
How Much Does HITRUST Cost?

Written by HITRUST | Mar 27, 2024 7:00:00 PM

It’s not as much as you might think.  

HITRUST’s universal control framework is free 

HITRUST offers a universal assurance framework, the HITRUST CSF, that cross-references the major regulatory and industry control sets. It is the foundation of HITRUST's approach to security assurance. The HITRUST team uses threat intelligence to keep the HITRUST CSF cyber threat adaptive, so that the controls you implement track the threats currently being observed rather than only a static checklist.  

And like the other best things in life, a version of the HITRUST CSF is free. Eligible organizations can download the CSF from the HITRUST website and use it as a first step in evaluating their security practices against a structured set of controls, before spending anything on tooling or assessors.  

Evaluate your readiness 

Organizations preparing for a HITRUST certification, or simply evaluating where they stand, can use a readiness assessment. Readiness assessments can be performed as self-assessments or facilitated by an External Assessor; either way they produce a compliance scorecard that identifies gaps and the Corrective Action Plans (CAPs) needed to close them. Readiness assessments are not validated, meaning they do not result in certification, but they are a valuable, low-cost way to find out what remediation work a validated assessment would require.  

Seeking HITRUST certification?  

When your organization needs to prove that its security practices meet a recognized standard, you may need certification through a HITRUST validated assessment. HITRUST offers multiple options that are streamlined, cost-effective, and matched to different levels of cyber and risk maturity. The three types of certification are the e1, i1, and r2. All three are built on the HITRUST CSF, so you can progress from one to the next without losing your prior work.  

There are three primary components of HITRUST certification cost: the subscription to HITRUST's MyCSF SaaS tool, assessment reports, and the fees charged by independent, third-party assessors. 

Leverage the MyCSF SaaS tool 

The MyCSF SaaS tool enables you to assess, manage, and report on your information risk and security practices against the HITRUST CSF universal control framework. Subscriptions start at $17,325. Using MyCSF lets you move seamlessly from one assessment type to another, streamline your efforts, and develop risk management programs. Its custom dashboards offer multiple view configurations and easy data access. A corporate subscription also provides advanced analytics and support, and tracks CAPs.  

Additionally, MyCSF integrates with the HITRUST Shared Responsibility and Inheritance Program, a way to save time and money when working with third parties such as cloud service providers (CSPs). It gives users access to the HITRUST Shared Responsibility Matrix (SRM), which shows which provider controls are fully inheritable, partially inheritable, or not inheritable. Every control you can inherit is one you do not have to implement, test, and document yourself, which makes inheritance an effective way to lower the overall HITRUST certification cost. Learn more about how you can accelerate your HITRUST journey through Inheritance. 

Get detailed assessment reports 

HITRUST issues an assessment report after a readiness or validated assessment is complete. The price of a readiness assessment report begins at $3,465. The report offers a detailed evaluation: it identifies gaps, recommends CAPs, and gives an overview of the security of the assessed systems. A validated assessment report additionally includes your certification letter, the assessment scope, and the results. 

Independent External Assessor advisors 

Authorized, third-party assessors provide the necessary resources and advice, and perform the HITRUST assessments that evaluate compliance with the control requirements. Each assessor sets its own pricing based on factors such as the type of HITRUST certification (e1, i1, or r2), the systems to be certified, the scope of the assessment, timelines, and the amount of remediation needed.  

HITRUST works to ensure the objectivity and independence of these assessors but is not involved in setting assessor fees. HITRUST customers have indicated that e1 costs start as low as $10,000. 

Is HITRUST certification worth it? 

It depends. If your organization has little or no access to sensitive data, you may not need HITRUST; a simpler attestation, such as a SOC 2, might be enough. However, if you maintain or access high-stakes, sensitive data such as medical, payment, customer, or employee data; if your security practices are subject to regulation; if protecting your organization and its officers from liability is important; or if your customers want proof that you are safeguarding the data they entrust to you, HITRUST certification is more than worth it. HITRUST certifications are widely accepted by major global organizations and can become a competitive differentiator for organizations looking to work with vendors and partners they can trust.