
The HITRUST CSF is a Single Framework for All HITRUST Assessments + Certifications

The foundation of all HITRUST programs and services, including Certifications, is the HITRUST CSF, a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. The CSF harmonizes multiple standards and more than 40 authoritative sources while providing prescriptive and granular control requirements and leveraging a common assurance methodology across all HITRUST Assessments.

Developed in collaboration with data protection professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single overarching security and privacy framework.

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources organizations globally need to be certain of their data protection compliance.

What is the process for my organization to achieve HITRUST Certification?

The organization should first determine the business drivers for attempting certification, which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. The assessed entity will need to determine whether it is going to pursue a HITRUST Implemented, 1-Year (i1) Validated Assessment or a HITRUST Risk-Based, 2-Year (r2) Validated Assessment. For either an i1 or an r2, HITRUST recommends that a Readiness Assessment be performed to prepare the organization for the Validated Assessment.

Organizations can involve Authorized Internal and External Assessor Organizations as part of the Readiness Assessment. Based upon the results of the Readiness Assessment, the organization should develop a remediation plan and work with its Authorized External Assessor Organization to define the timing of the Validated Assessment.

Prior to beginning the Validated Assessment, the organization will need to purchase a Validated Assessment object from HITRUST if they are not a MyCSF subscriber. The organization will need to complete the Validated Assessment using the MyCSF tool and then the Authorized External Assessor Organization will be required to perform the validation/audit work. Once the Authorized External Assessor Organization’s work is complete, they submit the assessment to HITRUST for review. HITRUST will perform quality assurance procedures, create a report and, depending on the scores in the report, will issue a Letter of Certification.

Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.



Learn more about HITRUST Assessments and the journey to HITRUST Certification.

