How to Get HITRUST Certified: 4 Steps
Have you ever picked out a hike in the mountains, but once you arrive at the base and look up, you think to yourself, “oh man, I have to climb that?” Your enthusiasm might bleed away a little bit.
Just like it probably does after you look up the HITRUST CSF Framework and find a 600+ page PDF file. Yes, you need to be HITRUST certified, but that is a lot of information to get familiar with for a compliance assessment.
But when you’re looking up at that mountain and doubting, there are things you can equip yourself with to make the ascent easier—hiking poles, good boots, and an ample supply of water. With HITRUST, you can equip yourself with information, and as both HITRUST assessors who perform these audits and members of the HITRUST Authorized External Assessor Council, we’re going to provide it to you.
In this article, we’ll delve into what the audit process looks like when you’re getting HITRUST certified. If your assessment is a mountain hike, think of this as us carving a trail up and providing a map. That way, you’ll know what to expect, making your journey to this summit easier.
What is the HITRUST Certification Process?
HITRUST is unique in that it looks different for every organization because, of those 600+ pages, everyone has a different scope that determines what requirements they must adhere to be certified.
Let’s explore how to decide your scope and how you can complete the full HITRUST certification process.
1. Get Access to HITRUST myCSF Portal and Determine Your Requirements.
Technically, the first thing you’ll need to do is decide what type of assessment you want—security or privacy. (Most of our clients opt for the former.)
Once you’ve decided that, you’ll need to enter in the details on myCSF—things like your number of records held, number of transactions processed daily, and more. The way you answer this slew of questions will determine the respective implementation requirements that you’ll need to adhere to in order to be HITRUST certified.
Essentially, your answers will parse down those aforementioned 600+ pages into your individual scope.
You can work with an external assessor for this step, which we recommend. Assessors, and their more intimate knowledge of the framework, can help you pinpoint your requirements more accurately so that you avoid making your assessment larger than it needs to be.
To further illustrate this, take one of the assessment factor questions we mentioned before—the number of records held. Whether your answer is a high number or a low number can mean the difference between adding 150-200 implementation requirements to your certification, making it that much more important to understand what counts and what doesn’t.
2. Create Your Narrative in myCSF and Self-Score.
You'll also work with your assessor during this step, where you’ll create your narrative in my CSF and this will include the requirements you’re set to be evaluated against—however many there are, they’ll be spread across 19 domains. At this point you’ll score yourself as to how well you meet them by choosing from five different maturity levels:
- Policy
- Procedure
- Implemented
- Measured
- Managed
The latter two areas of “measured” and “managed” are very rarely scored, especially for those going through HITRUST certification for the first time. The good news is that you don't need to score in those areas to get successfully certified—focusing on getting policy, procedure, and implemented will still work and that'll likely be the most sustainable way to get certified initially.
3. Undergo the External Audit.
Similar to other assessments, you’ll need to work with your assessor on your timeline and complete the necessary planning. And really, the actual HITRUST audit is also similar to others you might be more used to, like SOC or PCI—your third-party assessor will request evidence that you’ll need to provide.
With your initial self-scoring done, your assessor will then determine if they agree or disagree with your choices based on the evidence you provide of your implementations.
However, with HITRUST, you don’t have to be 100% with every single requirement with which you’ve been asked to comply. Here’s what we mean:
- Say you have 290 implementation requirements in scope, and these are spread across 19 different domains. In order to be high trust certified, you have to score a 3 or higher in each of those 19 domains.
- During your planning period, you might realize that there are certain requirements that you just don't have the time or the resources to put into place initially—maybe they're in a domain that has 45 other implementation requirements.
- As long as you get to that average score of a three for the domain, you can take gaps for those hard-to-address requirements.
But once the assessor has concluded their evaluation, they’ll upload the evidence to myCSF before submitting it to HITRUST who will then choose whether issue your certificate.
4. Wait on HITRUST’s Quality Assurance Review & Approval.
It’s not a done deal once things are submitted to HITRUST, because 2-3 weeks after the end of your assessment, they’ll perform a quality assurance review that’ll involve choosing a series of relevant requirements to evaluate how your external assessor performed.
It’s important to bear in mind that just because your external assessor scores you for certification, you still may not get it if HITRUST finds that your assessment was not performed to standard and they disagree with some of the scores. (Particularly with HITRUST, a lot rests on the reputation of your chosen external assessor so make sure you choose the right one for you.)
Depending on what HITRUST finds, there may be some back-and-forth with your assessor for some follow-up questions, but once that's complete and they approve your assessment, they’ll send you a draft report through the myCSF portal.
You’ll then review, provide feedback, and approve that before HITRUST then issues the final report—your initial certification.
Next Steps for HITRUST Certification
Once you do become HITRUST certified, you’ll begin your two-year certification cycle that will involve both:
- Completing an annual interim assessment, which will examine just one chosen implementation requirement from each of the domains; and
- Fulfilling any corrective action plans (CAPs) from your initial assessment, i.e., strengthening any requirements where you scored below a 3+.
* This does not have to mean everything “fully implemented”—corrective action plans generally just require that some progress has been made toward that goal.
All that will need to be done before the first anniversary of your initial certification date, or you risk HITRUST revoking your certificate. At the end of the full two-year cycle, you’ll restart this entire process—steps 1-5, plus the interim assessment and CAPs—all over again.
Now that you know what steps must be taken to become HITRUST certified, you’re that much closer to climbing this mountain and providing assurance to your customers. But if you find that you still have questions about what is a very unique framework, please contact us so that our team of experts can further clarify your path forward to certification.
About DOUG KANNEY
Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.