HITRUST® continues to see tremendous growth and success in the marketplace by helping address the multitude of security, privacy and regulatory challenges facing organizations. As companies start their HITRUST journey, we often hear the same misconceptions. If you aren’t familiar with HITRUST, you can learn more about it here. In this article, we address seven of those misconceptions to help you as you implement HITRUST.

1. Can you be certified to HIPAA?

Unfortunately, the HIPAA Security Rule’s numerous standards and implementation specifications for administrative, technical and physical safeguards, despite what the terms imply, lack the prescription necessary for actual implementation by a healthcare organization. The HITRUST CSF® is mapped to the HIPAA Security Rule, which provides reasonable assurance that your organization is satisfying the rule’s requirements. However, “certification” to HIPAA is not implied by HITRUST readiness, validation, or certification achievements.

There is an ability to produce a targeted assessment against any authoritative source, but this will not result in a HITRUST CSF Assessment Report.

2. If I am not a healthcare entity, can I still be HITRUST certified?

Absolutely! HITRUST, in collaboration with privacy, information security and risk management leaders from the public and private sectors, develops, maintains and provides broad access to its widely-adopted risk and compliance management framework. It now includes 44+ mapped authoritative sources and has strong adoption rates across a broad spectrum of industries including manufacturing, banking, airline/entertainment, and telecommunications. Indeed, if you fall into any of these industries, you likely are hearing about HITRUST as a way to communicate your organization’s security and privacy practices using the HITRUST CSF.

3. A popular misconception is that HITRUST came about as a result of failed OCR HIPAA audits. Is this true?

The OCR HIPAA audits did not begin until 2011. HITRUST was founded in 2007.  LBMC has remained a steadfast supporter of the HITRUST CSF since February of 2010.

4. Can an organization certify to the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework Scorecard is included with HITRUST CSF Validated Assessment Reports. It is not one of the regulations you select to include in your assessment, because it is already included in every assessment.

5. Is the HITRUST program a true Assess Once, Report Many™ audit program?

Yes.  Experienced audit firms have developed processes to enable their staff to combine the criteria for multiple audit needs and apply those savings to your organization through increased efficiency, decreased audit fatigue, and higher quality, consistency and reliability of results.  If an audit firm dissuades you from this approach, they may not have the staff skill or tools to execute properly.

6. Is the HITRUST CSF framework designed to allow me to become ISO 27001 certified?

We support the use of the HITRUST CSF within ISO 27001 certifications, if applicable. As with any assessment, be sure to do your homework on your service provider’s skills and knowledge performing any assessment or readiness exam. There are many benefits that can be derived from combining security and/or privacy assessment testing when multiple reporting options are needed.  When combining assessments, the intent and specific requirements of the certification must be taken into account – beginning at the planning stage of the project.

Here are a couple of points to consider from HITRUST’s FAQ on the subject, if you are seeking a firm that can support you in your pursuit of multiple certifications:

  • The focus of an ISO 27001 certification is on the information security management system (ISMS), which includes an evaluation of the information security risk assessment and treatment processes. However, “organizations can design controls as required, or identify them from any source” (ISO 27001, § 6.1.3.b, p. 4). Further, although ISO 27001 Annex A contains a list of control objectives and controls, “they are not exhaustive and additional control objectives and controls may be needed” (Ibid., § 6.1.3.c, p. 4). And although the ISO assessor must produce a “Statement of Applicability that contains the necessary controls (see 6.1.3 b and c) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A” (Ibid., § 6.1.3.d, p. 4), it doesn’t extend beyond what’s required in Annex A. Subsequently, organizations have wide latitude in the controls they specify to address the risks they identify at a level suitable to their risk appetite. ISO certification assessors also have some latitude in how they assess the effectiveness of the controls, and there is no quality control of the assessments other than a general requirement that consultants that help organizations prepare for ISO certification do not perform the certification assessment.
  • The HITRUST CSF provides a baseline of comprehensive, prescriptive control requirements tailored to specific organizational, system and regulatory risk factors. The detailed testing procedures prescribed for these baseline requirements focus on the maturity of the control baseline’s implementation, using a specific, rigorous assessment approach and scoring model to gauge the level of excessive residual risk to ePHI in the organization. Like ISO, the testing must be performed by an approved assessor, referred to by HITRUST as an Authorized External Assessor Organization. Quality assurance is provided by HITRUST.

More information on this subject can be found here.

7. When obtaining a SOC2+HITRUST report, does an organization need to recertify to the entire HITRUST CSF during the interim assessment?

The simple answer is no. The full validated assessment within the HITRUST MyCSF® tool occurs only every two years. However, when obtaining a SOC 2 + HITRUST report during the annual recertification (or interim year), the report will be based on either all 135 HITRUST CSF security controls or those security controls required for certification. The AICPA’s Trust Services Criteria are aligned to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting. Depending on the scoping of your HITRUST assessment, this may mean that the burden of testing can be reduced for the SOC 2 + HITRUST report in the year of the HITRUST Interim Assessment. For example, if an organization chooses to include certain regulatory factors in its HITRUST assessment, those requirements generally do not map to AICPA SOC 2 controls and therefore would not need to be tested for the purpose of the SOC 2.

Keep in mind, the HITRUST Interim Assessment occurs approximately 30-90 days before the anniversary of the assessment date. The interim assessment currently requires the HITRUST External Assessor to test one control from each domain, as well as assess any changes to the scope of the assessment and progress on all corrective action plans.

More information on this subject can be found here.

We welcome additional discussion on any of these topics!

About LBMC's HITRUST practice

As the leader of the “10 year club” of assessors, LBMC stands as the longest-serving assessor in the business with the most experienced team in the industry.  Back in February 2010, our leaders signed on the dotted line to join in a movement that has become the modern-day gold-standard in security and privacy assessments.  We have cultivated a team of assessors led by experts who have been contributing to this success the longest.

We have helped countless organizations reach their HITRUST CSF Certification goal.  And, yes, we have learned many lessons along the way.  In fact, we are assessor council members and assist the industry with education and outreach.  We feel compelled, and are somewhat obligated, to offer some words of encouragement and advice to those that are embarking on this journey.  Please reach out any time with how we can assist you on your journey!