Book a Demo

A Comprehensive Guide to Achieving HITRUST Certification for Healthcare Organizations

Report by FortifyData

In an era where data breaches and supply chain attacks are increasingly prevalent, demonstrating robust security practices is paramount. HITRUST, established in 2007, offers a structured approach to cybersecurity assurance through its Common Security Framework (CSF) and validated assessments. HITRUST (Health Information Trust Alliance), is a widely recognized and rigorous certification designed to help organizations manage risk and comply with industry standards.

Achieving HITRUST certification demonstrates a healthcare organization’s commitment to data security and provides assurances to patients, partners, and regulators. However, navigating the path to HITRUST certification can be daunting without the right guidance and tools.

This comprehensive guide will walk you through the key steps, best practices, and resources required to achieve HITRUST certification. Additionally, we’ll highlight how platforms like FortifyData can streamline the process by providing automated assessments, risk identification, and ongoing compliance monitoring.

Read the report guide or Download the PDF.

Download PDF
Guide to achieving Hitrust Certification

What is HITRUST and Why is it Important?

HITRUST is a certifiable framework that integrates various security, privacy, and regulatory requirements into a single comprehensive framework known as the HITRUST CSF (Common Security Framework). The CSF harmonizes multiple regulations and standards, including HIPAA, ISO, NIST, COBIT, and PCI-DSS, allowing healthcare organizations to address multiple compliance requirements simultaneously.

Less than 1% (0.64%) of organizations that achieved HITRUST certifications have reported a security breach to HITRUST in the past two years.


Source: HITRUST 2024 Trust Report

Key Benefits of HITRUST Certification:

John Houston, VP of Information Security at UPMC had this to say about HITRUST certification:

“That shows you how well-respected HITRUST is in our industry. We’ve been committed to HITRUST for a long time and find great value in using the framework to make sure our IT systems protect the sensitive information of the organization and our patients. In addition to assessing current vendors and getting them to agree to be HITRUST certified for security and compliance, we needed to evaluate new vendors. Our main focus initially was to make certification a requirement for entry into our vendor environment.

  1. Demonstrated Commitment to Security: Proves that the organization takes patient data protection seriously.
  2. Regulatory Alignment: Ensures compliance with key regulations such as HIPAA, GDPR, and more.
  3. Risk Reduction: Enhances the organization’s ability to identify, assess, and mitigate risks.
  4. Competitive Advantage: Builds trust with stakeholders, partners, and customers.

 

Additionally, organizations are making HITRUST certification a requirement of their vendor compliance program. Being ‘in-progress’ or having achieved HITRUST certification strengthens the supply chain against cyber incidents through the use of a shared certification process.

Steps to Achieve HITRUST Certification

HITRUST Certification Options: Tailored to Your Needs

HITRUST offers a suite of assessments and certifications—e1, i1, and r2—designed to accommodate organizations of varying sizes and risk profiles. These assessments, all built upon the HITRUST CSF, allow organizations to leverage previous efforts as they progress towards higher levels of assurance. Additionally, organizations can benefit from inheriting controls from certified cloud service providers, streamlining their compliance journey.

Marc Ennico, Director of GRC, Sequential Tech had this to say about starting with an e1 assessment and progressing to an i1 assessment with a dual goal to enter the healthcare market with confidence and protect sensitive data according to a recognized and accepted framework, HITRUST.

HITRUST Assessment and Certification Options (As of February 2025):

 

HITRUST e1 (1-year Validated Assessment):

  • Ideal for startups and organizations with lower risk profiles.
  • Focuses on foundational information security practices, covering 44 fundamental security controls.
  • Provides a stepping stone towards more advanced certifications.

 

HITRUST i1 (1-year Validated Assessment):

  • Suited for organizations with established security programs demonstrating leading security practices.
  • Offers a higher level of assurance than e1, incorporating a broader range of controls.
  • Serves as a pathway to r2 certification.

 

HITRUST r2 (2-year Validated Assessment):

  • Designed for organizations requiring stringent regulatory compliance, such as HIPAA and NIST CSF.
  • Accommodates tailored controls based on specific risk factors.
  • Provides the highest level of assurance through a comprehensive and rigorous assessment.

 

HITRUST AI Risk Management Assessment:

  • Provides in-depth insights into AI risk management, aligned with ISO 23894 and NIST AI RMF.
  • Covers 51 relevant AI risk management controls.

 

HITRUST AI Security Assessment and Certification:

  • Equips AI platforms and service providers with practical security controls.
  • Supports shared responsibility inheritance.
  • Can be paired with e1, i1, or r2 for formal AI security certification.

Key Differences Between HITRUST Certification Options:

  • Scoping: e1 and i1 use static control sets, while r2’s scope is tailored to organizational risk.
  • Maturity Levels: e1 and i1 focus on control implementation, while r2 assesses five maturity levels: policy, procedure, implemented, measured, and managed.
  • Certification Duration: e1 and i1 offer one-year certifications, while r2 provides two-year certifications with an interim assessment.
  • Recertification: The i1 has a rapid recertification option, while the e1 does not.
  • AI Security: The AI Security assessment can be paired with the other assessments to produce an AI security certification.

HITRUST certifications offer a valuable framework for organizations seeking to demonstrate their commitment to cybersecurity. By choosing the appropriate certification level, organizations can effectively manage their risk and build trust with stakeholders.

1. Identify and Define the Scope

Determining the scope of HITRUST certification is a critical step. This involves identifying which systems, processes, and data assets need to be included. The scope should encompass all areas where protected health information (PHI) is processed, stored, or transmitted. You’ll also decide which HITRUST assessment—e1, i1, or r2—is most appropriate for your organization’s needs and risk profile. This scoping can be conducted with the assistance of an approved third-party assessor or an internal subject matter expert.

Best Practices:

  • Include all critical assets and systems that handle PHI.
  • Ensure that third-party vendors and partners are considered, as they may impact your security posture.
  • Leverage asset discovery tools to ensure comprehensive scoping.

2. Conduct a Readiness Assessment

Before embarking on the HITRUST certification journey, it’s essential to understand where your organization currently stands in terms of security and compliance. A readiness assessment helps identify gaps in your existing security posture and provides a roadmap for remediation in addition to identifying overlap opportunities from existing investments in other compliance certification efforts (PCI, ISO, NIST, etc.).

How FortifyData Can Help: FortifyData’s platform offers an automated readiness assessment that maps your current security controls against HITRUST CSF requirements, identifying gaps and providing actionable insights to close them.

3. Implement Required Controls, Policies and Procedures

HITRUST CSF includes 19 domains and over 150 controls, depending on your chosen implementation level. You must have policies and procedures in place that address at least 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a scale from 1-5) for each control domain to earn HITRUST r2 certification. The HITRUST CSF control domains are:

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Security
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging and Monitoring
  13. Education, Training, and Awareness
  14. Third-Party Assurance
  15. Incident Management
  16. Business Continuity and Disaster Recovery
  17. Risk Management
  18. Physical and Environmental Security
  19. Data Protection and Privacy

The framework categorizes controls into three levels based on risk and organizational size. Level 1 includes baseline controls, while Levels 2 and 3 require more rigorous implementations.

 

Key Areas to Focus On:

  • Access Control: Implement role-based access and least privilege.
  • Incident Response: Develop and regularly test incident response plans.
  • Data Encryption: Ensure encryption of data both at rest and in transit.
  • Audit Logging: Implement centralized logging and monitoring.

4. Conduct a Self-Assessment or Engage an External Assessor

Once controls are in place, organizations must conduct a self-assessment or engage a HITRUST-approved external assessor to validate compliance. Your assessor (whether internal subject matter expert our third-party assessor) will perform tests to understand your organization’s environment and data flows, identifying any potential security gaps. These gaps are then prioritized based on risk level, providing you with a clear roadmap for remediation prior to the validated assessment.

FortifyData’s Value: FortifyData’s automated control assessment feature simplifies the self-assessment process by continuously evaluating your security posture against HITRUST CSF requirements.

5. Perform a HITRUST Validated Assessment

The validated assessment, whether e1, i1, or r2, involves a thorough review and validation of your organization’s security controls by the assessor. Once completed, the assessor submits the final assessment to HITRUST for approval. HITRUST’s quality assurance (QA) process, which can take four to ten weeks depending on the assessment type and assessor responsiveness, determines whether certification is granted.

Tips for Success:

  • Ensure all documentation is complete and up-to-date.
  • Conduct internal audits to verify that all controls are functioning properly before engaging the external assessor.
  • Address any identified gaps promptly.

6. Completing an Interim Assessment (r2 Only)

For organizations achieving r2 certification, an interim assessment is required at the one-year mark to maintain certification. This assessment ensures ongoing compliance and security effectiveness. It’s important to note that interim assessments are not required for e1 or i1 certifications.

7. Remediation and Continuous Improvement

If gaps or deficiencies are identified during the validated assessment, remediation is required. Once remediation is complete, the assessor will verify the fixes, and the certification process can proceed.

Continuous Monitoring: Achieving HITRUST certification is not a one-time effort. Continuous monitoring and periodic assessments are necessary to maintain certification and ensure ongoing compliance. HITRUST is moving towards a model of “Continuous Assurance,” which emphasizes ongoing monitoring of security controls rather than just point-in-time assessments to maintain a proactive and robust posture against cyber threats.   This reflects the reality of the dynamic threat landscape, where security postures can change rapidly.

FortifyData’s Role: FortifyData enables continuous monitoring by providing real-time visibility into your security posture, automating risk assessments, and alerting you to potential issues before they become critical.

8. Receiving HITRUST Certification

HITRUST Assurance and Compliance teams will review your Validated Assessment and, assuming a passing score, will issue your HITRUST Certification. The HITRUST Assurance Program provides prescriptive methodology and granular oversight to ensure the consistency and quality of all HITRUST Assessments.

Receive your HITRUST Letter of Certification, which is valid for two years with an r2 Assessment and one year with an i1 Assessment or e1 Assessment. Maintain your r2 Certification by completing an interim assessment at the one-year mark. Since the i1 and e1 Certifications are valid for one year, recertification is required annually.

Download PDF

Common Challenges in Achieving HITRUST Certification

1. Complexity of Controls: HITRUST CSF encompasses a wide range of controls, which can be overwhelming without proper guidance.

  • Solution: Break down the implementation into manageable phases and use automated platforms to streamline control validation.

2. Documented Policies and Procedures: HITRUST will look extensively at the policies and procedures in place as a foundational element for cybersecurity and risk management at the organization to meet certification requirements.

3. Resource Constraints: Many healthcare organizations lack the resources to dedicate to HITRUST compliance.

– Solution: Consider leveraging third-party platforms like FortifyData to reduce the burden on internal teams.

4. Third-Party Risk: Vendors and partners often introduce risk, making it challenging to ensure compliance across the board.

  • Solution: Use third-party risk management solutions to continuously monitor vendor security postures in addition to exploring contract language that third parties also achieve HITRUST certification.

5. Investment Buy-In: Expect HITRUST certification costs to fall between $40,000 and $200,000, varying based on your organization’s size, risk, and assessment scope. More controls and a larger environment mean higher costs.

  • While self-assessments are cheaper, they don’t provide the third-party validation of a full HITRUST assessment.

Best Practices for Achieving and Maintaining HITRUST Certification

Leverage Automation: Use platforms like FortifyData to automate assessments, manage evidence, and monitor risks.

 

Engage Leadership: Ensure that executive leadership understands the value of HITRUST certification and provides the necessary support.

 

Create a Cross-Functional Team: Involve IT, security, compliance, and legal teams to ensure comprehensive coverage.

 

Stay Current: Regularly review HITRUST CSF updates and adjust your controls as needed.

 

Invest in Training: Ensure that your team is well-versed in HITRUST requirements and best practices.

Achieving HITRUST certification is a significant undertaking, but it is essential for healthcare organizations aiming to strengthen their cybersecurity posture and demonstrate compliance with industry regulations. By following the steps outlined in this guide and leveraging advanced tools like FortifyData, organizations can streamline the certification process, reduce risks, and maintain a robust security posture.

FortifyData supports organizations at every stage of the HITRUST journey; from readiness gap analysis through validated assessment preparation, interim assessment maintenance, and the continuous monitoring that HITRUST’s move toward Continuous Assurance requires. The platform automates control assessments against HITRUST CSF requirements, manages evidence collection, tracks remediation progress, and provides real-time visibility into security posture changes that affect your certification status. For organizations managing HITRUST alongside HIPAA compliance and third-party risk oversight, FortifyData consolidates those programs in a single platform rather than requiring separate tools for each workstream.

Frequently asked questions about HITRUST certification

What is HITRUST certification and why do healthcare organizations need it?

HITRUST certification validates that an organization has implemented and maintains the security controls defined in the HITRUST Common Security Framework, which harmonizes requirements from HIPAA, ISO, NIST, COBIT, PCI-DSS, and other standards into a single certifiable framework. Healthcare organizations pursue HITRUST certification to demonstrate a credible, third-party-validated commitment to data security — both to regulators and to business partners who increasingly require it as a condition of doing business. Less than 1% of organizations that have achieved HITRUST certification have reported a security breach to HITRUST in the past two years, according to the HITRUST 2024 Trust Report, which reflects the program’s effectiveness as a security posture signal.

What are the different HITRUST certification levels and which one is right for my organization?

HITRUST offers three primary certification levels — e1, i1, and r2 — designed for organizations of different sizes, risk profiles, and maturity levels. The e1 is a one-year validated assessment covering 44 foundational security controls, suited for startups and lower-risk organizations entering the healthcare market. The i1 is also a one-year assessment offering a higher level of assurance with a broader control set, suited for organizations with established security programs. The r2 is the most rigorous option, a two-year validated assessment with tailored controls based on specific risk factors, required for organizations needing stringent regulatory compliance. Many organizations start with an e1 or i1 assessment and progress to a higher level on annual or biennial cycles as their security program matures — this staged approach allows organizations to enter the market with a credible certification while building toward the higher assurance level their partners or regulators may eventually require.

How long does it take to achieve HITRUST certification?

The timeline varies significantly based on the certification level pursued and the organization’s current security posture. The readiness assessment and gap remediation phase typically takes three to six months depending on the number and complexity of gaps identified. The validated assessment itself, once completed by the assessor, goes through HITRUST’s quality assurance process which can take four to ten weeks depending on the assessment type and assessor responsiveness. Organizations with mature security programs and strong documentation may move faster. Those starting from a lower baseline should plan for a 9-18 month timeline from initial scoping to receiving the Letter of Certification for an r2 assessment.

How much does HITRUST certification cost?

HITRUST certification costs typically range from $40,000 to $200,000, varying based on organization size, risk profile, assessment scope, and the certification level pursued. Larger environments with more systems in scope and more controls to assess cost more. The assessor fees, internal staff time, remediation costs for identified gaps, and any technology investments required to meet control requirements all contribute to the total. Self-assessments cost less than validated assessments but do not provide the third-party validation that business partners and regulators recognize. Organizations should also budget for ongoing maintenance costs — interim assessments for r2 certifications and annual recertification for e1 and i1.

What is the difference between a HITRUST self-assessment and a validated assessment?

A HITRUST self-assessment is conducted internally by the organization and provides a view of current security posture against HITRUST CSF requirements without external validation. It is useful for readiness evaluation and gap identification but does not produce a HITRUST certification. A validated assessment is conducted by a HITRUST-approved external assessor who verifies the organization’s controls through testing and documentation review, then submits findings to HITRUST for quality assurance review. Only validated assessments produce HITRUST certification. Most business partners and health systems requiring HITRUST certification specifically require the validated assessment result, not a self-assessment.

How does HITRUST certification relate to HIPAA compliance?

HITRUST CSF incorporates HIPAA Security Rule requirements within its control framework, meaning an organization that achieves HITRUST certification has demonstrated compliance with HIPAA security requirements as part of the certification process. However, the two are not identical — HITRUST is more prescriptive and more rigorous than HIPAA’s minimum requirements, and HITRUST certification does not guarantee full HIPAA compliance in areas beyond the Security Rule, such as Privacy Rule obligations. For most healthcare organizations, achieving HITRUST r2 certification provides a stronger and more defensible demonstration of HIPAA Security Rule compliance than a self-conducted risk assessment, because it involves third-party validation of control implementation rather than self-attestation.

FortifyData: One Platform, Total Visibility, Continuous Protection

For healthcare organizations managing HITRUST alongside broader cyber risk and HIPAA compliance requirements, see how FortifyData approaches healthcare cyber risk management.

FortifyData is a leading automated Cyber GRC and continuous cyber risk monitoring platform that empowers clients to reduce their cyber risk. By consolidating tools and providing a unified view of integrated security data and compliance, FortifyData offers continuous monitoring and automation, acting as a force multiplier for security and compliance teams and significantly improving cybersecurity posture.

FortifyData’s platform helps hospitals and healthcare organizations to prevent breaches, defend patient data, and meet security expectations and requirements while streamlining and rationalizing cybersecurity investments.

FortifyData dashboard 2026

Have questions about this white paper or want to see a demo?

Reach out to FortifyData to discuss your organization’s approach and needs.