External Assessors

External Assessors are organizations that have been approved by HITRUST for performing assessment and services associated with the HITRUST Assurance Program and the HITRUST CSF, a comprehensive security framework that incorporates the existing security requirements of organizations.

External Assessors are critical to HITRUST’s efforts to provide trained resources to organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF.

Readiness Licensees

Organizations that do not wish to join the HITRUST External Assessor program have the option to license the HITRUST CSF from HITRUST to conduct readiness assessments and provide consulting on HITRUST CSF control implementation. AICPA organizations that choose this option may also produce SOC 2 reports which contain an opinion on the applicable Trust Services Criteria and HITRUST CSF criteria. Please note, licensing the HITRUST CSF in this manner does not allow the firm to perform a HITRUST Implemented, 1-year (i1) Validated Assessment or a HITRUST Risk-based, 2-year (r2) Validated Assessment, which are the only ways for organizations to obtain HITRUST Certification. HITRUST i1 and r2 Validated Assessment engagements can only be performed by an approved HITRUST External Assessor organization.

How Do I Become a HITRUST External Assessor or Readiness Licensee?

In order to perform external consulting, readiness, or assessment services using the HITRUST CSF framework or MyCSF platform, an organization must have an active license with HITRUST. HITRUST performs a review of all applying assessor firms to ensure quality of the program. To begin your application, please refer to our HITRUST Requirements Document for details and links to the required application templates. If you have any questions regarding the application process, please contact us at csfassessor@hitrustalliance.net.

Search for a HITRUST Authorized External Assessor below.

Each HITRUST External Assessor Organization (“EA Organization”) has completed a HITRUST vetting process prior to becoming an EA Organization. As part of the HITRUST vetting process the EA Organization demonstrated the capability to perform a HITRUST Assessment. The HITRUST vetting process includes reviewing policies and procedures and the background of the individuals performing the assessments in addition to the requirements outlined in Chapter 3.2 of the HITRUST Assessment Handbook.

HITRUST strives to ensure that the list of EA Organizations on this webpage remains current and that the EA Organizations continue to meet our standards, but HITRUST cannot guarantee that any EA Organization will be successful in their role as an EA Organization on any specific engagement.  As outlined in 3.1.12 of the HITRUST Assessment Handbook, it is the responsibility of the Assessed Entity to perform its own due diligence prior to engaging the EA Organization to perform a HITRUST Assessment. HITRUST does not recommend EA Organizations for engagements.

Chat Now

This is where you can start a live chat with a member of our team