By Stephanie Musal • September 30, 2016

What is HITRUST?

HITRUST, also known as the Health Information Trust Alliance, is an organization that “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.” HITRUST itself is not a framework; it is the organization that created and maintains the Common Security Framework (CSF). The CSF harmonizes other compliance frameworks and standards, including HIPAA, HITECH, PCI, ISO, and NIST, into a single set of controls.

HITRUST builds on HIPAA. HIPAA is a regulation whose security requirements are non-prescriptive and come with no standardized way to assess compliance; HITRUST takes those requirements and wraps them in a standardized control framework, assessment methodology, and certification process for the healthcare industry.

The CSF process offers several levels of assurance, called Degrees of Assurance. The Degrees of Assurance scale with cost, level of effort, amount of time, and rigor, and each level builds on the one below it.

The following options exist for Degrees of Assurance:

  1. Self Assessment - A Self Assessment results in a HITRUST-issued CSF Self Assessment Report. The organization completes the CSF assessment on its own; no external party verifies any aspect of it. It is valuable mainly as an internal tool, because the organization is measuring itself against a standardized framework rather than an ad hoc checklist.
  2. CSF Validated - A CSF Validated assessment requires a third-party CSF Assessor, approved by HITRUST, to verify the information gathered by the organization. This Degree of Assurance requires an onsite visit by the CSF Assessor. HITRUST then reviews the completed and validated assessment and issues a Validated Report as the outcome.
  3. CSF Certified - A CSF Certified assessment is similar to a CSF Validated assessment: the organization must again be assessed by a CSF Assessor. The major difference is that an organization granted HITRUST CSF Certification has met all of the certification requirements of the CSF, not merely had its responses validated. This builds on the CSF Validated assessment in that HITRUST reviews both the organization's entries and the third-party assessor's validation, and then certifies the result. The resulting HITRUST CSF Certification is good for two years.
Compared to a HIPAA audit, HITRUST CSF Certification is a much more rigorous process with a higher burden of proof on the organization seeking certification. Achieving HITRUST CSF Certification requires significantly more time, effort, and resources than completing a HIPAA audit. For that reason, being HITRUST CSF Certified should be seen as a more significant badge of security and compliance than having completed a HIPAA audit.