What is the HITRUST CSF®?

The HITRUST CSF was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework that simplifies security and privacy requirements. It is the most widely adopted security framework in the U.S. healthcare industry. HITRUST offers a Readiness Assessment and a Validated Assessment against the HITRUST CSF. A Validated Assessment is conducted by a HITRUST Authorized External Assessor, like BARR, and is the only assessment that produces a validated certification report.

Who needs to be HITRUST CSF Certified®?

HITRUST CSF Certification is usually driven by customer requirements, for example as a condition of doing business with covered entities. HITRUST is also an important framework for organizations seeking to comply with other regulations and frameworks, such as HIPAA, PCI DSS, and NIST, because of its prescriptive nature.

What are some key benefits of being HITRUST CSF Certified?

There are many benefits to being HITRUST CSF Certified, including:

  • Decreased risk of data loss or breach;
  • Access to ongoing improvement plans through interim assessments;
  • Increased trust among stakeholders;
  • Staying up to date on the latest security risks;
  • Differentiation of your business from the competition;
  • Increased awareness of your current security posture and inherent risk;
  • Demonstrated commitment to managing risk and improving security;
  • Reduced effort spent responding to third-party questionnaires; and
  • Peace of mind knowing patient data is protected.

How long does it take to get HITRUST CSF Certified?

Certification timing depends on several factors, but a Validated Assessment typically takes four to six weeks. Determining factors include the organization’s unique environment, the scope of the engagement, and the organization’s familiarity with the HITRUST CSF. When planning the timeline for HITRUST CSF Certification, two factors are most important to consider:

  1. HITRUST Authorized External Assessor organizations have 90 days to test and submit a Validated Assessment to HITRUST.
  2. Once the Validated Assessment is submitted, HITRUST completes its review. The review timeline depends on the scope and complexity of each assessment.

What are the costs associated with getting HITRUST CSF Certified?

The first cost to consider is the Readiness Assessment. A Readiness Assessment is not required for HITRUST CSF Certification, but many external assessors, including BARR, recommend one to define scope and identify gaps in preparation for the Validated Assessment.

In addition to Readiness Assessment fees, there are external assessor fees, which depend on the assessment scope and vary by organization. The number of in-scope systems and any applicable regulatory factors also play a role in the overall cost of getting HITRUST CSF Certified. Discuss your environment with your HITRUST Authorized External Assessor to get an accurate cost estimate for your organization.

How important is it to do a Readiness Assessment and what’s BARR’s approach?

A Readiness Assessment is not required for HITRUST CSF Certification, but it is very helpful in preparing for it. BARR works with clients on scope discussions to ensure a complete understanding of gaps, plans remediation of those gaps, helps implement the proper systems, and identifies the evidence HITRUST will evaluate for specific requirements.

How is the HITRUST CSF structured?

The HITRUST CSF’s core structure is based on ISO/IEC 27001:2005 and ISO/IEC 27002:2005, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and incorporates more than 40 other security- and privacy-related regulations, standards, and frameworks, providing comprehensive and prescriptive coverage.

What is an interim assessment?

HITRUST CSF Certification is valid for two years with an interim assessment occurring one year after the initial HITRUST Validated Assessment. 

How does the access differ for MyCSF subscribers and non-subscribers?

MyCSF subscribers can begin the interim assessment process 120 days before the submission date by manually creating the interim assessment object in MyCSF. Non-subscribers have access for only 60 days and must reconstruct the assessment scores and the comments for N/A items from the previous year.

When should I contact my HITRUST Authorized External Assessor firm?

As soon as possible. HITRUST Authorized External Assessors, like BARR, provide guidance through the Readiness Assessment, which defines scope, identifies initial gaps, and sets a strong foundation for the Validated Assessment. Connecting with your assessor firm early in the process will set you up for a successful certification process.

Where should I go for more information about HITRUST CSF Certification?

HITRUSTAlliance.net offers publicly available downloads, webinars, training, and more to help organizations prepare for HITRUST CSF Certification. Organizations should always connect with their HITRUST Authorized External Assessor organization for more details and guidance on their HITRUST CSF Certification.
