Article
Compliance steps for success: Preparing for your HITRUST® external assessment
Feb. 18, 2025 · Authored by Emily Di Nardo, Sam Boterman, Nicole Kramer
Why select HITRUST for your compliance needs?
HITRUST is a comprehensive cybersecurity framework designed to help organizations manage and protect sensitive information. The framework integrates various security, privacy, and regulatory requirements from multiple existing standards and regulations, such as Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), National Institute of Standards and Technology (NIST) and Payment Card Industry Data Security Standard (PCI DSS), simplifying the compliance process and reducing the complexity of managing multiple requirements.
Powered by the HITRUST CSF® at its core, HITRUST provides organizations with a certifiable set of controls to help ensure compliance within a wide range of regulatory and industry standards, making it particularly useful for highly regulated industries like healthcare, financial services and defense.
HITRUST is widely recognized for its rigorous controls and structured approach to risk management. When using HITRUST, organizations can more proactively identify and mitigate security risks, which in turn serves to enhance overall security posture and credibility with stakeholders.
While no framework can guarantee absolute security, HITRUST-certified organizations have a significantly lower breach rate: only 0.59% [1] reported breaches in 2024, clearly demonstrating the effectiveness of HITRUST in reducing the likelihood and impact of security incidents.
The following programs recognize HITRUST certification as an independent assessment:
- Microsoft Supplier Security and Privacy Assurance (SSPA): If a supplier is a healthcare provider in the United States or covered entity, Microsoft accepts a HITRUST report for privacy and security coverage.
- Trusted Exchange Framework and Common Agreement (TEFCA): The TEFCA Recognized Coordinating Entity (RCE) – The Sequoia Project – has selected HITRUST and the HITRUST Risk-based, two-year (r2) Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements for their Qualified Health Information Network (QHIN) designation. HITRUST is also available to support TEFCA participants and sub-participants in the security of TEFCA Information (TI) under the framework agreements
HITRUST integration with other compliance work
HITRUST certification allows you to save time and avoid frustration. This proprietary matrix streamlines multiple compliance efforts through one universal control framework. The result? Reduced need for multiple, separate audits and a “test once, use many” audit approach, which leverages a process or system control test to support assessments across multiple related departments or timeframes within an audit.
HITRUST is compatible with many common key frameworks, including:
- ISO/IEC 27001 and 27002: International standards for information security management systems
- NIST SP 800-53: A set of guidelines for federal information systems
- HIPAA: Health Insurance Portability and Accountability Act, which sets the standard for protecting sensitive patient data
- PCI-DSS: Payment Card Industry Data Security Standard, which ensures secure handling of credit card information
- GDPR: General Data Protection Regulation, which governs data protection and privacy in the European Union
- SOC 2®: A set of standards developed by the AICPA focusing on the following Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy
The list below will help you confirm HITRUST CSF is compatible with providing a single universal point of control for your organization’s current frameworks.
All-inclusive authoritative sources included in the HITRUST Framework (HITRUST CSF) Version 11.4 [2]
| 1 TAC 15 390.2 | 16 CFR 314 | 16 CFR 681 | 201 CMR 17.00 |
| 21 CFR 11 | 23 NYCRR 500 Second Amendment | 45 CFR HIPAA.BN | 45 CFR HIPAA.PR |
| 45 CFR HIPAA.SR | AICPA TSP 100 | APEC | CCPA 1798 |
| CIS Controls v8 | CMMC | CMS ARS v5.1 | COBIT 5 |
| CSA CSM v4 | DORA | EU GDPR | FedRAMP (r5) |
| FFIEC IS | FFIEC CAT | FISMA | HHS Cybersecurity Performance Goals |
| HICP 2023 | HITRUST De-ID Framework v1 | IRS Pub 1075 (2021) | ISO/IEC 23894:2023 |
| ISO/IEC 27001:2022 | ISO/IEC 27002:2022 | ISO/IEC 27799:2016 | ISO/IEC 29100:2011 |
| ISO/IEC 29151:2017 | ISO 31000:2018 | MARS-E v2.2 | MITRE ATLAS |
| NAIC 668 | NIST AI RMF 1.0 | NIST CSF 2.0 | NIST Cybersecurity Framework v1.1 |
| NIST SP 800-53 R4 | NIST SP 800-53 R5 | NIST SP 800-171 R2 | NIST SP 800-171 R3 |
| NRS 603A | NY OHIP Moderate-Plus Security Baseline v5.0 | OCR Audit Protocol (2016) | OCR Guidance for Unsecured PHI |
| OECD Privacy Framework | OWASP AI Exchange | OWASP ML Top 10 | PCI DSSv4 |
| PDPA | PHIPA | SCIDSA 4655 | State Ramp r5 |
| TJC | Texas Medical Records Privacy Act | TXRAMP r5 | VA Directive 6500 |
Compliance steps for success: Preparing for your HITRUST external assessment
Take the guesswork out of getting started. Set your organization on the path to HITRUST assessment success with these five steps:
Executive buy-in is vital for HITRUST compliance. Your organization should engage executives early to promote a culture of security and compliance across the organization, align HITRUST goals with strategic objectives and ensure ample resources, both financial and human, are allocated.
Before starting your HITRUST compliance process, you should appoint a HITRUST Project Manager (PM) or liaison to oversee security and compliance efforts. This individual will be responsible for assembling a team of security experts, coordinating HITRUST engagement and managing evidence collection. Also, you should clearly define the roles and responsibilities of all employees and security teams, including incident response and endpoint management teams, from the beginning.
The HITRUST PM or liaison should meet with leadership, stakeholders and personnel handling sensitive information to establish key security policies and procedures following relevant regulations. They must identify security gaps, use appropriate tools, plan the project and document each step thoroughly. HITRUST advises appointing a PM or liaison at least two months before the audit.
Organizations may opt for their HITRUST PM or liaisons to attend CCSFP training and obtain certification in the HITRUST framework due to its comprehensive methodology and scoring. This certification can also enable certified individuals to act as internal assessors.
As with any compliance assessment, define your scope at the outset, delineating the systems and supporting infrastructure to be evaluated under the HITRUST framework audit. Without a clear directive, it can be a challenging task. Begin by reviewing these areas of focus:
- Business units/user entities: Evaluate each business unit to understand the types of data being handled and the systems in use
- Infrastructure: Identify critical systems within your organization that house or transmit sensitive data. Once the relevant business units and systems are identified, trace supporting infrastructure throughout the entire IT stack to identify key sub-service organizations
- Contractual requirements: Examine related contractual commitments with user entities to determine the regulatory factors formally defined as requirements
- Regulatory factors: Consider other pertinent compliance timelines in the organization (SOC, HIPAA, NIST, etc.) to prepare a comprehensive compliance scope across these frameworks
Upon determining business units and systems for the audit, you’ll want to document your organization’s life cycle of sensitive information, including data flows and classification. At this juncture, it is advisable to engage a certified HITRUST external assessor as clients are recommended to begin collaborating with their external HITRUST assessor during the scoping exercise.
Collaborating with your external HITRUST assessor will not only assist in determining the landscape and ensuring critical components, including systems and regulatory factors, are appropriately included, but also will significantly enhance crucial understanding of your organization’s HITRUST maturity when selecting the appropriate assessment. At Baker Tilly, our extensive experience with complex clients and environments provides valuable insights into these processes.
After defining the scope, the next step is to assess your organization’s readiness against the HITRUST framework. The purpose of a readiness assessment is to evaluate your organization's current security posture in relation to the HITRUST CSF and identify any gaps in security practices as they relate to the controls.
A comprehensive readiness assessment should include a review of policies and procedures. For an r2 assessment, each HITRUST control must have a corresponding policy and procedure. However, for i1 or e1 assessments, only a limited number of controls require specific policies and procedures, focusing solely on evidence-based implementation. As you identify gaps from your readiness assessment, it will become clear what additional technical testing may be needed, such as vulnerability scanning and penetration testing. It is advisable to consult with your external assessor for the best practice recommendations on addressing gaps identified during the readiness assessment.
At Baker Tilly, we are commonly asked when concluding the post-analysis readiness assessment: “How quickly can I get certified?” It may seem simple, but the answer depends on many factors: assessment type, scoping, number of identified gaps, etc. Most organizations require six months to a year to complete the scoping process, readiness assessment and certification. To maximize efficiency, you should work closely with your external assessor to develop a timeline and discuss the dependencies of achieving certification.
Upon completion of the readiness assessment, your organization should be left with a number of gaps and associated recommendations for remediation, giving your project coordinator a roadmap to successful implementation.
HITRUST requires a minimum of 90 days, a bake-in period, following a major implementation before your organization may begin the validation assessment toward certification. Your external assessor will engage with you through a detailed process of gathering evidence, conducting walkthroughs, testing and analyzing evidence and making conclusions on the scoring of the controls. Provided all goes well, your external assessor should conclude your organization is at a threshold to pass for certification and will submit your assessment to HITRUST for their review and final decision.
Baker Tilly is an authorized HITRUST Authorized External Assessor firm. Our team of cybersecurity professionals can guide your organization through all stages of HITRUST and other framework assessments. We employ a unique method of recycling and reusing collected and tested evidence, enabling Baker Tilly to conduct a single assessment that can be reported across multiple frameworks. This approach reduces the effort required for evidence collection and associated costs when combining these efforts.
[1] HITRUST (HITRUST's Inaugural Trust Report) (Feb. 20, 2025)
[2] HITRUST (HITRUST Announces the Release of Version 11.4.0 of the HITRUST Framework (HITRUST CSF®)) (Dec. 6, 2024)
Related sections
Next up