HITRUST Certification: What It Is, e1 vs i1 vs r2, and How to Get Certified

The gold standard for healthcare data security — what the HITRUST CSF is, how the three assessment tiers differ, and a practical path to certification.

What Is HITRUST?

HITRUST (formerly the Health Information Trust Alliance) is an organization that created and maintains the HITRUST Common Security Framework (CSF) — a comprehensive, certifiable security and privacy framework that harmonizes over 60 standards, regulations, and industry best practices into a single control set.

HITRUST certification is widely considered the gold standard for information security in healthcare. It provides a standardized way for healthcare organizations and their vendors to demonstrate that their security controls are not just documented but independently validated and continuously updated against evolving threats.

Key figures: 99.41% of certified environments breach-free in 2024 · 60+ frameworks harmonized in the CSF · 3 assessment tiers (e1, i1, r2)

Why it matters: Unlike HIPAA — which tells you what to protect — HITRUST tells you exactly how to protect it, through prescriptive controls that are independently validated by an authorized assessor and reviewed by HITRUST itself. That combination of prescriptiveness and independent validation is what makes HITRUST certificates meaningful to healthcare enterprise buyers.

Who Needs HITRUST Certification?

HITRUST was originally built for healthcare — but it has expanded well beyond hospitals and health insurers. Today it's required or strongly preferred by a wide range of organizations:

In 2024, SaaS and technology companies accounted for more than 37% of HITRUST certifications — it's no longer a healthcare-only credential. If you sell to healthcare enterprises or handle any PHI, expect to be asked for it.

The Three Assessment Tiers: e1, i1, and r2

HITRUST's most important structural feature is its tiered assessment portfolio. Each tier builds on the previous one, allowing organizations to start at an appropriate level and mature over time. All three are built on the same HITRUST CSF, so prior work carries forward.

e1 · Essentials · 1-year validity · 44 controls

Foundational security hygiene. Ideal for low-risk organizations, early-stage startups, or companies that need a basic assurance credential quickly. Valid for 1 year.

i1 · Implemented · 1-year validity · 182 controls

Moderate assurance. Covers e1's 44 controls plus 138 additional implemented controls. Appropriate for organizations with established security programs. Valid for 1 year with a rapid recertification option.

r2 · Risk-based · 2-year validity · 182+ tailored controls

Comprehensive assurance. Uses i1's 182 controls as a baseline and adds tailored requirements based on your risk profile. Required by most healthcare enterprise customers. Valid for 2 years.

Which tier is right for you?

e1 is best if you're early-stage, have a small attack surface, and need to demonstrate basic security hygiene to a prospect who hasn't specified a tier. It's increasingly seen as a starting point rather than a final destination — most healthcare enterprise customers will eventually require i1 or r2.

i1 is the right choice for companies with a mature security program that need moderate assurance and want the option of rapid recertification. Many mid-market healthcare technology companies find i1 satisfies the majority of their customer requirements.

r2 is the gold standard and what large payers, hospital systems, and health plans typically require from their vendors. It's the most comprehensive, most expensive, and most credible. If you're selling to enterprise healthcare organizations or handling large volumes of PHI, r2 is almost certainly where you need to be.

Ask before you commit: Before choosing a tier, ask your top prospects and customers specifically what they require. Many organizations will accept i1 as a near-term substitute for r2, with an expectation that you'll upgrade. Spending the full r2 cost when your current customers accept i1 is an avoidable expense.

The HITRUST CSF: Structure and Controls

The HITRUST Common Security Framework is organized into 14 control categories covering 49 objectives and 156 control references. These control categories map to the 19 domains of the broader CSF:

A key feature of the HITRUST CSF is risk-based tailoring. The number and stringency of controls applied to your organization is adjusted based on organizational factors (size, complexity), system factors (what data you process, how), and regulatory factors (which laws apply to your business). Two organizations in the same industry may have different control sets because their risk profiles differ.

The HITRUST CSF is updated regularly — version 11.5.1 is the current release (2025). Updates consolidate overlapping controls, add new regulatory mappings, and incorporate emerging threat intelligence. Organizations certified under older versions must transition at their next assessment cycle.

HITRUST vs. HIPAA: What's the Difference?

This is the most common question from healthcare technology companies. They're related but serve fundamentally different purposes:

| Dimension | HIPAA | HITRUST |
| --- | --- | --- |
| Nature | US federal law (mandatory) | Private certification framework (voluntary) |
| Enforced by | HHS Office for Civil Rights (OCR) | HITRUST Alliance (independent assessors) |
| Prescriptiveness | Principles-based — defines what to protect | Highly prescriptive — defines exactly how to implement controls |
| Validation | Self-attestation (no formal audit required) | Independent third-party assessment and HITRUST Q/A review |
| Result | Compliance status (no certificate) | Formal certificate valid for 1–2 years |
| Scope | PHI protection, patient rights, breach notification | Broad security and privacy across 60+ frameworks including HIPAA |
| Updates | Rarely updated | Updated 1–2 times per year |

HIPAA tells you that you need to implement access controls, encryption, and audit logging — but leaves the implementation details to you. HITRUST tells you exactly which controls to implement, how to implement them, and validates that you actually did. A HITRUST r2 certification is the strongest available evidence of HIPAA Security Rule compliance — though the two remain legally separate.

See our full HIPAA compliance checklist for the complete HIPAA requirements if you're also working on direct HIPAA compliance.

HITRUST vs. SOC 2: Do You Need Both?

For healthcare technology companies, this is the practical question. The short answer: they serve different audiences, and many companies eventually need both.

| Dimension | SOC 2 | HITRUST |
| --- | --- | --- |
| Primary audience | US enterprise B2B customers broadly | Healthcare organizations specifically |
| Type | CPA attestation report | Independent certification from HITRUST |
| Framework | AICPA Trust Services Criteria | HITRUST CSF (harmonizes 60+ frameworks) |
| HIPAA coverage | ~ Partial overlap | ✓ Direct HIPAA mapping |
| Required in healthcare enterprise | ~ Often | ✓ Increasingly required |
| Can be combined | ✓ Yes — a single assessment can produce both | ✓ Yes — a single assessment can produce both |

The good news: because the HITRUST CSF was designed to align with the AICPA's Trust Services Criteria, qualified auditing firms can issue both a HITRUST certification and a SOC 2 report from a single combined assessment engagement. This significantly reduces total cost and effort for companies that need both — which is most healthcare technology companies selling to enterprise customers.

Recommended sequencing for most healthcare SaaS companies: Start with HIPAA compliance first if you already handle PHI — it's legally required. Then pursue HITRUST (starting with i1 if resources are constrained, r2 if your target customers require it). Consider combining with SOC 2 in a single assessment engagement to maximize efficiency. Organizations with ISO 27001 can leverage significant control overlap to accelerate all three.

The HITRUST Certification Process

HITRUST certification follows a specific process involving the MyCSF tool, an authorized external assessor, and HITRUST's own quality review. You cannot self-certify — all validated and certified assessments require an authorized external assessor.

  1. Choose your assessment type. Determine whether e1, i1, or r2 is appropriate based on your risk profile and customer requirements. When in doubt, ask your top healthcare prospects what they require — the answer determines your tier.
  2. Subscribe to MyCSF. MyCSF is HITRUST's SaaS portal where all assessment work is managed. An annual subscription is required (~$15,000/year). This is where you document controls, manage remediation, and receive your assessment results and certificate.
  3. Define your scope. Identify which systems, applications, data flows, and physical locations are in scope for the assessment. Scope directly determines assessment complexity and cost — define it narrowly but honestly.
  4. Run a gap assessment. Compare your current controls against the HITRUST CSF requirements for your chosen assessment type. Our free gap assessment tool provides an initial readiness score. This gap list becomes your remediation roadmap.
  5. Remediate gaps and generate evidence. Implement missing controls, write required policies and procedures, and generate operating evidence. This is typically the longest phase — 3–9 months depending on your starting point and assessment tier.
  6. Select an authorized external assessor. Engage a HITRUST-authorized external assessor firm. Only authorized assessors can conduct validated or certified assessments. Get quotes from at least two firms — fees vary significantly.
  7. Complete the validated assessment. The external assessor reviews your MyCSF documentation and tests your controls. Their findings are submitted into MyCSF and then go through 150+ automated quality checks and five independent HITRUST quality reviews before certification is issued.
  8. Receive certification and maintain it. e1 and i1 certifications are valid for 1 year; r2 is valid for 2 years with interim assessments. Budget for annual maintenance costs — controls that lapse between assessments can result in certification issues at renewal.

Cost and Timeline

HITRUST is among the more expensive compliance certifications, primarily because of the MyCSF subscription requirement and the complexity of the external assessor process. Here are realistic ranges:

| Cost Category | Notes | Typical Range |
| --- | --- | --- |
| MyCSF subscription | Required annual fee; scales with organization size | ~$15,000/yr |
| External assessor fees | Varies by tier and organization size; get multiple quotes | $30,000–$150,000+ |
| Remediation (technology & tools) | Depends heavily on starting point | $10,000–$100,000+ |
| Internal staff time | 20–30 hrs/week for 2–3 months is typical | $15,000–$60,000 |
| Consulting support (optional) | Readiness preparation and project management | $10,000–$50,000 |
| Total — e1 or i1 (smaller org) | | $50,000–$150,000 |
| Total — r2 (mid-to-large org) | | $150,000–$400,000+ |

Timeline: e1 can be achieved in 3–6 months for organizations with mature security programs. i1 typically takes 6–9 months. r2 for complex organizations can take 12–18 months. The largest variable in both cost and time is your current security maturity — organizations with existing ISO 27001 or SOC 2 programs can leverage significant control overlap to accelerate HITRUST considerably.

Leverage existing compliance work: If you have ISO 27001 or SOC 2, you've already done 40–60% of the work required for HITRUST. The CSF is explicitly designed to harmonize with these frameworks. Map your existing controls to HITRUST requirements before estimating remediation cost — you'll likely find significantly less new work than you expect.

Know Your HITRUST Gaps Before You Start

Our free assessment benchmarks your current security controls and gives you an initial readiness picture — before you subscribe to MyCSF or engage an external assessor.

Frequently Asked Questions

Is HITRUST required by law?

No. HITRUST certification is voluntary — no US law mandates it. However, it is increasingly required by large healthcare enterprises as a vendor qualification condition. Many hospital systems, health plans, and payers will not contract with vendors who cannot demonstrate HITRUST certification or a credible path toward it. Voluntary in law, mandatory in practice for much of the healthcare enterprise market.

What is the difference between HITRUST validated and HITRUST certified?

In older HITRUST terminology, "CSF validated" referred to an external assessor-led assessment without full certification, while "CSF certified" required meeting all certification requirements. The current portfolio (e1, i1, r2) uses the term "certified" for all three tiers once they pass HITRUST's quality review process. All current HITRUST assessments that pass review result in a formal HITRUST certificate.

Can I inherit controls from my cloud provider?

Yes — this is one of HITRUST's most practical features. If your cloud infrastructure provider (AWS, Azure, Google Cloud) holds HITRUST certification, you can inherit their certified controls rather than re-testing them. AWS has 177 services certified under HITRUST as of 2025. This inheritance significantly reduces your assessment scope and cost — confirm with your external assessor which controls are inheritable based on the services you use.

How does HITRUST relate to the CMS Interoperability Framework?

CMS's interoperability and data sharing rules increase the importance of demonstrated security governance for healthcare organizations and their technology partners. HITRUST certification is increasingly referenced as evidence of the security posture required to participate in data sharing networks under these frameworks. Organizations seeking to participate in CMS-regulated data exchanges benefit from HITRUST certification as a trust signal to trading partners.

Does HITRUST have AI-specific certifications?

Yes. HITRUST launched two AI-specific assessment products: the HITRUST AI Security Assessment (44 controls for AI platform and service providers) and the HITRUST AI Risk Management Assessment (51 controls aligned with ISO/IEC 23894 and NIST AI RMF). These can be combined with e1, i1, or r2 assessments. For healthcare AI companies, these assessments address both the security and governance dimensions of AI systems handling PHI. See our NIST AI RMF guide for context on the broader AI risk management landscape.