Back to Basics: What is HITRUST?

A-LIGN’s HITRUST Assessors are often asked: What is HITRUST and why do I need it? As healthcare organizations face stricter regulatory needs in light of an increase in healthcare-related breaches, many organizations are considering HITRUST as an option for risk management and mitigation.

What is HITRUST?

HITRUST, or the Health Information Trust Alliance, was created in order to develop a consistent system for healthcare organizations and business associates to manage information security. The scalable framework is valuable to any organization that creates, accesses, stores or exchanges personal health information or financial information.

HITRUST uses many existing standards and regulations as a framework, such as HIPAA, HITECH, PCI DSS, COBIT, NIST, ISO and more. By utilizing a variety of standards, the HITRUST Common Security Framework (CSF) offers extensive certification options for organizations.  These include a variety of different implementation requirements that depend on the risks that your organization faces, as well as prescriptive requirements that ensure clarity. Controls can be modified based on organization size and type, system and regulatory requirements.

Who requests that I become HITRUST certified?

Organizations are typically asked by their partners and/or business associates to provide a CSF Assurance report. For example, large healthcare organizations such as Anthem Inc., Health Care Services Corp., and Highmark Inc., are requiring that their business associates take steps to become HITRUST CSF compliant.

Why do I have to do it?

Many organizations require that their business associates and partners use HITRUST as a consistent information security system. As a result, becoming HITRUST compliant gives your organization a point of differentiation among its competitors.

Additionally, becoming HITRUST compliant allows your organization to minimize the risk of a potential breach, which can be damaging to client relationships and the reputation of your organization.

Interested in learning more about HITRUST? Contact one of our certified HITRUST practitioners at or 1-888-702-5446.

Which HITRUST Assessment Scope Is Right for My Organization?

There are 14 different control categories, each with their own number of objectives and requirements. These include the following:

  • Information Security Management Program
  • Access Control
  • Human Resources Security
  • Risk Management
  • Security Policy
  • Organization of Information Security
  • Compliance
  • Asset Management
  • Physical and Environmental Security
  • Communications and Operations Management
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Privacy Practices

These control categories are high-level groupings based on ISO 27001 and 27002. Within these categories fall 46 control objectives, which essentially state what each control is trying to achieve. For example, requirement 0.01 requires that the organization implement and manage an Information Security Management Program. These controls are then broken down by implementation level, which supports the control that needs to be met and prescribes what level your organization needs to be at, depending on particular risk factors.

The CSF has 135 controls with 3 levels of implementation. Which control level is necessary is dependent on organizational, system and regulatory factors. Which of these controls are relevant to your organization is dependent on the scope of assessment that you receive: security, comprehensive or an assessment with privacy.

Security Assessment

Formerly known as the baseline assessment, the security assessment is a set of questions drawn from the MyCSF library across a variety of assessment domains. It can be used as an initial compliance assessment to determine where your organization is able to demonstrate satisfactory security levels to third parties. This assessment is designed to measure against 64 of the 149 implementation requirements, thereby providing a minimum set of requirements that covers each of the HIPAA Security Rule’s standards and implementation specifications. The scope of this assessment supports both self-assessment and third-party validated assessments.

Comprehensive Assessment

A comprehensive assessment pulls questions from the MyCSF library and spans 19 different assessment domains. This assessment measures where your organization is in more detail and is used to demonstrate satisfactory security levels to third parties, because it measures your organization against all of the implementation requirements, providing a higher level of assurance for each of the HIPAA Security Rule’s standards and implementation specifications.

The scope of this assessment also supports self-assessment and third-party validated assessments.

Assessment with Privacy

An assessment with privacy adds the 14th domain, privacy, to your assessment. This can be added onto your security assessment or your comprehensive assessment.

This is mandatory for companies operating within Texas, Massachusetts or Nevada, and could be mandatory for organizations doing business within these states, including both covered entities and business associates. However, organizations that are not doing business in these states can also select privacy if there is a contractual obligation to do so.

Ask A-LIGN’s Experienced Assessors: HITRUST

Because of the unique challenges facing the healthcare industry, companies are considering their options to mitigate and manage their risk. HITRUST offers a framework that allows for consistent implementation of the HIPAA requirements, but it generates many questions that need to be answered. Below are a few frequently asked questions that A-LIGN Partner Gene Geiger answers as he speaks with companies seeking HITRUST certification, including your firm’s options for HITRUST Certification.

What are my options to become HITRUST Certified? Are there any other options?

To become certified against the HITRUST Common Security Framework (CSF) you must undergo a validated assessment by a HITRUST Assessor Firm, and submit the assessment results using the MyCSF tool to the HITRUST Alliance for review and final Certification. The HITRUST Alliance will evaluate the submission and the scores received during the assessment to issue a certified report based on the scoring of your company. You may also undergo a self-assessment using the MyCSF tool or perform a SOC 2 + HITRUST CSF audit. The SOC 2 + HITRUST CSF audit is an assessment performed by a CPA firm that is also a HITRUST Assessor Firm. The Self-Assessment and the SOC 2 + HITRUST do not enable a company to become HITRUST Certified, but they do offer an option to demonstrate compliance against the HITRUST CSF.

Do I have to purchase the MyCSF tool from the HITRUST Alliance to become HITRUST Certified? Can I purchase that from you?

To become HITRUST Certified you must purchase and use a MyCSF subscription through the HITRUST Alliance. You cannot purchase the subscription through A-LIGN or any other assessor firm.

I’m a small to medium sized business; how am I expected to pass the same certification and meet the same controls of these large corporations? Are there any ways to reduce the cost of certification for a company of my size?

The HITRUST CSF was designed for organizations of all sizes. Compliance with each control is scored evenly and is either Non-Compliant (0), Somewhat Compliant (25), Partially Compliant (50), Mostly Compliant (75), or Fully Compliant (100). However, the HITRUST controls are assessed using a weighted scoring system. The scoring for the system follows a concept of “one can’t manage what one can’t measure” and its risk-based approach directly applies to small or medium sized organizations.

How do I know if I will pass the test and receive certification from the HITRUST Alliance? What happens if I fail?

Your team and the assessor firm will know if a control has met the passing score for certification. The MyCSF tool is scoring you as your assessor is evaluating each control throughout the process. You will know if you have received a passing score prior to the submission of A-LIGN’s assessment to HITRUST. If you did submit prior to meeting a 3 out of 5, the passing score for certification, you would still receive a validated HITRUST assessment report; however, you would not receive a certification from the HITRUST Alliance. If you do not reach certification as part of the first submission, you may be able to resubmit.

Will this assessment meet my requirements for my HIPAA compliance? What about my PCI-DSS Certification and NIST 800-53 compliance?

While HIPAA compliance is still a priority in healthcare, the HITRUST CSF can be used to translate HIPAA and HITECH requirements into a step-by-step compliance roadmap. HITRUST was built upon the ISO 27001 framework using controls from HIPAA, NIST 800-53, PCI-DSS, various state requirements (Nevada, Massachusetts, and Texas), and COBIT. Because of the variety of standards that are cross-referenced with HITRUST, your organization is able to mitigate risk more broadly than by solely meeting HIPAA compliance requirements. Although you are able to assess and audit yourself against various audit and security standards under the HITRUST CSF Certification, you will not receive additional certifications from PCI, ISO 27001, or NIST 800-53.

HITRUST Assessment Scoping Guidelines

We are routinely asked “which controls will A-LIGN test as part of the HITRUST assessment?”. The answer to that question depends on the environment and the outcome of the scoping process. Scoping occurs in the initial phases of your HITRUST assessment process in order to determine which controls will be included in your assessment.

When determining the scope of an assessment, there are three major factors that affect the risk within an organization. These are the type and size of an organization, the system that is being utilized, and what external regulations affect the organization. In combination, these three factors determine the appropriate implementation requirements.

However, one of the first things an organization should determine before attempting to configure their scope is why they are seeking HITRUST compliance. Are they seeking to satisfy the requirements of business associates? Are they looking to utilize the certification to demonstrate their level of information security and increase marketability through differentiation? Is it a regulatory requirement?

Determining this up front makes the scoping process much easier, because it develops a better understanding of the needs of your organization and of those affected by its decision to receive a HITRUST assessment.

Type and Size of an Organization

The type and size of the organization affect the risk and complexity of the organization being assessed. These organizational factors impact which controls are included in the scope. This is driven by the volume of business, which is determined by factors such as the number of transactions or number of records. It is also driven by the geographic footprint of the organization, whether in one state, multiple states or even global.

It may be helpful for large companies to break down the organization into the different business units. Because many healthcare organizations have many different functions within the entity, they should be broken down by their distinct operational differences. At times, it is also necessary to separate the organization by geographic segments in order to more appropriately comply with regional differences in regulation.

Systems in Use

Once the organizational size and type are clear, determining which systems are in use is the next step. When referring to the systems that are in use, focus on those that are used in the transmission, storage, or processing of electronic protected health information (ePHI) or other types of PHI.

Important factors include the accessibility of the systems:

  • From the Internet or other remote access operation.
  • Through a third-party of any kind.
  • From any public location.
  • From other systems.

Regulatory Factors

Regulatory factors also affect the scope of the assessment and can depend on geographic considerations as well as the other compliance needs of an organization. For example, if the organization also processes payment card data, the PCI DSS standard may be included in scope, or a state-specific data security standard may be included in the assessment.

Setting the proper scope is an important first step when pursuing HITRUST certification. The scope drives the subsequent steps in the process. If you have questions or would like additional information on HITRUST or how to establish the proper scope, please contact one of A-LIGN’s HITRUST CSF assessors to learn more.

An Overview of the HITRUST CSF and Related Frameworks

The HITRUST CSF is a comprehensive, certifiable security framework that pulls from HIPAA/HITECH, ISO 27001, NIST SP 800-53, COBIT, and PCI DSS, combining them to create a powerful framework.

The HITRUST CSF provides an integrated, prescriptive framework that works with the needs of the healthcare industry in order to comply with the necessary standards. The framework can be scaled for the various sizes and types of organizations and their control systems. It also allows for the tailoring and scaling of controls, with HITRUST oversight to ensure that the integrity of the framework remains intact and its application remains consistent.

The HITRUST CSF and ISO 27001

HITRUST recognizes the complex, global nature of the healthcare industry and the need for an industry-specific approach to information protection. Because of this, ISO/IEC 27001 was chosen as the foundation on which the HITRUST CSF was built, due to its place as an international standard for information security that can be modified and implemented for any organization.

ISO 27001 differs greatly from the HITRUST CSF: ISO 27001 is not control-compliance based, but is instead a management/process model for the information security management system (ISMS) that is assessed. One of the major benefits of the HITRUST CSF over ISO 27001 is the ability to select and create practical controls. ISO 27001 does allow controls to be tailored to better fit organizations that cannot implement a specific control, but it is not as complete in its ability to be tailored or scaled.

The HITRUST CSF and NIST 800-53

The HITRUST CSF also pulls from NIST SP 800-53, which was designed for United States government agencies. However, the standards are applicable to many different types of organizations. One of the key differences between NIST 800-53 and the HITRUST CSF is that NIST 800-53 does not address the specific needs within the healthcare industry.

Both NIST 800-53 and HITRUST CSF are compliance solutions that assess a set of controls through gap analysis of any controls considered within the scope for the organization or system.

One of the issues with NIST 800-53 that the HITRUST CSF addresses is the ability to scale controls to the specific organization; NIST 800-53 has no formal mechanism for an organization to do so. NIST 800-53 does allow controls to be tailored in certain situations when an organization is unable to implement a specific control, though this is more limited than in the HITRUST CSF, because NIST 800-53 defines control parameters based on the highest potential impact, regardless of the size or type of organization.

The HITRUST CSF and PCI DSS
PCI DSS is a payment card industry standard used to protect payment card data. Founded by the five major card brands, Visa, MasterCard, American Express, Discover and JCB, PCI DSS defines controls to enhance credit and debit card security.

In many ways, HITRUST has used this type of methodology in the creation of the HITRUST healthcare standard. HITRUST receives input from its board of directors, who are industry experts from major healthcare organizations, to tailor the framework to the industry’s needs.


While there are a variety of audit options for any organization, the HITRUST CSF provides scalable, prescriptive solutions for organizations of any type. By pulling from major pre-existing frameworks and working with healthcare organizations to better understand their needs, the HITRUST CSF provides a complete, certifiable security standard.

HITRUST Assessment Types & HITRUST Integration with SOC 2

Don’t make the climb to compliance more difficult than it has to be. With a comprehensive framework for organizations of any size, system or regulatory requirement, the HITRUST CSF allows for organizations to easily assess their current compliance while providing implementation requirements based on an organization’s risk factors.

Types of HITRUST Assessments

HITRUST offers two methods of approaching compliance with the HITRUST CSF, each providing its own benefits depending on the needs of an organization: the Self-Assessment, and the Validated Assessment, which leads to HITRUST certification. They provide varying degrees of assurance based on the cost, effort level, and time required. The benefits of any type of HITRUST CSF Assessment include:

  • Scalability for organizations of any size
  • Allows for organizations to understand their current level of compliance with the CSF and areas of general risk

HITRUST Self-Assessment

The HITRUST MyCSF self-assessment is designed to be completed by the organization itself in order to minimize the time and resources spent demonstrating compliance with the CSF. The self-assessment can also be used as a stepping stone to a validated assessment. The benefits include:

  • Low to medium level of effort needed to complete
  • Can be quickly completed

However, one of the disadvantages of completing a self-assessment report is that it provides the lowest level of assurance, as no validation comes from the self-assessment: it simply results in a HITRUST issued CSF Self-Assessment report.

Validated Assessment

A Validated Assessment is a more rigorous assessment process, performed by a CSF assessor firm to validate the information gathered by the organization, and it carries a higher level of assurance. One of the benefits of receiving a CSF validated assessment is the increased assurance level it provides to the relying entity.

The process is more rigorous because on-site testing at the entity is performed by an authorized CSF assessor. A validated assessment requires a medium to high level of effort for completion, due to the on-site time and rigorous testing procedures. Upon completion, HITRUST reviews the complete assessment and issues a Validated Report as the outcome if the organization has failed to receive a rating of 3 or higher on any of the controls.

Certified Assessment

While an organization goes through the same audit process when receiving either a validated assessment or a certified assessment, becoming HITRUST certified means that the organization received at least a 3 on HITRUST’s scale and has shown a high level of maturity.

The benefits of receiving a CSF certified assessment include:

  • The report is good for 2 years, with an interim assessment completed at the one-year mark.
  • Provides the most complete assurance level certified by HITRUST. The organization that receives a certified assessment must meet all of the certification requirements of the CSF.

A certified assessment is only earned once an organization successfully demonstrates that it is able to meet all of the controls in the CSF required for certification at the appropriate level based on organizational needs.

Integration with SOC 2

What is SOC 2?

SOC 2 reports describe the internal controls at a service organization, based on the AICPA’s Trust Principles:

  • Common Criteria (Security)
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

SOC 2 reports provide users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. The SOC 2 is widely used by service organizations that provide services to other business entities.

HITRUST and the American Institute of Certified Public Accountants (AICPA) have developed a collaborative approach that aligns the AICPA’s Trust Principles with the HITRUST CSF criteria. This allows licensed CPA firms that are also CSF assessor firms to issue a SOC 2 plus HITRUST report that includes both the SOC 2 criteria and the HITRUST CSF. This converged reporting model makes HITRUST and SOC 2 complementary services. The benefits for your organization include:

  • Save time
  • Save on costs
  • Gain efficiency
  • Increase your client satisfaction

This streamlining allows organizations to simplify the process of leveraging their HITRUST CSF assessment for SOC 2 reporting.
Understanding the HITRUST Specification and Scoring

HITRUST’s Risk Management Framework

In order for an organization to better assess potential risks and create safeguards for adequate protection of potentially sensitive information, HITRUST has created a comprehensive risk management framework that supports a basic 4-step process:

  1. Identify risks and define the protection requirements
  2. Specify controls
  3. Implement and manage controls
  4. Assess and report

Below, A-LIGN’s HITRUST experts cover the implementation and certification requirements of HITRUST.

Implementation Requirements

Risk Levels

Implementation levels are built upon three unique risk factors:

  1. Organization factors: for example, the type of organization, or the size of the organization.
  2. System factors: for example, internet connections, or the use of mobile devices in the organization.
  3. Regulatory factors: for example, state or specialized industry requirements.

The risk levels are placed into three designations (Level 1, Level 2, and Level 3) depending on the complexity and risk of the systems within the organization. Because of this, an organization will not necessarily have the same level across all of its systems. The prescriptive system is as follows:

Level 1

This is the minimum security requirement set for any system of any size, and it serves as a baseline for the industry in order to meet all HIPAA Security Rule requirements.

Level 2

All of the functionality and control of Level 1, but with additional functionality and/or an increase in the strength of a Level 1 control. Level 2 is only required for an organization that has a system with an increased risk due to the complexity of their organization, system or regulatory factors.

Level 3

All of the functionality and control of Levels 1 and 2, but with additional functionality and/or an increase in the strength of Level 1 and 2 controls. Level 3 is only required for an organization that has a system with an increased risk due to the complexity of their organization, system or regulatory factors.

Certification Requirements


Each section is scored as a percentage of your final score. Scores are determined through the percentages available in Figure 1.


To receive a final score, you multiply the scoring category percentage (Fig. 1) by the score (Fig. 2). For example:


In the sample, the organization would score a 68.75 in the access controls section. This percentage is then converted into a 15-level maturity rating in order to find your final score.


In the example from Figure 3, a score of a 68.75 would merit a maturity level of 3.

In order to receive a certified report, each domain MUST score at least a 3 on the HITRUST’s 1- to 5+ scale. If you do not earn a score of 3+ or higher, you will raise a Corrective Action Plan (CAP). You can still be certified with CAPs as long as the overall score of the domain is a 3. Any domains that do not receive at least a 3 will result in the generation of a validated report.

There are 64 controls required for certification, and the focus should be on continual improvement in all control groups.

Corrective Action Plans (CAPs)

Once HITRUST has delivered an organization’s draft report, certification CAPs will be entered into the tool. Basic CAP management functionality will be opened up for any organization that does not have the CAP management module. CAPs can then be entered for each control identified as deficient. Once the CAP is reviewed by HITRUST, the modifications are added to the next draft version of the HITRUST report.
The Challenges Facing Healthcare & How HITRUST Can Help

The healthcare industry currently faces strict regulatory requirements, causing many challenges when considering the options for risk management and mitigation. These challenges include, but are not limited to:

  • Inconsistent implementation of acceptable minimum controls.
  • Inefficiencies associated with varying interpretation of control objectives and safeguards.
  • Increasing scrutiny from regulators, auditors, underwriters, customers and business partners.
  • Growing risk and liability including data breaches, regulatory violations and extortion.
  • Public and regulatory concern over industry breaches.
  • Inability to implement security in medical devices and applications.
  • Rapidly changing business, technology, and regulatory environment.

In order to mitigate these challenges, HITRUST can be implemented to minimize risk and alleviate healthcare pain points.

What is HITRUST?

HITRUST, or the Health Information Trust Alliance, was established to create a certifiable standard for approaching regulatory compliance and risk. Developed in collaboration with healthcare and security professionals, this framework provides a comprehensive, flexible and consistent system to address compliance and manage risk. Because of this, it is the most widely adopted framework in the healthcare industry. Controls can be tailored based on the following factors:

  • Organization size and type
  • System complexity and use
  • Regulatory requirements

At its core, the HITRUST CSF (Common Security Framework) is built upon other standards and authoritative sources relevant to the healthcare industry, including ISO 27001, NIST SP 800-53 Rev4, and the HIPAA Security, Breach and Privacy Rules, and it can be completed according to SOC 2 criteria. By compiling these standards, HITRUST is able to align existing controls and requirements from standards, regulations, business and third-party requirements, incorporating compliance and risk management principles. HITRUST supports CSF certification and defines a process to effectively and efficiently evaluate security and compliance risk, which includes the HIPAA Final Rule requirements. Annual updates to the HITRUST framework are based on:

  • New security standards and regulations
  • Changes to existing authoritative sources
  • Breach data
  • Industry feedback, best practices and lessons learned.

Advantages of HITRUST Implementation

Consistent. With a single benchmarking method, HITRUST leverages and enhances existing standards and regulations to provide organizations of any size with prescriptive implementation requirements.

Efficient. It obtains industry consensus and incorporates best practices on the most effective way to address information security.

Cost-reducing. With a single, unified approach to compliance across the organization, it allows service organizations to be assessed once and to report often.

Risk-minimizing. The facilitation of internal and external measurement incorporates existing healthcare compliance requirements. Implementation increases trust and transparency among business partners and consumers.