HITRUST Compliance and Certification Services


LBMC HITRUST External Assessor

The HITRUST Common Security Framework (CSF) allows healthcare entities to demonstrate compliance with many different standards and regulations such as HIPAA, ISO, NIST, SOC 2, GDPR, PCI, CMS, MARS-E, and more. You can learn more about their background here: https://hitrustalliance.net/about-us/

One of a select group of HITRUST CSF assessors, LBMC Cybersecurity participated in the effort to integrate security standards from the Centers for Medicare and Medicaid Services (CMS) and NIST into the HITRUST Alliance framework. In 2010, we became one of the first HITRUST CSF assessor organizations, making us exceptionally qualified to use HITRUST CSF to ensure your organization’s information is safe and secure.

Webinar: What is HITRUST?

HITRUST, in collaboration with leaders from the private sector, government, technology, and information privacy and security spaces, established the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores, or exchanges sensitive information. 

Every organization can achieve the coveted HITRUST CSF Certification, but it will take a little patience, a lot of executive support, and, sometimes, a helping hand. 

Learn more about HITRUST, HITRUST CSF, and the top six key benefits of using a HITRUST assessment.

On-Demand Webinar Duration: 0:05:47


  • Robyn Barton, Shareholder, Practice Leader, HITRUST Authorized External Assessor Council & Quality Subcommittee Member
Watch Webinar

WEBINAR: HITRUST i1 Assessment

In December 2021, HITRUST announced the newest service offering – the new i1 Implemented Certification.
In this video, you will learn:
  • What is the HITRUST i1 Implemented Verified Assessment and Certification?
  • Why was this new option was created?
  • Key differences between i1 vs r2.
  • How to choose which option is right for you.

On-Demand Webinar Duration: 7:36

Watch Webinar

Client Testimonial

Testimonial Icon
I have worked in Technology for over 30 years and engaged all large firm assessors in this space. LBMC is second to none. Through the HITRUST process, their team became an extension of ours, making the experience enjoyable and extremely rewarding!
Vice-President and Chief Information Security Officer at a nationwide leader in post-acute healthcare
Testimonial Icon
LBMC is very flexible and accommodating to our specific needs. They gave us a unique advantage with HITRUST certification, demonstrating compliance with various standards and regulations. With LBMC, you get the ‘Big 4’ service without the extreme costs. Their local access and service level are unmatched by large, national providers.
Vice-President of Information Security Risk Management at a large healthcare technology company
Testimonial Icon
We needed a HITRUST assessment partner with experience and local presence for routine face-to-face engagement. LBMC’s resources, solid reputation, and accessible expertise made it a perfect choice. Our team values their highly qualified professionals.
Chief Information Security Officer at a healthcare management company in Nashville

Do your policies and procedures address the HITRUST criteria?

Whether maintaining or pursuing certification, now is a good time to review and ensure your policies and procedures meet HITRUST standards. 

1. Applicability

  • Policy and procedure maturity levels and scoring are only applicable for a r2 assessment.  
  • e1 and i1 assessments focus on control implementation only but may still require policy and procedure review. 

2. Incubation Period

  • Remediated or newly implemented policies/procedures must be in place for at least 60 days (about 2 months) to be considered for scoring.  
  • Policies and procedures in place for 60 days (about 2 months) can be used in validated assessments. 
  • For implemented, measured, and managed maturity levels, the period is 90 days (about 3 months). 

3. Scoring

  • Maturity levels are scored based on the HITRUST Control Maturity Scoring Rubric, considering the strength and percentage of evaluative elements being addressed. 
Do your policies and procedures address the HITRUST criteria?

4. Format

PolicyHigh-level principles or actions intended to guide present and future decision-making in line with management’s philosophy and objectives. 
ProcedureDetailed steps necessary to perform specific operations in compliance with standards. 

Documentation can include standards, handbooks, guidelines, and directives, not just traditional policy, or procedure documents. 

Misconceptions About HITRUST

The HITRUST® framework is growing rapidly by helping organizations address security, privacy, and regulatory challenges. However, there are common misconceptions. 

1. Can you be certified by HIPAA?

The HIPAA Security Rule’s standards for safeguards are not prescriptive enough for implementation by healthcare organizations. The HITRUST CSF® maps to the HIPAA Security Rule, Breach Notification, and Privacy Rule, assuring that your organization meets these requirements. The MyCSF Compliance and Reporting Pack for HIPAA generates a report to demonstrate compliance to auditors or investigators. 

2. Is certification limited to healthcare entities?

No, it is applicable across various industries, including manufacturing, banking, entertainment, and telecommunications. The framework is developed with input from leaders in privacy, information security, and risk management, making it relevant to many sectors. 

3. Was the framework created due to failed OCR HIPAA audits?

This is incorrect. HITRUST was founded in 2007, while OCR HIPAA audits began in 2011. LBMC has supported the CSF since 2010. 

4. Can an organization certify to the NIST Cybersecurity Framework (CSF)?

Yes, many organizations prefer the NIST CSF. HITRUST provides a NIST CSF report scorecard detailing compliance with related controls included in the CSF framework. 

5. Is this program an “Assess Once, Report Many™” audit program?

Yes, experienced audit firms can combine criteria for multiple audit needs, leading to increased efficiency, reduced audit fatigue, and higher quality results. 

6. Can the framework support ISO 27001 certification efforts?

Yes, The HITRUST CSF framework can assist with ISO 27001 certification, but it’s essential to select skilled service providers for compliance and effectiveness. 

The CSF offers comprehensive control requirements and rigorous assessment procedures to gauge the level of residual risk to electronic Protected Health Information (ePHI). The testing must be performed by an approved assessor, ensuring quality assurance. 

HITRUST Services

  • Scoping and Certification Selection: The assurance program allows for independent certification or validation against the framework. These engagements must be performed by trained and vetted assessors, experienced in healthcare information security. We can help your organization with the critical step of understanding and defining your scope, as well as selecting the best assessment scoping strategy for your organization.
  • Readiness and Consulting Services: LBMC Cybersecurity’s experts ensure that your organization is prepared for HITRUST as you embark on the journey of certification, establishing a well-known and generally accepted security framework across any industry. We provide readiness assessments, project management, remediation assistance, score improvement guidance, and more.
  • Certification (Validation, Interim, & Rapid Recertification Assessments): Ready to certify or have a certification in place? LBMC can help you. An interim assessment is required one year after certification to evaluate the organization’s current state against the CSF. LBMC Cybersecurity provides this service and submits an Annual Review Letter. 
  • Bridge Assessment: In response to COVID-19 related challenges, extensions for certification periods are permitted. LBMC, with a decade of experience and the most seasoned team in the industry, offers external assessment services to guide you through the bridge process. 

As the leader of the “10-year club” of assessors, LBMC is the longest-serving assessor in the business with the most experienced team in the industry. In February 2010, our leaders signed on the dotted line to join a movement that has become the modern-day gold standard in security and privacy assessments. We have cultivated a team of assessors led by experts who have contributed to this success the longest. 

We have helped countless organizations reach their HITRUST CSF Certification goal. And, yes, we have learned many lessons along the way. We are assessor council members and assist the industry with education and outreach. We feel compelled and obligated to offer encouragement and advice to those embarking on this journey. Please reach out any time with how we can assist you on your journey! 

Executive Team

Link to Drew HITRUST

Drew Hendrickson

Shareholder & Practice Leader, Cybersecurity

phone icon email icon Nashville
phone icon email icon Nashville
Link to Robyn HITRUST

Robyn Barton

Shareholder, Cybersecurity

phone icon email icon Nashville
phone icon email icon Nashville

We’re happy to answer any questions you may have on what our security experts can do for you. Submit the form below and one of our professionals will get back to you promptly.