HITRUST Assurance Program FAQs
What is the HITRUST Assurance Program?
The HITRUST Assurance program is a common, standardized methodology to effectively and consistently measure compliance and risk via simplified information collection and reporting, consistent testing procedures and scoring, and demonstrable efficiencies and cost-containment; and additional assurances around the accuracy, consistency and repeatability of assessments due to the use of pre-qualified professional services firms—all of which is designed to meet the unique regulatory and business needs of the healthcare industry. In short, it is a risk-based approach to selecting HITRUST CSF controls for assessment, including management oversight of the assessment. The HITRUST Assurance Program delivers simplified compliance assessment and reporting that addresses multiple federal, state and industry requirements for both covered entities and their business associates.
How can I confirm an organizations certification status?
If you are in possession of a HITRUST report or letter PDF and are seeking verification that the PDF is authentic please contact firstname.lastname@example.org. You will be asked to provide a copy of the PDF in question and evidence showing you received it from the organization.
What is the process for an organization to achieve HITRUST Certification?
Before starting the Certification process, HITRUST recommends a self-assessment or readiness assessment be performed to prepare organizations for the validated assessment. To begin the Certification process, please select a HITRUST Assessor. Once you select an Assessor, you will need to purchase a validated assessment from HITRUST. Complete the validated assessment using the MyCSF tool and then the Assessor will perform the validation/audit work. Please note access to the MyCSF is granted for 90 days. Once the Assessor work is complete, please submit to HITRUST for review. HITRUST will create a report and, depending on the scores in the report, will issue a letter of certification.
How many organizations have completed a HITRUST Assessment?
38,000 HITRUST Assessments have been performed in the last three years with 15,000 HITRUST Assessments in 2015 alone. HITRUST anticipates a continued demand for its Certifications due to third-party assurance requirements from several major health organizations and requests for combined SOC 2 + HITRUST reports.
If I’m HITRUST Certified, does that mean I’m HIPAA compliant?
In principle yes, but it is not black and white. To be HIPAA-compliant, an organization must conduct a risk analysis and implement a reasonable and appropriate set of information safeguards—aka information security controls—to provide for the adequate protection of ePHI against all reasonably anticipated threats. In practice, organizations that want to demonstrate HIPAA compliance must generally show that it has addressed each standard and implementation specification in the Security Rule, including risk analysis. Organizations must therefore design or select multiple information security controls to provide the level of prescription necessary for implementation in the system or within the organization.
HITRUST helps organizations select these controls via its extensive mapping of the CSF controls to the HIPAA Security Rule’s standards and implementation specifications. Many of the HIPAA requirements are mapped to multiple controls, and the CSF controls themselves consist of multiple, specific protection requirements contained in multiple levels. By implementing the HITRUST CSF control requirements that are applicable to an organization based on its specific organizational, system and regulatory risk factors, each and every standard and implementation specification in the Security Rule is addressed in a very complete and robust way.
However, HITRUST certification is based on an assessment of a subset of the controls an organization is expected to implement. These controls were selected based on an analysis of past breach data and the need to address each and every standard and implementation specification in the HIPAA Security Rule. NIST supports the use of such targeted assessments to answer specific questions like this, and the use of a targeted assessment for HITRUST Certification ensures relying organizations receive reasonable assurances at a reasonable cost.
DHHS specifically references HITRUST and the CSF with respect to risk management and risk assessment in its Guidance on Risk Analysis Requirements under the HIPAA Security Rule, and OCR has stated entities with a strong compliance program in place, with the help of a credentialing/accreditation program or on its own, would have that taken into account when determining past compliance. Implementation of the CSF as the basis for an organization’s information protection program and subsequent use of CSF validated or certified assessments has been previously accepted by OCR as evidence of its compliance with the HIPAA Security Rule, assuming the assessment addresses the appropriate scope relevant to OCR’s audit or investigation. The HITRUST CSF and HITRUST Assurance Program has also been used in past resolution agreements with OCR.
What is the HITRUST QA Process?
The only change to the QA process is that the process will be performed in MyCSF. There are other changes that are being implemented to the QA process that are focused on ensuring the integrity and consistency of the assurance program. These changes will be announced as they are implemented.
Who will accept HITRUST Assurance Reports?
Many organizations accept HITRUST Assurance reports as a means of evaluating a business partner’s privacy and security controls and in fact a growing number of organizations require their business partners obtain a HITRUST Certification.
What is the length of time it takes to become HITRUST Certified?
The total amount of time it can take an organization to become certified is dependent on its initial readiness level and the amount of remediation needed to fully implement all the requirements in scope for the assessment. Most organizations will perform at least one self-assessment to gauge their readiness for certification and, once an organization is comfortable that they will meet the certification requirements, they will hire a HITRUST Authorized External Assessor to perform a validated assessment. These independent assessments can take anywhere from 2-8 weeks on average depending on the size and complexity of the organization and the scoped environment, and it can take a minimum of 8 weeks for the validated assessment to be processed and certification awarded by HITRUST. In general, it can take up to 3-4 months to complete the assessment and obtain certification once an organization is ready.
However, the established HITRUST post-submission Service Level Agreement (SLA) for an i1 is not greater than 45 business days with HITRUST (otherwise the customer’s next i1 Validated Assessment report credit is free); and for an e1 is not greater than 30 business days with HITRUST (otherwise the customer’s next e1 Validated Assessment report credit is free). This Service Level Agreement (SLA) is calculated using a measurement called “days with HITRUST”. The measurement is calculated from the earlier of the day that HITRUST begins QA (the day the assessment moves into the Performing QA phase), or the last day of the QA Block from the reservation. Days are counted for any business days where the assessment is in a HITRUST-owned phase before the draft report is posted. Validated Assessment submissions entering escalated QA due to quality concerns are exempted from this SLA, as processing such submissions may take longer than processing non-escalated submissions. The days with HITRUST measure are visible to customers as part of the assessment details page within MyCSF. Should HITRUST exceed the stated SLA, customers can request a complimentary report credit by contacting their Customer Success Manager within 14 days after the final report has been issued.
Is a HITRUST certification assessment more expensive than comparable assessments?
No, and this is a common misconception and in many cases the overall assessment costs associated with information security and privacy assessments are less than other 3rd party assessments. The alignment between the HITRUST CSF and Assurance programs allows a single HITRUST Assessment report to support multiple objectives, such as a HIPAA risk assessment and an assessment against the NIST Cybersecurity Framework, and in addition the same report can be accepted by external parties (such as business partners, government agencies) reducing the costs associated with multiple assessments.
For a fair comparison, one should consider various factors such as:
- Scope of the Assessment: Are both assessments reviewing the same scope?
- Applicability of the Control Requirements to the Environment: Are the controls requirements applicable to the organization or scope of assessment? Are they prescriptive and do they take into account relevant risk factors?
- Audit Ability: Does the framework have audit procedures to ensure consistency of assessment?
- Level of Assurance: How well is the process to ensure the control requirements implemented?
- Caliber of Organization Performing Assessment: Is It being performed by a 3rd party? What are the qualifications of the firm performing the assessment?
What are the various types of HITRUST Assessments?
- HITRUST Essentials, 1-year (e1) Validated Assessment. The HITRUST e1 Assessment adds efficiency and flexibility to the HITRUST portfolio by covering basic Foundational Cybersecurity practices that address the assurance needs of lower-risk organizations. The e1 also provides an excellent starting point for enterprises that are in the early stages of implementing their information security controls.
- HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification. The HITRUST i1 Assessment leverages a proven set of HITRUST-curated controls designed to ensure that an organization is exercising Leading Security Practices. The i1 provides reliable assurances against current and emerging cyber threats to help establish a strong and broad information security program. A HITRUST i1 Readiness Assessment and a Rapid Recertification Assessment are also available.
- HITRUST Risk-Based, 2-Year (r2) Validated Assessment + Certification. The HITRUST r2 Validated Assessment is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of review, and consistency of oversight. The r2 offers flexible, tailorable, risk-based control selection to meet the most stringent needs for organizations processing sensitive information or facing challenging regulatory requirements. HITRUST r2 Readiness, Interim, and Bridge Assessments available.
Does the r2 Assessment score differently than e1 and i1 Assessments to earn HITRUST Certification?
HITRUST Certification for an r2 Validated Assessment can be achieved when the minimum compliance level (PRISMA score of 3+ or 3 or straight average score below 62 with corrective action plans) is met for all 75 CSF controls required for certification (2019 CSF v9.2 requirement). An e1 or i1 Validated Assessment only scores Implementation and does not use PRISM scoring, so to achieve an e1 or i1 Certification, no assessment domain’s straight-average score can be below 83.