription levels.

Step 4: Perform a self-assessment. 

Complete a questionnaire to provide information about your organization's size, risk exposure, and other factors. Your answers will determine which controls, which requirements, and which requirement levels you will need to implement. 

Step 5: Get an external audit. 

Hire a third-party auditor licensed by the HITRUST Alliance. They will begin with the data generated by your self-assessment and then dive into your security processes and controls in detail.

Step 6: Get validated. 

Submit the assessor's work to HITRUST for evaluation, and provide any evidence HITRUST requests.

Step 7: Receive a score from HITRUST. 

If the score is sufficient, HITRUST will issue a certification. If it’s not, you will receive a letter describing the reasons why the assessment failed and a corrective action plan to help achieve certification. You will then have an opportunity to resolve issues and—if you choose to—try again.

How Much Does HITRUST Certification Cost?

Because of its complexity, HITRUST certification is quite expensive. HITRUST cost estimates range from $36,000 to $200,000 depending on the size and complexity of your organization. Many companies aiming for HITRUST certification are likely to see prices in the six figures. Self-assessments are significantly less expensive, but you won’t receive the same level of security assurance you would by hiring a third-party assessor.

Although a validated HITRUST assessment and certification is costly, anyone can access and download the HITRUST CSF free of charge. Many organizations that find HITRUST pricing is beyond their budgetary limitations use the HITRUST framework PDF to achieve a number of information security goals.

How StrongDM Simplifies HITRUST Compliance

The StrongDM platform supports many of the most challenging parts of HITRUST compliance and HITRUST audits, such as access control, audit controls, integrity, and transmission security. You can simplify meeting your compliance requirements by automating least-privilege access and collection of audit evidence, centralizing logging, and locking down sensitive information to minimize the risk of data exposure or data loss. 

StrongDM also deploys built-in monitoring and log collection so you always have a record of access and permissions. This provides transparency into your compliance efforts, reveals potential risks, and supports formal and informal audits.

HITRUST: Frequently Asked Questions

Is HITRUST only for healthcare?

HITRUST is not only for healthcare. Although the framework was originally created to help manage the security risks that come with handling healthcare information, it has since expanded to embrace all industries.

Is HITRUST based on NIST?

HITRUST combines the base controls of NIST with controls from other widely-used frameworks. The two work together to help organizations achieve compliance.

When you complete a HITRUST assessment, you will receive a report including a scorecard that details your organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework. If you are HITRUST Certified, you can use the scorecard to assure management, business partners, and regulators of your compliance with the NIST Framework’s objectives and demonstrate compliance with the NIST Cybersecurity Framework. 

Does HITRUST replace HIPAA?

HITRUST does not replace HIPAA. The two are managed by different entities: HITRUST is a privately held company, while HIPAA is regulated by the federal government. HITRUST encompasses the requirements of HIPAA and incorporates them into a broader security and risk framework. Because of this, the HITRUST framework may be used as a means to achieve HIPAA compliance. Many organizations also use HITRUST CSF certification to demonstrate HIPAA compliance since there is no official HIPAA certification.

Is Your Organization Ready for HITRUST Certification?

As you can see from this comprehensive guide, HITRUST certification is a major undertaking that requires a significant investment in time, money, and resources. However, many companies find it to be worthwhile. The benefits of improved data security, reduced risk, and streamlined, efficient compliance across a number of regulations and frameworks can make up for the cost. 

HITRUST certification demonstrates that your organization has met the gold standard for compliance and brings peace of mind to your business, customers, and partners.

Ready to enhance your security posture and HITRUST compliance readiness? Request a StrongDM demo today.


About the Author

Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
