Published on: Jul 28, 2022
Managing Risk and Compliance with HITRUST CSF
Although HITRUST CSF is very popular in the healthcare industry, many other organizations are implementing this framework too.
Why?
Because it's a risk and compliance-based framework that boosts overall efficiency and data protection, which is essential for every organization.
Is HITRUST the right framework for you?
This simple guide will help you understand what HITRUST is, its structure, certification process and, more importantly, if you should adopt this framework or not.
Let's get started!
HITRUST Cybersecurity Framework
The proliferation of technology left governments and regulators scrambling to develop data privacy and information security regulations. Unfortunately, due to their rapid development, many of these newly created regulations, like the Health Insurance Portability and Accountability Act (HIPAA), contained non-descript requirements open to interpretation. Consequently, this lack of clarity leaves potential gaps in information security programs across the country.
To minimize the confusion around HIPAA compliance, The Health Information Trust Alliance (HITRUST) initially established their cybersecurity framework to provide clarity to healthcare organizations regarding HIPAA compliance. As a result, organizations have since adapted HITRUST CSF to include nationally and internationally accepted security and privacy-related regulations, standards, and frameworks.
Some examples are ISO, NIST, PCI and COBIT.
What is HITRUST CSF?
HITRUST CSF plays a pivotal role in the healthcare industry. Therefore, other sectors that need to manage and safeguard sensitive data have adopted it too. Also, due to a global need for information security, organizations striving to comply with numerous regulations focus on implementing a HITRUST CSF compliant program.
Additionally, companies can improve overall efficiency and boost data protection levels by following the best practices prescribed by HITRUST CSF.
HITRUST CSF is both a risk and compliance-based framework. Moreover, it contains a comprehensive set of controls that help with:

Who should adopt HITRUST CSF?
HITRUST simplifies the data security assessment and attestation process for covered entities, including:
Healthcare providers such as doctors, dentists, and nurses.
Establishments or entities like urgent care clinics, nursing homes, hospitals, pharmacies, and their associates.
Indeed, many healthcare organizations require their vendors to be HITRUST CSF compliant and only open their doors to trustworthy vendors. Therefore, businesses that intend to work with major healthcare organizations will likely need to be HITRUST certified.
Information security is not an industry-specific issue. For instance, many organizations outside of healthcare require some assurance and are working towards HITRUST CSF compliance.
Why is this happening?
Because it is an amalgamation of best practices drawn from standards like ISO, NIST and PCI DSS.
Is HITRUST Considered an International Standard?
While HITRUST CSF originated in the United States, it has evolved into a globally recognized framework. This evolution is largely due to the way HITRUST incorporates a variety of international regulations and standards—such as the General Data Protection Regulation (GDPR) for Europe and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework—into its set of controls.
By aligning with these globally accepted requirements, HITRUST CSF helps organizations demonstrate compliance not just domestically, but internationally as well. This broad adoption makes it a practical solution for businesses operating across borders or managing data subject to different regional privacy laws.
HITRUST vs HIPAA
Diving into HITRUST CSF and HIPAA, you may be wondering:
How is HIPAA linked to HITRUST?
Are they compatible with each other?
If an organization is HIPAA compliant, does it need HITRUST certification also?
Which one is superior to the other?
As discussed earlier, HITRUST is a wider-reaching framework built upon best practices from other regulations and standards, including HIPAA.
HIPAA is a baseline to protect sensitive health information and ensure its accessibility. However, it is limited to medical professionals, vendors and others on a need-to-know basis. Furthermore, the scope of HIPAA is limited to only protecting patient information and does not impart any guidelines for overall information security.
On the other hand, HITRUST CSF is a cybersecurity framework that draws from different standards building upon existing regulations. In particular, HITRUST CSF unifies all the requirements outlined in HIPAA and other widely recognized acts and standards.
What is the goal of this integration of acts and standards?
To create a single comprehensive framework that any organization can work towards. HITRUST CSF comprises extracts from the following:
Control Objectives for Information and Related Technology (COBIT)
International Organization for Standardization (ISO)
Federal Trade Commission (FTC)
Centers for Medicare and Medicaid Services
National Institute of Standards and Technology (NIST)
Payment Card Industry Data Security Standard (PCI DSS)
Other federal and state entities
Particularly for healthcare, HITRUST CSF compliance ensures you are HIPAA compliant while providing greater security to confidential or sensitive patient information. In addition, it helps optimize security operations, reduces organizational risks, and addresses HIPAA's fundamental limitations in securing the flow of sensitive information.
How does HITRUST Approach Review Controls Differently?
While many security frameworks focus heavily on technical safeguards, HITRUST stands out by emphasizing both robust governance and the importance of regular review controls for ongoing protection.
For example, it’s not just about having the right tools in place—like firewalls or encryption standards—but about clearly documented policies and evidence showing these protections are consistently reviewed and updated. Rather than stopping at a high-level statement (such as "we encrypt data"), organizations must provide detailed policies that explain exactly how and where encryption is applied, both when data is at rest and as it moves across networks.
HITRUST takes it a step further with review controls. Many frameworks, including ISO and NIST, require secure configurations, but HITRUST adds a layer of accountability. It mandates that organizations not only implement controls (e.g., deploying firewalls) but also periodically review them. For instance:
Firewall Rule Reviews: Organizations must formally review and document their firewall rules at least once a year, ensuring they’re still appropriate and effective—not simply set-and-forget security.
Policy and Procedure Reviews: Documentation isn’t static. HITRUST expects that your security policies and operational procedures are not only current but also actively reviewed, updated, and approved by management regularly.
Continuous Monitoring: Beyond annual reviews, ongoing oversight of access controls, audit logs, and other key systems keeps security from falling behind evolving threats.
In short, HITRUST’s approach bridges the gap between policy and practice, requiring documented proof that review controls are more than a checkbox—they are an embedded, continuous process within your organization’s security culture.
Why Ongoing Firewall Rule Reviews Matter in HITRUST
Unlike some frameworks that only mandate the existence of technical controls, HITRUST places special emphasis on active, ongoing governance. This means it's not enough to simply put firewalls in place or claim you encrypt your data—HITRUST expects clear documentation spelling out exactly how these safeguards work in practice, and who is responsible for their oversight.
For instance, reviewing and documenting firewall rules on a regular basis—at least annually—is a requirement in HITRUST. This process isn’t just busywork. Here’s why it matters:
Keeps Your Security Current: IT environments change rapidly, whether due to staff turnover, new applications, or shifts in business direction. Old or unused firewall rules can easily become security gaps that cybercriminals love to exploit.
Ensures Consistency with Policy: By formally reviewing rules, organizations verify their settings still align with current policies, regulatory obligations, and evolving best practices from frameworks like NIST and ISO.
Enhances Accountability: Requiring documentation of each review session not only enforces a culture of responsibility, it also provides a solid paper trail for audits, client due diligence, or regulator inquiries.
Reduces Human Error: Firewall misconfigurations are a common cause of breaches. Regular reviews catch mistakes before they become vulnerabilities.
In short, HITRUST’s approach champions proactive maintenance. It transforms routine IT activities—like checking firewall rules—into essential components of your security governance program, dramatically reducing opportunities for threats to slip through the cracks.
HITRUST Structure
Instead of presenting the full range of security controls as a flat list, HITRUST organizes them into distinct domains and control objectives. Indeed, the latest version, HITRUST CSF v9.6.0, contains 14 control categories comprising 49 control objectives and 156 control specifications.
For each control, there are three levels of implementation. Level 1 is the baseline, whereas Level 3 ensures a high level of protection and includes more requirements.
Implementation Requirements provide details on the necessary controls to achieve compliance for each level. Furthermore, some requirements are industry-specific and apply to those organizations belonging to the respective industry segment.

HITRUST Scoring and Maturity Levels
So, how does HITRUST determine whether an organization meets its standards? The answer lies in its robust maturity-based scoring system, which evaluates how well each control requirement is implemented within your organization.
Each requirement is assessed across multiple maturity levels—ranging from the basics (such as having a policy in place) to ongoing management and continual improvement. For every level, your organization’s efforts are given a percentage score.
Here's a breakdown of the five compliance maturity levels:
Non-Compliant (0%)
At this stage, very little—if any—of the requirement is in place. The foundational elements might be missing or only sparingly documented.
Somewhat Compliant (25%)
There are some signs of progress, with certain compliance elements developed or partially applied. However, most aspects are still lacking or incomplete.
Partially Compliant (50%)
About half of the necessary measures are present. Organizations at this level have made notable strides but still have significant work ahead to address the remaining gaps.
Mostly Compliant (75%)
The majority of elements are established and working; just a few areas need attention. The organization is nearing full compliance but has not fully met every requirement.
Fully Compliant (100%)
Almost every facet of the requirement is thoroughly addressed, documented, and managed. In essence, the organization is meeting the highest expectations for that criterion.
These individual scores are then factored together using a weighted average—creating an overall score for each domain within the framework. The result? You gain a clear snapshot of where your organization stands, what areas require the most attention, and how close you are to achieving full HITRUST compliance.
The Three Main Types of HITRUST Assessments
To accommodate organizations of varying sizes and risk profiles, HITRUST offers three main assessment types—each designed with its own level of rigor and assurance:
HITRUST e1 Assessment (Essentials, 1-Year)
The e1 assessment serves as a streamlined entry point for organizations with lower risk exposure. It focuses on fundamental cybersecurity hygiene—think of it as covering the core basics every organization should have. The process is lighter, less demanding, and intended for groups seeking baseline assurance without the intensive scrutiny of more advanced assessments.
HITRUST i1 Assessment (Implemented, 1-Year)
Sitting in the middle, the i1 assessment targets organizations facing moderate risk. It’s built around recognized best practices, providing a more robust evaluation than e1 but without the exhaustive customization required for high-risk environments. An external assessor is needed to complete this certification, ensuring an objective review grounded in established criteria. The i1 is a go-to for those seeking a balance between thoroughness and efficiency.
HITRUST r2 Assessment (Risk-Based, 2-Year)
The r2 assessment, often referred to as the standard for “HITRUST Certification,” is the most comprehensive of the three. This option tailors requirements to the unique risks and scope of each organization—no cookie-cutter approach here. Organizations working with the r2 undergo a deep dive into their security posture, with rigorous oversight by an independent assessor. The r2 is typically chosen by entities with complex environments or significant regulatory responsibilities, as it offers the highest level of trust and assurance.
Each of these assessments is designed to match an organization's specific risk and assurance needs—ensuring flexibility for both growing startups and established enterprises looking to demonstrate their commitment to robust information security.
How Scoping Differs Across HITRUST e1, i1, and r2 Assessments
Not all HITRUST assessments are created equal—and the way requirements are determined varies depending on which assessment you choose: e1, i1, or r2.
For the e1 and i1 validated assessments, the required controls are consistent for every organization, regardless of industry or size. If you’re pursuing one of these, you can expect a predetermined set of requirements that won’t fluctuate from one company to the next. This approach keeps things simple and predictable.
The story changes when we look at the r2 validated assessment. Here, the controls you’re required to implement depend entirely on the specifics of your organization—primarily based on "scoping factors." These factors are designed to match the size and risk level of your operations. You’ll work closely with an external assessor to determine exactly which controls apply, and this scope can include variables like:
The number of sensitive records your organization holds (often measured by how many breach notifications would be necessary in a worst-case scenario).
Your organization’s industry segment and operational complexity.
As a general guide:
If you manage under 10 million sensitive records, expect around 300 controls.
Handling 10 to 60 million records bumps that up to roughly 375+ requirements.
Organizations with over 60 million records may be looking at more than 450 controls.
This dynamic approach ensures that the depth of the r2 assessment scales with your risk profile, making it much more tailored to your organization than the more uniform e1 and i1 assessments.
Understanding Risk Factors in HITRUST CSF Assessments
Now, let’s demystify the concept of risk factors within the HITRUST CSF framework, and why they matter in your path to certification.
Risk factors are the variables that determine which security requirements will apply to your organization during a HITRUST assessment. Think of them as the levers that shape the scope and rigor of your assessment, ensuring that the evaluation is tailored to your unique risk landscape—rather than a generic, one-size-fits-all checklist.
But how do these risk factors work in practice? In HITRUST’s r2 validated assessment (the more rigorous and comprehensive of the available options), several specific categories of risk factors are considered, including:
General Factors: Such as the size or complexity of your organization.
Organizational Factors: Like the industry you operate in and the types of data you handle.
Geographic Factors: Where your operations and data are located, accounting for regional legal requirements.
Technical Factors: Your technology environment, systems, and infrastructure.
Regulatory Factors: The particular regulations or standards you are subject to, from HIPAA and GDPR to PCI DSS and beyond.
Each of these factors helps determine which—and how many—requirements are relevant for your assessment. As a result, your HITRUST journey becomes highly customized, zeroing in on the controls that actually matter for your business and leaving out those that don’t make sense for your specific circumstance.
It’s worth noting that these risk factors only drive the scope of the r2 validated assessment. Less rigorous assessments, like the i1 and bC, do not utilize this dynamic risk factor tailoring, as they are intended for different assurance needs.
Understanding your unique set of risk factors is crucial, as it shapes the entire path of your assessment—and ultimately, your organization’s readiness to achieve HITRUST CSF certification.
When Are Risk Factors Applied in HITRUST Assessments?
While navigating the HITRUST certification process, it's important to understand where risk factors come into play. Risk factors are central only in the r2 validated assessment. In this more rigorous assessment, risk factors—such as organizational structure, technical complexity, industry segment, and geographic presence—help determine exactly which requirements an organization must address.
Notably, these risk factors are not a consideration in the i1 validated assessment or the bC assessment. Both i1 and bC are designed for less complex scenarios and offer a standardized, streamlined level of assurance.
To summarize:
r2 Validated Assessment: Risk factors are used to tailor requirements based on the organization’s unique characteristics.
i1 Validated Assessment & bC Assessment: Risk factors are not used; these assessments follow a more uniform set of requirements.
This distinction ensures that organizations facing greater risks or complexities are measured against a higher bar, while those with simpler profiles maintain a practical path to demonstrating security and compliance.
Understanding Maturity Levels in HITRUST Assessments
A key part of the HITRUST compliance journey is understanding how maturity levels work within their validated assessments (e1, i1, and r2). Think of maturity levels as rungs on a security ladder—the higher you go, the more robust and well-documented your controls become.
Each HITRUST assessment domain is evaluated against distinct maturity criteria. Here’s how they break down:
Policy: Do you have policies that directly address control requirements?
Procedure: Are there formal procedures in place that spell out the “who, what, when, where, and how” for each control—not just a policy, but step-by-step guidance?
Implementation: Are the requirements actually carried out in daily operations, not just on paper?
Measured: Is there evidence you’re tracking how well controls perform over time, possibly using metrics or ongoing assessments?
Managed: Are improvements and adjustments made as you monitor performance to ensure continuous enhancement?
The degree to which an organization addresses each of these areas is reflected in its score. For the comprehensive r2 assessment, each control is graded across all five maturity levels. But the focus—and the bulk of achievable points—rests on policy, procedure, and implementation (collectively accounting for 75% of the available score). The measured and managed stages, which focus on continuous monitoring and documentation, contribute the remaining 25%.
However, here’s an important tip for newcomers: Only the policy, procedure, and implementation stages are required to achieve certification in the r2 assessment. Many organizations new to HITRUST opt to omit the measured and managed levels to streamline their process.
For the e1 and i1 assessments, things are simpler: only the implementation maturity is scored, presented as a straightforward percentage.
This layered scoring approach helps organizations identify strengths, gaps, and areas for improvement—all while providing a clear pathway toward certification.
How HITRUST Scores Implementation Maturity
When it comes to implementation maturity within the HITRUST CSF, there's a structured approach to measuring how well each requirement is performed within the organization. HITRUST uses a scoring system that ranges from “Non-Compliant” to “Fully Compliant,” reflecting the degree to which each element—policy, procedure, implementation, measurement, or management—is met.
Here’s a breakdown of the scoring levels:
Non-Compliant: Few, if any, aspects of the requirement are in place.
Somewhat Compliant: A handful of elements exist, but significant gaps remain.
Partially Compliant: About half of the required elements are implemented.
Mostly Compliant: Most of the requirement's expectations have been met, though there may be minor gaps.
Fully Compliant: Virtually all aspects of the requirement are present and functioning as intended.
Each requirement receives a percentage score (0% to 100%) based on this maturity scale. These individual scores are then rolled up into a weighted average for each domain, painting a clear picture of compliance strengths and areas in need of attention.
Worth noting: Certain types of HITRUST assessments, such as the e1 and i1, focus primarily on the "implementation" part of maturity, using different minimum thresholds for certification compared to more comprehensive assessments. While policies and procedures are always important in the HITRUST universe, some assessments weigh actual implementation more heavily when measuring compliance.
By understanding how these scores are determined, organizations can better target improvements and track their progress on the path to HITRUST certification.
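To make the scoring mechanics concrete, here is an added worked example (not code from HITRUST or from this article) that models the scale above: each maturity level of a requirement is rated on the 0/25/50/75/100 scale, the levels are combined with a weighted average into a requirement score, and requirement scores are rolled up into a domain score. The page only states that policy, procedure and implementation carry 75% of the r2 score and measured plus managed the remaining 25%; the individual per-level weights below (15/20/40/10/15) and the equal weighting of requirements within a domain are assumptions, as are the sample ratings. The same functions also cover the e1/i1 case, where only the implementation level is scored.

```python
"""Worked example of HITRUST-style maturity scoring (added example, not HITRUST's own tool).

Assumptions, labelled here and in the lead-in:
  * per-level r2 weights of 15/20/40/10/15, which honour the 75/25 split the article states;
  * requirements within a domain are averaged with equal weight;
  * the sample ratings in SAMPLE_DOMAIN are constructed, not real assessment data.
"""
from typing import Dict, List, Mapping

# Rating labels mapped to the percentage scores given in the article.
RATING_SCORES: Dict[str, int] = {
    "non_compliant": 0,
    "somewhat_compliant": 25,
    "partially_compliant": 50,
    "mostly_compliant": 75,
    "fully_compliant": 100,
}

# ASSUMED per-level weights for an r2 assessment (sum to 100;
# policy+procedure+implementation = 75, measured+managed = 25).
R2_WEIGHTS: Dict[str, int] = {
    "policy": 15,
    "procedure": 20,
    "implementation": 40,
    "measured": 10,
    "managed": 15,
}

# e1 and i1 score the implementation level only.
IMPLEMENTATION_ONLY_WEIGHTS: Dict[str, int] = {"implementation": 100}


def requirement_score(ratings: Mapping[str, str], weights: Mapping[str, int]) -> float:
    """Weighted average of a requirement's per-level ratings, as a percentage.

    A level that was not assessed (e.g. measured/managed left out by a
    first-time r2 assessee) is treated as non_compliant, so with the assumed
    weights such a requirement can score at most 75%.
    """
    total_weight = sum(weights.values())
    weighted = 0
    for level, weight in weights.items():
        label = ratings.get(level, "non_compliant")
        if label not in RATING_SCORES:
            raise ValueError(f"unknown rating {label!r} for level {level!r}")
        weighted += weight * RATING_SCORES[label]
    return weighted / total_weight


def domain_score(requirements: List[Mapping[str, str]], weights: Mapping[str, int]) -> float:
    """Roll requirement scores up into a domain score (equal weight per requirement, assumed)."""
    if not requirements:
        raise ValueError("a domain needs at least one requirement")
    scores = [requirement_score(r, weights) for r in requirements]
    return sum(scores) / len(scores)


def requirements_below(requirements: List[Mapping[str, str]],
                       weights: Mapping[str, int], threshold: float) -> List[int]:
    """Indices of requirements scoring under a chosen threshold; useful for gap lists.

    The article mentions that assessment types use different minimum
    thresholds but gives no numbers, so the threshold is a caller-supplied parameter.
    """
    return [i for i, r in enumerate(requirements)
            if requirement_score(r, weights) < threshold]


# Constructed sample domain with two requirements. The first omits the
# measured and managed levels, as many first-time r2 assessees do.
SAMPLE_DOMAIN: List[Dict[str, str]] = [
    {"policy": "fully_compliant", "procedure": "fully_compliant",
     "implementation": "mostly_compliant"},
    {"policy": "fully_compliant", "procedure": "fully_compliant",
     "implementation": "fully_compliant", "measured": "fully_compliant",
     "managed": "fully_compliant"},
]


if __name__ == "__main__":
    for name, weights in (("r2 (assumed weights)", R2_WEIGHTS),
                          ("e1/i1 (implementation only)", IMPLEMENTATION_ONLY_WEIGHTS)):
        per_req = [requirement_score(r, weights) for r in SAMPLE_DOMAIN]
        print(f"{name}: requirements={per_req} domain={domain_score(SAMPLE_DOMAIN, weights):.1f}%")
        print(f"  below 80%: {requirements_below(SAMPLE_DOMAIN, weights, 80)}")
```

Running it shows the point the article makes about omitting the measured and managed levels: under the assumed r2 weights the first requirement is capped at 75% even though its policy and procedure are fully compliant, while the implementation-only e1/i1 scale rates the same evidence at 75% for a different reason (only the implementation rating counts). Swap in the real weights from the HITRUST documentation your assessor works from before relying on any numbers.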
HITRUST Certification Process
Ultimately, becoming HITRUST Certified indicates your organization's commitment to information security. As a result, it has become a benchmark for handling sensitive data with the greatest care. Also, it helps organizations, business associates, and vendors to manage risks across their third-party supply chain.
However, before the certification itself takes place, organizations need to prepare, typically through the following steps:
Self-Assessment and Readiness: The organization conducts a risk analysis, which determines the implementation level it must meet.
Remediation: Based on the risk analysis, the organization remediates the identified gaps and risks.
Validation Assessment: A CSF assessor analyzes the self-assessment reports and the remediation actions the organization performed.
Quality Assurance Review: The CSF assessor reviews the performance of the controls and determines whether they are satisfactory.
Certification: A certification letter is issued if all controls are deemed to perform satisfactorily.

Baseline Security Assessment vs. Comprehensive Assessment
When pursuing HITRUST CSF certification, it's important to understand the distinction between the baseline security assessment and the comprehensive assessment—especially regarding which controls are certifiable.
Baseline Security Assessment: This is the core pathway to HITRUST certification. It focuses on 75 mandatory security controls that every organization must address to achieve certification. These controls are selected to provide a robust foundation in information security, ensuring an organization meets the fundamental security requirements outlined by HITRUST.
Comprehensive Assessment: In addition to the baseline, organizations that opt for a more extensive review can include up to 60 additional, optional controls. These extra controls offer broader coverage and allow organizations to further strengthen their security posture. However, while these are included in the assessment for internal improvement, only the baseline set of 75 controls is relevant to certification itself.
A key consideration: Privacy-specific controls fall within the comprehensive assessment but are not currently eligible for HITRUST certification. As such, when the goal is formal certification, organizations are advised to direct their efforts towards meeting the baseline security requirements, reserving the more expansive assessment for those seeking extra layers of due diligence or industry-specific coverage.
How HITRUST Addresses Information Security Policies and Procedures
Unlike many other frameworks that provide only general direction, HITRUST takes a deep dive into the specifics when it comes to information security policies and procedures. It doesn't just ask organizations to have policies in place—it requires those policies to be both current and formally approved. More importantly, HITRUST expects your policies to spell out how security requirements are met, not just what should be achieved.
For example, instead of simply saying "data must be encrypted," HITRUST expects detailed documentation on exactly how encryption is implemented—whether data is at rest or in transit, and across all types of IT systems. By doing so, HITRUST helps close the common gap between vague policies and real-world practice, ensuring that organizations have well-defined, actionable procedures that meet the strictest standards.
Accessing the HITRUST CSF Framework
Organizations looking to obtain the HITRUST CSF can do so directly from the HITRUST Alliance. The framework is accessible online, though you may need to register for an account and agree to the terms of use, as availability is intended for organizations working toward certification or compliance initiatives. Once registered, you can download the latest version of the HITRUST CSF to review its control categories, objectives, and specifications. This allows your team to start aligning your practices with industry-leading security standards, ensuring a smooth path toward compliance and certification.
Access and Usage Limitations of HITRUST CSF
While the HITRUST CSF is widely accessible, there are a few key limitations to be aware of. The framework itself can be downloaded directly from HITRUST, but full access to all its features and usage rights is typically reserved for qualified individuals and organizations. In practice, this means:
Individuals may need to register or meet specific criteria before downloading the full framework.
There may be restrictions on how you can use or share the framework, particularly for commercial or consulting purposes.
The documentation is meant for organizational use to guide compliance, not for broad public distribution.
So, while acquiring the HITRUST CSF isn’t overly complicated, make sure you’re respecting any terms or licensing requirements HITRUST has in place.