HITRUST CSF

Simplifying the Path to HITRUST Certification

HITRUST Made Easy

As an international gold standard of security, HITRUST can demonstrate that your organization meets the highest standards in information security. As a HITRUST Authorized External Assessor, BARR has extensive experience in the HITRUST process and tools, and can serve as your trusted partner every step of the way.

How it Works

Phase 1

HITRUST Readiness Assessment

A readiness assessment is recommended prior to the validated assessment in order to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls;
Control gaps and areas of improvement; and,
Prioritized observations and recommendations for remediation.

The advantage of performing a readiness assessment prior to a HITRUST assessment is to give management an opportunity to address control gaps prior to an inaugural examination as well as help with required risk assessment activities.

Phase 2

HITRUST Validated Assessment

The validated assessment includes a number of testing procedures to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively. Testing procedures include:

Walkthroughs with personnel interviews to verify policies and procedures are documented;
Inspection of CSF-relevant policies and procedures to verify adequate coverage of CSF requirements;
Technical testing to validate the implementation of relevant controls; and,
Observation of relevant controls and control processes
Inspection of mechanisms used to manage relevant controls.

HITRUST Open House

Join us for our HITRUST Open House on Wednesdays from 11 a.m. to noon CST and learn the process and benefits of obtaining a HITRUST Certification.

Save Your Seat

HITRUST Frequently Asked Questions

Who needs a HITRUST certification?

HITRUST CSF is a standard that organizations can use effectively across any industry — not just healthcare. HITRUST compliance provides a consensus-driven standard of due care and diligence for protecting information. This includes electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, or other sensitive information. Because HITRUST offers a portfolio of validated assessment options based on complexity and risk profile, it also can be used for organizations of any size.

Which HITRUST certification is right for my organization?

When it comes to HITRUST assessments, the level of effort each assessment takes directly correlates to the level of assurance it provides. For example, while the e1 Assessment is low effort, it provides only basic assurance. The r2 Assessment requires significantly more effort, but a higher level of risk assurance. Learn more about the different types of HITRUST certifications.

How long does the HITRUST audit process take?

The timeline for the HITRUST assessment process can vary depending on the type of HITRUST certification. On average, the e1 Assessment takes 3 months, the i1 Assessment takes 6-12 months, and the r2 Assessment takes 18-24 months.

What are the benefits of HITRUST compliance?

In addition to safeguarding your organization’s data, obtaining a HITRUST certification can demonstrate a commitment to the security and privacy of your customers. A HITRUST assessment and resulting certification can also convey assurances over other authoritative sources like HIPAA and ISO.

How long is a HITRUST certification valid?

The HITRUST e1 and i1 Assessments remain valid for one year after the issuance date. After that year, we recommend building on the established cybersecurity foundation with a higher-level HITRUST certification. The HITRUST r2 Assessment is valid for two years with an interim period in between.