Skip to Content
April 13, 2016 Article 3 min read
The HITRUST Common Security Framework provides an avenue for a third-party assessment to verify the controls you have in place to meet CSF Certification requirements and demonstrate HIPAA compliance. Our FAQ can help.

Woman filing recordsDid you know that it’s impossible to assert that your organization is “HIPAA compliant” due to the fact that there’s no formal certifying body to substantiate that claim?

Enter the Health Information Trust Alliance’s Common Security Framework (HITRUST CSF), which provides an avenue for a third-party assessment to verify the controls in place to meet all of the CSF Certification requirements. In addition, organizations can market compliance with the HITRUST CSF, as each certification comes complete with a validated report and letter of certification. The CSF also provides an avenue to reduce audit costs, as it can easily be mapped to other compliance frameworks in order to help organizations audit once and report many times over.

Here are a few frequently asked questions about the CSF and the certification process.

What is the HITRUST CSF?

The HITRUST CSF was developed to address the security, privacy, and regulatory challenges facing the healthcare industry. It provides a comprehensive framework of prescriptive security controls and was developed with ISO/IEC 27001 as a primary reference. Its primary goal is to give prescriptive guidance help organizations comply with HIPAA and HITECH.

What are the reporting options?

HITRUST offers a multitude of reporting options to help organizations achieve the correct level of assurance necessary for their operations. There are three options of reports that build upon each other:

  1. Self-assessment. Organizations complete an internal assessment that results in a report issued from HITRUST.
  2. Validated assessment. Once the internal assessment is complete, a certified HITRUST assessor validates and scores the response on site. The assessment is issued to the HITRUST Alliance for quality assurance, and then a validated report is issued.
  3. Validated assessment with certification. During the validated assessment, the HITRUST assessor will also be looking at the scoring achieved by the organization. If the score meets the threshold for certification, a validated report plus certification will be issued.

How do I achieve certification?

There are 66 controls required for certification dispersed among 19 different domains. An aggregate score of at least 3 must be achieved within each domain in order to become HITRUST certified.

Can I achieve certification with control gaps?

Yes. As long as organizations achieve an average score of 3 in each of the 19 domains, they can achieve certification. If control gaps are identified, however, a corrective action plan (CAP) will need to be developed and submitted.

How long does my certification last?

This interim assessment must be submitted within 60 days of the one year anniversary on the initial report date. This assessment will encompass a sample of testing in each of the 19 domains as well as a review of any CAPs that were identified after the initial assessment. This interim assessment must be submitted within 60 days of the initial certification audit.

What is a CSF subscription?

The HITRUST Alliance offers the CSF to organizations on a subscription basis. This means organizations can pay an annual fee to have 24/7 access to document controls and improvements on an ongoing basis in the tool. However, a subscription is not necessary to become HITRUST certified. All of the assessments are available for purchase outside of a subscription. Without a subscription, however, organizations only have 90 days to complete their assessments and submit them to HITRUST for review, or they’ll be deleted.

SOC 2 and HITRUST: Can we do both?

By mapping the HITRUST CSF to the SOC 2 report, organizations have a comprehensive and detailed control report to submit to their customers.  

Yes, a SOC 2 report mapped to the HITRUST CSF will ensure an organization is able to meet all of the reporting requests received. By mapping the HITRUST CSF to the SOC 2 report, organizations have a comprehensive and detailed control report to submit to their customers. In addition, while performing testing for the SOC and HITRUST CSF, we can gain efficiencies between the two reporting frameworks and assist in obtaining a validated report with certification from HITRUST. We can use the “audit once, report many” mentality to help organizations issue a HITRUST certified report from a registered HITRUST assessor as well as issue a SOC 2 report with and opinion from a registered AICPA CPA firm.