Our 2024 Compliance Benchmark Report is out now! | Download the report

What is HITRUST? Complete Guide to HITRUST Certification

HITRUST is a standards organization focused on security, privacy and risk management. The organization developed the HITRUST Common Security Framework (CSF) to provide healthcare organizations with a comprehensive security and privacy program. This program was specifically designed to help organizations manage compliance and reduce risk.  

Although the HITRUST CSF has been around for more than a decade, many organizations still struggle with knowing if it’s the right certification for them.  

Here’s what you need to know before your organization decides to complete a HITRUST assessment.   

What is the HITRUST CSF?  

The HITRUST CSF is a comprehensive, flexible, and certifiable security and privacy framework used by organizations across multiple industries to efficiently approach regulatory compliance and risk management.  

This standard provides customers with confidence in knowing their data and confidential information are secure.  

HITRUST vs. HIPAA: What’s the difference?   

While HITRUST and HIPAA may seem similar on the surface, it would be inaccurate to truly pit the two of them against each other.   

HITRUST CSF is acertifiable security and privacy framework with a list of prescriptive controls/requirements that can be used to demonstrate HIPAA compliance. 

HIPAA, or the Healthcare Insurance Portability and Accountability Act, is a U.S. law that details a set of safeguards that covered entities and business associates must follow to protect health information.   

However, a more productive question to ask is “What is the best method for demonstrating HIPAA compliance within my organization?”    

If you’d like to learn more about why you might choose the HITRUST CSF as a means to achieve HIPAA compliance, check out our blog post explaining the benefits of this approach.   

Who must comply with HITRUST CSF? 

The HITRUST CSF was originally designed specifically for the healthcare industry. However, in 2019, HITRUST made the CSF industry agnostic, enabling organizations in any industry to pursue the certification.     

HITRUST Certification is not mandated by the Federal government but is considered to be the most comprehensive framework because of its mapping to many other standards, including HIPAA, SOC 2, NIST, ISO 27001 and  more. 

What are the benefits of HITRUST?   

Many organizations choose to undergo a HITRUST assessment because of how the CSF:  

  • Satisfies regulatory requirements mandated by third-party organizations and laws   
  • Accelerates revenue and market growth by differentiating your business from the competition  
  • Saves your organization time and money by leveraging a solid and scalable framework that includes multiple regulatory standards   
  • Unifies over 40 different regulatory requirements and recognized frameworks (such as ISO 27001, NIST SP 800-53, HIPAA, PCI DSS, etc.)  

What are the types of assessments?  

There are three types of HITRUST CSF Validated Assessments, each with its benefits. They are as follows:  

HITRUST CSF e1 Assessment, HITRUST CSF i1 Assessment and HITRUST CSF r2 Assessment. The e1 Assessment is a new Assessment type that HITRUST released January 2023.  

HITRUST CSF e1 Assessment 

The e1 is the cybersecurity essentials assessment with 44 control requirements and is meant for low-risk organizations that want to ensure they are maintaining good cybersecurity hygiene. It will provide a low level of assurance but can serve as a stepping stone for more robust HITRUST certifications like the i1 and the r2.  

More details on this new product can be found in our recent blog post.   

HITRUST CSF Implemented, 1-year (i1) Assessment   

The i1 Assessment  focuses on leading security practices with a more rigorous approach to evaluation than other existing assessments in the marketplace.   

The i1 Assessment provides moderate assurance. Although meeting all requirements of an i1 Assessment will lead to a 1-year certification, it does not have coverage for the 40+ regulatory factors in the HITRUST CSF.  

HITRUST made changes to the i1 Assessment as of January 2023. The new i1 Assessment is based on the new CSF v11 (also released January 2023) and has fewer controls than the current i1 Assessment. There are 182 control requirements in the new i1 Assessment vs. 219 in the previous version. Also, once the HITRUST i1 certification is obtained, the organization would have the option of doing an i1 rapid recertification in year 2 instead of an i1 full certification, if requirements are met.  More details on the new i1 Assessment and the rapid recertification option can be found in our recent blog post

HITRUST CSF Risk-based, 2-year (r2) Assessment  

Formerly known just as the CSF Validated Assessment, the r2 Assessment focuses on a comprehensive risk-based specification of controls. It also takes a very rigorous approach to evaluation, which is suitable for the high assurance requirement. This certification is issued for two years, and  an Interim Assessment must be completed at the one-year mark.   

Although this assessment provides the highest assurance level certified by HITRUST, the completion process is costly and requires a high level of effort and resources.  

If you’d like to learn more about the key differences between HITRUST i1 and HITRUST r2, read our blog post to learn about which assessment is best for your organization.  

What is the HITRUST assessment process?   

The HITRUST Assessment process is composed of five steps:  

  • Step 1: Define Scope. During this stage, an organization either works with a third-party assessor or an internal subject matter expert to define scope and determine what type of HITRUST assessment to undergo.  
  • Step 2: Obtain Access to MyCSF portal. The organization (the entity being assessed) contacts HITRUST to get access to the MyCSF portal. After receiving access, the organization should create its assessment object and engage an approved third-party assessor firm.   
  • Step 3: Complete a Readiness Assessment/Gap-Assessment. The assessor performs appropriate tests to understand the organization’s environment and flow of data between systems, and then documents any possible gaps. The gap assessment also ranks gaps in your organization by risk level, allowing you to remediate any gaps before the validated assessment.  
  • Step 4: Validated Assessment Testing. During the validated assessment (either the e1, i1 or r2 Assessment) testing phase, assessors review and validate the client scores, then submit the final assessment to HITRUST for approval. HITRUST will then decide whether to approve or deny your organization certification. The HITRUST QA stage in the process (before issuing the certification) can take anywhere from four to ten weeks, depending on the assessment and the assessors’ level of responsiveness.  
  • Step 5: Interim Assessment Testing. If certification is obtained as part of the r2 Assessment, an interim assessment is required to be conducted at the one-year mark  to maintain certification. It is important to note that an interim assessment is not required if certification was obtained via the e1 or i1 Assessment.  

To view a comprehensive, step-by-step guide to the HITRUST CSF Assessment process, download our HITRUST CSF Companion Guide.    

What are the HITRUST policies and procedures?   

The biggest challenge many organizations face in obtaining a HITRUST CSF Certification is establishing policies and procedures that satisfy the HITRUST requirements. This is more  challenging for r2 Assessments. It is important to note that some policies and procedures are still required to be tested in an e1 and i1 Assessment, even though the tests performed will be less rigorous than for the r2 Assessment.  

HITRUST policies and procedures must be created, documented, and in place for at least 60 days prior to the validated assessment to achieve full compliance. Policies are established guidelines and rules an organization and its employees must follow to achieve a specific goal, whereas procedures are the documented steps for the organization to meet the defined policies.  

For a full description of the specific policies and procedures  to obtain HITRUST CSF certification, read our blog post on the subject.  

Which policies and procedures does my organization need to document? 

The HITRUST CSF is a flexible and scalable security framework that is adapted to each organization’s compliance needs so the policies and procedures required will depend on your scope. 

You must have policies and procedures in place that address at least 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a scale from 1-5) for each control domain to earn HITRUST r2 certification. The HITRUST CSF control domains are: 

  1. Information Protection Program 
  2. Endpoint Protection 
  3. Portable Media Security 
  4. Mobile Device Security 
  5. Wireless Security 
  6. Configuration Management 
  7. Vulnerability Management 
  8. Network Protection 
  9. Transmission Protection 
  10. Password Management 
  1. Access Control 
  2. Audit Logging and Monitoring 
  3. Education, Training, and Awareness 
  4. Third-Party Assurance 
  5. Incident Management 
  6. Business Continuity and Disaster Recovery 
  7. Risk Management 
  8. Physical and Environmental Security 
  9. Data Protection and Privacy 

Why is it important to choose HITRUST-compliant vendors and partners?  

After receiving a HITRUST CSF Certification, continue managing risk by assessing exposure from third-party business partners.    

With cybersecurity compliance constantly evolving as new threats emerge, it doesn’t matter how great the security is if third-party vendors do not also have great security creating a risk exposure vector to your organization.   

In fact, many large healthcare corporations, including Anthem, Health Care Services Corporation (HCSC), Highmark, Humana, and UnitedHealth Group sent a memo to most of their downstream vendors to achieve HITRUST Certification. This was enacted to ensure the safe handling of all sensitive information.      

When selecting vendors, be sure to perform a risk assessment to confirm they have a risk mitigation strategy in place. This is the first step to ensure that they can protect the data that might be shared with them. Requesting a security compliance report, like a HITRUST Validated Assessment, SOC 2, PCI DSS, or NIST 800-53, among others, is a good approach to meet this objective.       

For more on how to properly vet HITRUST-compliant vendors, read our blog on the topic.  

Can HITRUST certification satisfy other requirements?  

In short, yes. HITRUST CSF Certification draws from several major pre-existing frameworks to provide a complete, certifiable security standard. The nature of this foundation may simplify the steps an organization needs to take to satisfy other requirements.  

Three major requirements HITRUST CSF Certification can help satisfy include SOC 2, ISO 27001/NIST 800-53 and FedRAMP.  


A SOC 2 report describes the internal controls at a service organization, providing users withmanagement assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. Service organizations that provide services to other business entities commonly use SOC 2 reports.    

HITRUST and the AICPA have developed a collaborative approach that aligns the AICPA’s Trust Services Criteria with the HITRUST CSF criteria. This converged reporting model makes HITRUST and SOC 2 complimentary services.     

HITRUST and ISO 27001/NIST 800-53   

The foundations of HITRUST CSF were actually built upon ISO 27001 and NIST SP 800-53. However, ISO 27001 is not control-compliance based, and is instead a management/process model for the Information Management System that is assessed.   

Unlike HITRUST CSF, NIST 800-53 does not address the specific needs within the healthcare industry. This means that while ISO 27001 and NIST 800-53 are both beneficial frameworks to demonstrate cybersecurity standards, they are not as comprehensive as HITRUST CSF.    

Fortunately, HITRUST Certification covers many more factors than ISO 27001 and NIST 800-53, making both assessments easier to attain after being HITRUST CSF Certified.   


The Federal Risk and Authorization Management Program (FedRAMP) is a certification that serves to raise confidence in the security of cloud service providers (CSPs) utilized by the Federal government.     

 FedRAMP requirements can be easily mapped to the HITRUST CSF framework. Organizations interested in pursuing FedRAMP certification should consider adding it to their HITRUST assessment. This provides a FedRAMP benchmark and reveals areas to mature, but  is not the equivalent of achieving FedRAMP Certification.    

For a complete list of requirements that HITRUST CSF Certification can assist with, read more here.   

Get started with HITRUST Certification 

HITRUST Certification may seem daunting, but it doesn’t have to be. There are many steps organizations can take ahead of time to streamline the process.   

The best way to set yourself up for a successful HITRUST Assessment is to make the time and resource investment upfront. This means hiring an external assessor firm that understands your business and industry, and has proven HITRUST Certification success. Thoroughly scope the project with your assessor to understand everything needed for the project.   

For more on the do’s and don’ts of beginning your HITRUST journey, check out this blog post.    

How long is HITRUST Certification valid? 

The HITRUST e1 and i1 certifications are valid for one year while the r2 certification is valid for two years if the Interim Assessment is completed successfully and timely.  

Note that the HITRUST certifications should be treated as a continuous improvement and monitoring assessment and not a static once and done type of assessment. And this is because the threat landscape is always evolving and so the HITRUST CSF. 

How much does HITRUST cost? 

HITRUST Certification greatly varies in price from approximately $40,000-$200,000, depending on the size, risk profile and scope of the assessment. 

The cost will be determined by the number of controls tested and the scope of the environment.  

Note that self-assessments are much less expensive but do not carry the same level of assurance because the process does not involve a third-party assessor. 

What’s an example of HITRUST Certification in the real world?  

Below are customer case studies in which the organization earned HITRUST Compliance to drive revenue, build customer trust and better their security posture.  

What’s the history of HITRUST CSF? 

HITRUST was founded in 2007 to make information security a focus of the healthcare industry. HITRUST has now moved beyond healthcare and is a widely adopted, industry-agnostic framework. 

Start your HITRUST journey  

With more than 400 successful HITRUST Assessments completed, A-LIGN’s team of HITRUST experts is here to answer any question you might have through every step of the process by responding to all inquiries within 24 hours. With A-LIGN, you’re on the right path to HITRUST Certification success.   

Speak with an expert at A-LIGN today!