HITRUST FAQs: Your Top HITRUST Questions Answered

HITRUST is becoming increasingly required by organizations to ensure robust protection of sensitive data. Manage third-party risk effectively.

Lee Pierce
Audit
Cybersecurity
Auditor Tips

What is HITRUST, and do I need to have this assessment performed?

“The HITRUST CSF is a comprehensive set of controls designed to help organizations manage and safeguard sensitive information, ensuring compliance with various regulations and standards such as HIPAA, NIST, PCI-DSS, and GDPR.”

HITRUST is becoming increasingly required by organizations to ensure robust protection of sensitive data, such as PII and PHI, particularly when working with third parties. For example, initiatives like Health 3PT accept HITRUST certification as a trusted way to manage third-party risk effectively.

What are the three types of HITRUST assessments?

There are three: the e1, the i1, and the r2 assessment types.

What is the e1 assessment type? 

A HITRUST e1 assessment (the "Essential 1-year Validated Assessment") is a cybersecurity evaluation by the Health Information Trust Alliance (HITRUST) that focuses on an organization's compliance with foundational cybersecurity controls. It is designed to be a low-effort way for companies to demonstrate basic security practices and is particularly suitable for startups or organizations with low-risk profiles. It is considered the entry-level assessment within the HITRUST framework, validating adherence to 44 critical security controls for a one-year period.

What is the i1 assessment type? 

The i1 assessment builds on the e1 by including its 44 controls plus additional ones, totaling about 182 controls. It focuses on leading cybersecurity practices and operates on a two-year cycle. In the first year, all 182 controls are reviewed, while the second year involves a rapid re-certification with only 60 controls, making it more cost-effective. This step-up assessment is suited for organizations aiming for enhanced security assurance.

What is the r2 assessment type? 

The r2 assessment is considered the gold standard for HITRUST, offering the most comprehensive coverage. It includes the controls from the e1 and i1 assessments and adds any additional controls applicable to your business. The number of controls varies based on your organization’s complexity, typically ranging from 200 to over 2,000. 

Before starting an r2 assessment, a detailed analysis of your company’s attributes is required to determine the scope. This assessment is ideal for organizations seeking the highest level of security assurance.

How long does a certification take?

The timeline for certification depends on the assessment type and your organization’s complexity:

  • e1 assessment: Typically 3–4 months.
  • i1 assessment: Usually 6–8 months.
  • r2 assessment: Varies widely, based on complexity. Smaller organizations may achieve certification in 10–12 months, while larger or more complex environments can take up to two years.

Internal deadlines and the organizational environment will play a significant role in determining the most suitable approach. “We acknowledge that the process may become intricate; however, it does not necessarily need to be if one maintains a smaller operational footprint.”

Is there flexibility to jump from a low-level of assurance assessment (e1) to a high-level assessment? 

Yes, there is flexibility and “you don't have to feel like you're locked into any one particular standard.” 

You can start with an e1 and transition to an i1 or r2 in subsequent years. The process is fluid, so you're not locked into one standard. Additionally, both the i1 and r2 operate on two-year cycles, with the second year involving a reduced scope assessment, which lowers costs and effort.

How much work is needed to prepare for HITRUST?

Preparing for a HITRUST assessment can require significant time and effort, especially if you're managing it alone, potentially demanding several hours of work per week. Many organizations find it challenging to balance this with their daily operations, which is why partners like Privaxi offer comprehensive support. 

“This is one of the reasons why SecurityMetrics brought Privaxi in as a partner, because a lot of our customers simply were throwing their hands up and saying this is crazy, we don't have time for this” (Lee Pierce).

Privaxi acts as an extension of your team, managing the entire process from gap analysis to evidence gathering. They break down the HITRUST domains, cross-reference existing frameworks like PCI or ISO 27001, and assist with technical configurations for platforms like AWS and Azure. They also help develop and tailor policies and procedures to your organization’s needs. By leveraging their expertise, organizations can focus on daily operations while ensuring readiness for validation with less strain on internal resources.

How much time do I need to commit a week when working with Privaxi?

When working with Privaxi, your commitment is typically 1–2 hours per week. These sessions focus on understanding your business environment, identifying systems processing ePHI, and gathering requirements. “It’s crucial and essential to understand the business operations and their environment so we can identify what's processing ePHI, who it touches, the systems that it has, and so forth” (Peter Briel). 

Privaxi handles the heavier lifting on the back end, providing full support with auditors, policy experts, and technology specialists to streamline the process.

How do I prioritize HITRUST tasks, or what should I do first? 

Start by addressing the technology requirements since HITRUST mandates a 90-day incubation period for technologies to be operational before they can be validated. For example, you can't install a firewall and submit it as evidence the next day—it must be in place for at least 90 days.

Next, focus on policies and procedures, which require a 60-day incubation period. By tackling these early, you ensure they meet the timeframe requirements while freeing up time to work on other framework areas. Using a predefined list of requirements can help streamline this process and keep you ahead of deadlines.

How does HITRUST compare to other assessments I’ve completed, such as SOC, NIST, CSF, etc.? 

HITRUST integrates elements from frameworks like NIST, ISO, PCI, and HIPAA, but it is more comprehensive and rigorous. While frameworks like NIST focus on specific controls, HITRUST covers a broader range of domains, including cybersecurity, privacy, and risk management. It also requires more thorough documentation and evidence collection—simply having policies and procedures, as in a HIPAA audit, isn't enough; HITRUST demands detailed evidence at a granular level.

HITRUST is considered the gold standard in cybersecurity because of the depth and the customization required to meet its standards. Additionally, organizations can leverage prior efforts from other assessments (like SOC or PCI) through a mapping exercise, reducing redundancy in the process.

A readiness assessment is crucial before attempting HITRUST validation. It ensures your organization is fully prepared and that the foundational work is solid, making the validation process smoother.

Have you ever worked with organizations that do little preparation and just want to focus on evidence gathering? How does that play out?

Yes, this happens often. Many organizations, due to limited resources or internal staff turnover, find themselves unable to fully prepare for assessments. They may engage us primarily to gather the necessary evidence, including policies and procedures. This situation can arise when companies are already under pressure or when key team members leave, disrupting the continuity of preparation efforts.

In these cases, we step in to assist, often offering services ranging from light consulting to full evidence gathering. Some organizations prefer minimal external involvement and may limit us to "read-only" access to their systems, while others are more open to hands-on support. The key challenge in these situations is ensuring that all required evidence is properly collected and meets HITRUST’s rigorous standards, even when preparation has been minimal.

What are the typical milestones of a HITRUST readiness assessment?

A HITRUST readiness assessment includes several milestones, such as: 

1. Scoping:

  • The first step is defining the scope of the assessment. This involves holding a scoping call with the client to establish which domains and controls apply to their business.
  • You'll need a MyCSF subscription for this process, which is where you’ll manage the assessment.

2. Technology and Documentation Preparation:

  • Start by addressing technical requirements (such as systems, firewalls, and controls) first, since technology is subject to the required 90-day incubation period.
  • Simultaneously, review and start gathering evidence for your policies and procedures.

3. Evidence Gathering:

  • Begin collecting evidence for both the technology and policy aspects of the assessment.

4. Timeline Estimation:

  • Estimate a readiness timeline for gathering all required information and documentation. Once everything is in place, you’ll be ready to set a validation date.

5. Validation Setup:

  • Define a validation date in the MyCSF portal.
  • Schedule a QA slot with HITRUST to ensure everything is in order before submission to SecurityMetrics for validation.

6. MyCSF Subscription and Costs:

  • The MyCSF portal typically costs between $16,000–$18,000 per year, with discounts available for multi-year agreements.
  • Additional costs apply for QA reviews by HITRUST, which can cost as much as:
    • e1: $5,700
    • i1: $6,650
    • r2: $7,750

7. Validation and QA Review:

  • After submitting the documentation and evidence, it can take several weeks for HITRUST to perform a QA review, depending on their workload and any follow-up questions regarding evidence.

8. Remote Validation:

  • HITRUST validation can be completed remotely, although some clients request on-site work (which is rare).

9. Collaboration Tools:

  • Throughout the process, tools like Asana, Microsoft Teams, Slack, and OneDrive are used to ensure smooth collaboration and communication between teams.

This structured approach helps ensure that the readiness assessment is comprehensive and on track for a successful HITRUST certification.
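As an added illustration (not code from the original FAQ, nor from Privaxi or SecurityMetrics), the Python script below applies the two incubation periods stated in the prioritization answer and in milestone 2 (90 days for technology, 60 days for policies and procedures) to a constructed evidence inventory, computing the earliest date on which every item has matured and listing the items that would still be inside their incubation window on a planned validation date. The control names and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Incubation periods as stated in the FAQ: a technology must be operational
# for 90 days, and a policy or procedure in effect for 60 days, before it
# can be submitted as evidence.
INCUBATION_DAYS = {"technology": 90, "policy": 60}


@dataclass
class Evidence:
    name: str
    kind: str        # "technology" or "policy"
    in_place: date   # date the control went live or the policy took effect

    def __post_init__(self):
        if self.kind not in INCUBATION_DAYS:
            raise ValueError(f"unknown evidence kind: {self.kind!r}")


def matures_on(item: Evidence) -> date:
    """Earliest date on which this item satisfies its incubation period."""
    return item.in_place + timedelta(days=INCUBATION_DAYS[item.kind])


def earliest_validation_date(items) -> date:
    """Earliest date on which every item in the inventory has matured."""
    return max(matures_on(i) for i in items)


def not_ready(items, planned: date) -> list:
    """Names of items still inside their incubation window on the planned date."""
    return [i.name for i in items if matures_on(i) > planned]


# Constructed sample inventory (hypothetical names and dates, not from the page).
SAMPLE = [
    Evidence("perimeter firewall", "technology", date(2024, 3, 1)),
    Evidence("SIEM log retention", "technology", date(2024, 4, 15)),
    Evidence("access control policy", "policy", date(2024, 5, 1)),
    Evidence("incident response procedure", "policy", date(2024, 5, 20)),
]

if __name__ == "__main__":
    planned = date(2024, 7, 1)
    print("earliest validation date:", earliest_validation_date(SAMPLE))
    print("not ready on", planned, ":", not_ready(SAMPLE, planned))
```

Feeding the script your real inventory shows which late-deployed technologies or freshly approved policies are the ones actually gating the validation date.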

What happens if I have staff leave during the HITRUST certification process?

When staff leave during the HITRUST preparation process, it can be a significant disruption. However, having a readiness assessor partner like Privaxi helps mitigate this issue by providing additional staffing support to ensure the project continues smoothly. Here’s how it works:

1. Staff Augmentation:

  • If key staff members leave, Privaxi can step in with their team to provide the necessary expertise and resources to continue moving forward with the project. This means you’re not left scrambling to fill gaps with limited internal resources.

2. Full Spectrum of Support:

3. Continued Progress:

  • By leveraging external expertise, clients don't need to pause their efforts or put the project on hold. Whether it's for technical guidance, policy development, or evidence gathering, your readiness assessor partner can keep everything on track, regardless of staffing changes.

This approach ensures continuity and reduces the impact of staff turnover on the readiness and validation process.

Who do I engage with when working with both SecurityMetrics and Privaxi?

When working with both SecurityMetrics and Privaxi, you only need to engage SecurityMetrics for all legal and contractual aspects.

Here's how it works:

1. Single Point of Contact for Legal Documentation:

  • All legal documentation, including the Master Services Agreement (MSA) and Statements of Work (SOW), will come from SecurityMetrics.
  • This streamlines the process, as you only have to manage a single agreement, even though you're benefiting from both companies' expertise.

2. Carve-Out for Intellectual Property:

  • There will be a carve-out in the agreement to ensure that Privaxi transfers full ownership rights of any intellectual property (IP) developed for you during the project. This ensures you maintain full control over any custom work created by Privaxi.

3. Billing and Invoicing:

  • All billing and invoicing will be handled through SecurityMetrics. You won't have to deal with two separate vendors or separate invoices, which simplifies the financial side of the project.

4. Seamless Collaboration:

  • Even though you’re working with both SecurityMetrics and Privaxi, you’ll only deal with SecurityMetrics for all contracts and financial matters. This allows for a smoother engagement without the complexity of managing multiple vendors.

This approach eliminates the need for multiple agreements and invoicing, offering a more streamlined experience while still getting the combined expertise of both organizations.

Can the HITRUST certification help me get other certifications?

Yes, HITRUST certification makes it easy to jump on the path to other certifications, such as:

  1. NIST 800-53: If you've completed the HITRUST r2 assessment, the work you've already done for HITRUST will make the NIST 800-53 certification much easier to achieve. The controls and frameworks overlap, meaning much of the heavy lifting is already done in the HITRUST process.
  2. ISO 27001: Similarly, once you have HITRUST r2, ISO 27001 certification becomes a more achievable goal. The alignment of controls within HITRUST provides a strong foundation for meeting the ISO requirements.
  3. SOC 2: There’s also a significant amount of cross-referencing between HITRUST and SOC 2 controls, especially around security and operational procedures. If you’re HITRUST-certified, transitioning into SOC 2 can be more efficient due to the overlap.
  4. PCI DSS: HITRUST also incorporates many PCI DSS controls, especially around endpoint protection and other technology-related security measures, making it easier to meet PCI compliance if you’re already HITRUST-certified.

HITRUST's comprehensive nature and the fact that it addresses a broad range of cybersecurity, privacy, and risk management domains mean that it provides a great foundation for achieving a variety of other certifications.

What happens if I have significant changes after completing my HITRUST validation?

If your organization undergoes significant changes after completing a HITRUST validation (such as changes in technology, processes, or business structure), here's what you need to do:

  1. Notify HITRUST: Significant changes should be communicated to HITRUST to ensure they're aware of the modifications.
  2. Reassessment: If the changes are substantial enough, you may need to undergo a reassessment. This means evaluating the new changes in light of HITRUST's controls and ensuring they still meet the standards.
  3. Document and Submit: The changes must be documented and submitted to HITRUST for review. While you might not need to start from scratch, the changes need to be thoroughly assessed and incorporated into the certification.
  4. Involve HITRUST Early: If you're undergoing a major change like a merger or acquisition, it's critical to involve HITRUST early in the process. HITRUST will provide authoritative guidance on how to proceed and whether a full reassessment is needed.

It's important to work closely with HITRUST in such situations to avoid missteps and ensure compliance with the standards. Consulting with HITRUST directly helps clarify what specific changes will trigger reassessments or additional validation.
