Team members discuss strategy in a meeting

What is HITRUST?


  • Formerly known as Health Information Trust Alliance Common Security Framework, HITRUST is a security and privacy framework across all industries (not only healthcare). HITRUST was built upon the International Organization for Standardization (ISO) framework and the National Institute of Standards and Technology (NIST) framework but it has expanded to include other regulatory advancements such as the General Data Protection Regulation (GDPR) and the Cybersecurity Maturity Model Certification (CMMC). HITRUST aims to standardize requirements and is a certifiable framework. 

What is the most recent version of HITRUST?

  • As of January 2023, the most recent version of the HITRUST CSF is version 11. Subscribers of HITRUST can be certified on lower versions of the HITRUST CSF.

What are the differences between HITRUST and other assurance programs?

  • As an assessor, Baker Tilly executes the HITRUST certifiable validated assessments under non-attest standards (vs. the American Institute of Certified Public Accountants (AICPA)). HITRUST is the organization that provides its certification of the report, not the assessor. 

What is the MyCSF tool?

  • MyCSF is an online Software as a Service (SaaS) application that HITRUST owns and provides support. Once an organization becomes a subscriber to HITRUST, it will gain access to the online tool. This is the only way to efficiently tailor an assessment and generate the control requirements. The tool maintains the administrative requirements along with the selected factors used for scoping an assessment, a library of documentation and maturity of controls and domains.

What are the HITRUST assessment portfolio options?

HITRUST Basic, Current–state (bC) Assessment

  • This assessment option is certifiable by HITRUST and is considered a low level of assurance. The organization and the external assessor will utilize the MyCSF tool to manage and score 44 control requirements. This is an annual assessment that provides coverage of the fixed control requirements over implementation only.

HITRUST Implemented, 1-year (i1) Validated Assessment

  • This assessment option is certifiable by HITRUST and is considered a moderate level of assurance. The organization and the external assessor will utilize the MyCSF tool to manage and score 182 control requirements. This is a bi-annual assessment that provides coverage of the fixed control requirements over implementation only. Year two requires a rapid recertification process with a varying number of control requirements.

    Follow-up question: If it's certifiable, does HITRUST provide quality assurance (QA)?
  • Yes, the QA process is very similar to the r2 Validated Assessment option. 

HITRUST Risk-based, 2-year (r2) Validated Assessment

  • This is the former HITRUST Validated Assessment and is considered a comprehensive risk-based assessment for a rigorous approach to security and privacy. It is a tailored approach, and control requirements can be more than 1,900 (average is 360). The maturity assessment of the control requirements includes an external assessor evaluation of at least policy, procedure and implementation. The validated assessment is certifiable and involves the HITRUST QA process every two years.

How do I know which assessment I need?

  • Baker Tilly can help you identify which assessment is most appropriate for your organization. The assessment that best meets your needs depends on multiple external and internal factors such as required level of strength your board would like to have for your organization, level of compliance with contractual commitments and third-party assurance, competitive advantage against your organization in the marketplace, type of data your organization processes, and the industry of your organization. Connect with us.

What is an interim review?

  • An interim review is only related to the r2 Assessment referenced above. It occurs no earlier than 120 days prior to the one-year anniversary of the certification date. The review includes at least one control from each of the 19 domains that is randomly selected by HITRUST for the external assessor to test and validate the control is still operating effectively. 

    Will there be more than 19 controls selected?
  • At times, HITRUST may select additional controls within a domain and will always select controls that were identified to have a corrective action plan (CAP) associated to the score of the control. 

What is the timeline for certification?

How long is readiness and remediation?

HITRUST flyer timeline chart

Follow-up question: Can Baker Tilly help with remediation and policies and procedures? 

  • Yes, a separate independent team that is part of the Baker Tilly risk advisory practice can assist with remediation. 

How long will it take my organization to get certified?

  • If your organization has already completed a readiness assessment and remediation, the largest variable for time is identifying your period for the assessment. The minimal period required is 90 days for the implemented controls requirements. 

What is an external assessor?

What is an external assessor?

  • External assessors are organizations approved by HITRUST to perform assessments related to the HITRUST Assurance Program. Baker Tilly has been an approved external assessor since 2016. Baker Tilly also sits on the HITRUST Assessor Council for 2022.

What is a Certified CSF Practitioner (CCSFP)

  • A CCSFP is an individual who has completed the required HITRUST training and exam. HITRUST validation assessments are required to have at least 50% of engagement hours come from CCSFP team members.

How many external assessors does Baker Tilly have?

  • We have well over the minimal requirement, and we are supportive of having team members certified if they are interested.
Emily Di Nardo