What Is HITRUST And How Can It Benefit Your Organization?


Today, covered entities and business associates are addressing a wide range of regulatory requirements driven by the growing complexity of the healthcare industry. Evolving technologies, migration to the cloud and cyber threats like ransomware are just a few top-of-mind issues. Combine those with regulations and standards such as HIPAA, Meaningful Use, PCI, COBIT and ISO, and it becomes clear that covered entities and business associates need a way to manage their security programs more effectively.

What is the HITRUST Common Security Framework (CSF)?

The HITRUST CSF is the leading information security framework for the healthcare industry. According to the Health Information Trust Alliance, the HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations through a comprehensive and flexible framework of prescriptive and scalable security controls. The CSF incorporates federal and state regulations, standards and frameworks, and takes a risk-based approach that provides specific criteria for assessing how well the confidentiality, integrity and availability of information systems are protected. What makes the CSF unique is that it is the only security framework designed specifically for healthcare.


“Gold Standard” of Healthcare Data Security. Healthcare payers, and an increasing number of health systems and hospitals, are requiring their Business Associates to become HITRUST certified, because the certification demonstrates that your organization has made a dedicated commitment to maintaining the highest level of protection for your customers’ healthcare data.

Scalable and Cost-Effective. By incorporating federal and state regulations, standards and frameworks, and taking a risk-based approach, the HITRUST CSF helps organizations address today’s information security challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. With this consolidated controls approach you can generate multiple reports addressing legislative, regulatory or best-practice frameworks from a single assessment. You will have a well-established, prepared and documented security program to present whenever it is needed. Though certification is a rigorous process, once certified your business will be able to respond faster, more thoroughly, with fewer resource hours and in a repeatable manner to the continuous stream of arduous and lengthy security questionnaires that are a customary part of doing business as a healthcare technology or services company.

Competitive Advantage. Your clients are aware of, and concerned about, the ever-growing threat to their data security. They understand the importance of working with organizations that are not only educated on these threats but have also taken the necessary steps to make sure they are protected according to the highest standards in the industry. With HITRUST Certification, your organization will be able to market its leadership in security, privacy and compliance, and will have the certification to back it up. This credibility and status in the healthcare industry will set you apart from others.

How do you achieve HITRUST Certification?

The HITRUST Certification process consists of an initial baseline self-assessment using the MyCSF web application, one or more Corrective Action Plans based on the responses and the associated remediation needs, a validated assessment performed by a CSF Assessor, and a final submission to the HITRUST Alliance, which certifies the information provided.

For each assigned control in MyCSF, a submitter must score themselves on five evaluation criteria, which the HITRUST Alliance weights differently during submission:

Evaluation Criteria    Weight
Policy                 25%
Procedures             25%
Implemented            25%
Measured               15%
Managed                10%


For each evaluation criterion under each control, submitters assign themselves a compliance score based on their level of maturity, measured on a scale of 0 to 100 in increments of 25.

[Figure: maturity levels]
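To make the scoring described above concrete, here is a small added calculator that is not part of the original page and not a HITRUST or MyCSF tool. It uses the five criteria and weights stated above and enforces the 0 to 100, increments-of-25 scale. Combining the criteria as a weighted sum, the control identifiers, the sample scores and the pass threshold are all assumptions for illustration; the page does not state the formula or the score HITRUST requires for certification.

```python
"""Weighted control maturity score, illustrative only (not HITRUST's published formula)."""

# Criterion weights as listed on the page.
WEIGHTS = {
    "Policy": 0.25,
    "Procedures": 0.25,
    "Implemented": 0.25,
    "Measured": 0.15,
    "Managed": 0.10,
}

# The page's scale: 0 to 100 in increments of 25.
VALID_SCORES = {0, 25, 50, 75, 100}


def control_score(scores):
    """Return the weighted maturity score for one control.

    `scores` maps each criterion name to a compliance score on the 0-100,
    increments-of-25 scale. Combining the criteria as a weighted sum is an
    assumption made for this example.
    """
    missing = set(WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing criteria: {sorted(missing)}")
    for name, value in scores.items():
        if name not in WEIGHTS:
            raise ValueError(f"unknown criterion: {name}")
        if value not in VALID_SCORES:
            raise ValueError(f"{name}: {value} is not a multiple of 25 within 0-100")
    return sum(WEIGHTS[name] * scores[name] for name in WEIGHTS)


def assessment_summary(controls, threshold):
    """Score every control and list those below a caller-chosen threshold.

    `controls` maps a control identifier to its criterion scores. The
    `threshold` is a placeholder, since the page does not give the required
    score. Returns (average score, sorted list of controls below threshold).
    """
    per_control = {cid: control_score(s) for cid, s in controls.items()}
    average = sum(per_control.values()) / len(per_control)
    below = sorted(cid for cid, v in per_control.items() if v < threshold)
    return average, below


# Constructed sample input; the control names and scores are not real assessment data.
SAMPLE_CONTROLS = {
    "control-A": {"Policy": 100, "Procedures": 100, "Implemented": 75,
                  "Measured": 50, "Managed": 25},
    "control-B": {"Policy": 100, "Procedures": 75, "Implemented": 50,
                  "Measured": 0, "Managed": 0},
}

if __name__ == "__main__":
    avg, gaps = assessment_summary(SAMPLE_CONTROLS, threshold=70)
    print(f"average {avg:.2f}; controls below threshold: {gaps}")
```

Running it on the constructed sample shows how a control with strong policy and procedures but weak measurement and management (control-B) drags the score down even though three criteria are fully or mostly met, which is the practical effect of the weighting on a remediation plan.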

HITRUST will provide your organization with a report of findings indicating whether the security controls identified in the CSF were of a sufficient or insufficient maturity level to be deemed adequate, both objectively and in relation to peers in the healthcare industry. Ultimately, the overall maturity level score determines whether you achieve HITRUST Certification.

BluePrint Healthcare IT is the longest-tenured 100% healthcare-focused HITRUST Certified Assessor. We have taken both covered entity and business associate clients through the certification process, helping them simplify the complexities of HITRUST through our depth, experience, proven methodology, client partnerships and purpose-built tools that complement and streamline the use of the MyCSF portal.

Contact us to learn more about how you can begin your HITRUST Certification journey today.