Why am I being asked to provide a HITRUST Certification?

HITRUST Certification provides assurances of transparency, integrity and validity of the assurance process to your customers, vendors, and others with whom your organization does business. It also provides centralized, secure, electronic distribution of your certifications to those you designate. Unlike most other certification and accreditation bodies that are fragmented and decentralized, HITRUST is the sole issuer of all HITRUST Assessment results. 

I’ve been asked to obtain HITRUST Certification. What’s next?

We recommend you start the certification process by speaking with a HITRUST Certification Expert. They will guide you through the Readiness step and provide you with information about the options for certification to help you identify which is the best fit for your organization. HITRUST offers several approaches that vary in complexity, time, and investment. Following the Readiness step, a likely next step in the certification process will involve engaging a certified External Assessor, who will lead you through assessment, gap remediation, and, ultimately, HITRUST certification.

HITRUST Assessment Journey


What is HITRUST Certification?

HITRUST offers three information protection assessments, all of which allow an organization to assess the maturity of their information protection program. All three assessments can be performed as readiness or validated assessments.

HITRUST readiness assessments are designed to allow an organization to identify the controls that they will be assessed against, understand their current state maturity, and plan remediation where needed.

HITRUST validated assessments allow organizations to achieve HITRUST Certification. As a result, these assessments are subject to rigorous control validation procedures by HITRUST Authorized External Assessors and quality assurance procedures by HITRUST to ensure every report is rely-able.

All HITRUST assessments:

  • are threat adaptive, meaning that they are regularly updated by HITRUST to ensure they address the most common cyber threats based upon data received from a leading threat intelligence provider.
  • are scored using a control maturity model which allows an organization to demonstrate compliance
  • utilize the HITRUST CSF, a leading information protection framework which is built upon over 40 authoritative sources, such as ISO 27001, NIST SP 800-53, CCPA, HIPAA and GDPR, and MyCSF, our innovative Software-as-a-Service delivery platform that allows organizations to rapidly perform assessments
  • benefit from shared, nested CSF controls so past assessment work can be leveraged and reused

How do I obtain a HITRUST Certification?

HITRUST Certification represents the gold standard in information protection assurances. This achievement demonstrates your organization is taking the most proactive approach to data protection and risk mitigation and adhering to the highest information security standards. HITRUST Certification is globally recognized, and applicable to all industries, throughout the supply chain. Certification allows your organization to prove you have undergone a rigorous control maturity assessment. HITRUST Certifications are the result of completion of a validated assessment where the necessary scoring threshold to achieve certification has been met.

What are the benefits of HITRUST Certification?

  • Provides significant assurances that can be relied upon by third parties such as clients, vendors, shareholders, and internal stakeholders
  • Differentiates your organization relative to security and privacy posture
  • Reduces unnecessary efforts of responding to third-party proprietary questionnaires
  • Increases awareness of your organization’s relative exposure, inherent risk, current security posture, and the maturity of your information risk management program
  • Demonstrates that your organization is committed to managing risk, improving its security posture, and meeting compliance requirements
  • Potentially helps save on cybersecurity insurance premiums
  • Starts conversations and potential new business partnerships with organizations that may require in-depth, third-party-verified assurances


Why would I need a HITRUST Certification if my application and data are hosted in a HITRUST-Certified cloud environment?

Security assurances and implementation of sufficient controls always remain the responsibility and accountability of cloud tenants, whether the hosting cloud environment is HITRUST-Certified or not. Only the cloud tenants ultimately control who, how, or when their data and applications are accessed. Therefore, as a cloud tenant, you are on the hook for ensuring your own customers can safely use the application and not risk unauthorized access to their data. Fortunately, when hosting in a HITRUST-Certified cloud environment, cloud tenants have the opportunity to save significant time, money, and effort by relying on (or “inheriting”) up to 60% of HITRUST CSF controls already covered by HITRUST-Certified cloud providers that secure the underlying cloud infrastructure and physical security that host tenant applications and data.

Who uses, recommends, and accepts HITRUST Certification?

  • 81% of US hospitals and health systems
  • 83% of US health plans
  • 75% of Fortune 20 Companies

HITRUST Selected for TEFCA Security Certification
Health 3rd Party Trust Initiative

What assessment do I need?

HITRUST offers three primary assessments, which vary by levels of assurance, complexity, effort, time to complete, and expense. Each level builds on the next, giving you the option to leverage previous, active certifications to enhance your level of assurance. This lets you meet and exceed what one customer requires, in favor of an approach that will satisfy multiple requirements of multiple organizations with whom you do business. We recommend starting with a conversation with one of HITRUST’s certification experts in order to consider and understand your options. You can also learn more about HITRUST’s certifications on our website.


HITRUST Assessment Portfolio by Level of Effort and Assurance


How do I choose an assessor?

External Assessors are organizations that have been approved by HITRUST to perform assessments and services associated with the HITRUST Assurance Program and the HITRUST CSF, a comprehensive security framework that incorporates the existing security requirements of organizations. They are critical to HITRUST’s commitment to providing trained resources to organizations of varying size and complexity to assess compliance with security control requirements and document corrective action plans that align with the HITRUST CSF.

HITRUST External Assessor Organizations have been thoroughly vetted and have demonstrated the ability to perform HITRUST Assessments. Visit HITRUST’s External Assessor search page to learn more.

Questions to Ask Potential Assessors

These questions can help determine if an External Assessor is the right fit for your organization.

  • How many HITRUST assessors do you have employed at or working with your organization? What are their specific HITRUST assessor certifications?
  • Is your organization under any corrective action agreements with HITRUST?
  • Has your organization performed any assessments similar in complexity to mine?
  • Is your organization familiar with my industry? Have you performed validated assessments for any other organizations within my industry?
  • What is your process/methodology for completing validated assessments?
  • Have any of your validated assessments ever failed HITRUST’s QA review?
  • Have any of your validated assessments ended up with a Validated Report and not Certification?
  • What are the expectations of my team?
  • What case studies can you share? Are there reference customers I can speak with?


For Additional Information: Contact your HITRUST Product Specialist

Call: 855-448-7878 or Email: sales@hitrustalliance.net
