What is HiTrust? How do I get certified for it?


In the last 11 years, almost 4,000 data breaches involving 500 or more patient records have been reported to the Office for Civil Rights as HIPAA violations. Combined, those breaches have led to the loss, theft or exposure of over 250 million healthcare records, equating to 80% of the US population.

HIPAA came into force back in 1996 and yet, as these statistics show, compliance continues to be a struggle for many organizations. While the reasons for this vary, they can often be traced back to a lack of understanding, simple oversight and the increasing complexity of today’s digital supply chains.

Enter HiTrust, a not-for-profit organization that was established to help companies that manage protected health information (PHI) meet their security and compliance obligations.

HiTrust was initially created solely to help healthcare organizations demystify their compliance obligations under HIPAA. However, as digital supply chains have expanded and organizations have become more interconnected, HiTrust now assists organizations in all sectors that may come into contact with healthcare information or healthcare organizations.

Is HIPAA different from HiTrust?

In a word, yes. HIPAA is the Health Insurance Portability and Accountability Act, a federal law that mandates certain safeguards be put in place to protect patient health information.

By contrast, HiTrust is a way for organizations to verify their compliance with HIPAA. With mass data breaches on the rise, more and more organizations are becoming wary of suppliers, contractors and partners who self-attest to HIPAA compliance. They want proof and assurance that sensitive data is truly protected. 

This is where HiTrust comes in: it offers a framework and a route to certification that validates HIPAA compliance, rather than organizations having to take each other’s word for it.

Why is HiTrust certification important?

Creating a secure operational environment, and verifying to partners that this environment is truly secure, is a challenge across industries. The increase in supply chain attacks, such as the Kaseya ransomware attack and the SolarWinds breach, has highlighted the dangers of being connected to an insecure firm.

However, many recent high-profile breaches are not the work of dark magic but the result of simple, avoidable mistakes. Had patches been applied, data stored securely and basic cyber hygiene practices followed, these breaches could have been prevented.

Of course, it can be difficult for organizations to know what to do. Wanting to be secure is one thing; knowing how to be secure is a different matter.

HiTrust solves this issue. It offers a sound, concrete method for organizations to validate their compliance with HIPAA’s requirements, based on a uniform information security framework, the CSF. This validation acts as an assurance mechanism within the digital supply chain, creating trust between organizations that work together.

While there are other frameworks and methodologies for HIPAA compliance, HiTrust is the only body that offers a formal certification process, based on a maturity assessment model.

What is the HITRUST CSF?

In the HiTrust CSF, CSF stands for Common Security Framework. This framework is the foundation of all of HiTrust’s programs and services. It rationalizes and harmonizes standards such as NIST, PCI, the ISO/IEC 27000 series and HIPAA into one cohesive, overarching privacy framework.

Over the last two decades, the use of technology in the healthcare industry has skyrocketed. But, as we all know, healthcare data is a prime target for cyber criminals, so security and compliance are essential. However, HIPAA requirements can be vague and difficult to understand. For example, HIPAA wording might say that “reasonable controls” are needed to protect data, without explicitly defining what reasonable is.

This is where the CSF comes into play. For organizations in highly regulated industries, or those concerned about meeting their compliance obligations, the CSF demystifies these obligations and offers a clear, consistent path to compliance.

The HITRUST CSF uses both risk-based and compliance-based principles, meaning that organizations with a range of risk profiles can tailor their security and privacy control requirements according to factors such as organization type, size, systems and regulatory commitments.

How is the HiTrust CSF framework structured?

The CSF is divided into 19 domains, each of which aligns with a common IT process area. Each domain features a number of control objectives, which relate to broad cybersecurity goals. Each objective in turn features specific controls, which mandate security measures that need to be taken. In total, these domains include 135 security controls and 14 privacy controls.

For the mandated actions, or requirements, of the CSF, the framework recognizes that organizations of different sizes and sectors face different levels of risk. For this reason, the CSF offers a number of requirement levels, tailored to different organizations. These levels are numbered, with 1 being the lowest level of risk and 3 the highest.

Who needs HiTrust certification?

HiTrust is not a government-mandated certification, but it has become an industry standard, especially in the healthcare industry.

If your organization processes PHI or PII, then HiTrust certification will likely be useful for you, particularly if you are concerned about meeting your compliance obligations.

How can I achieve HiTrust certification? 

HiTrust certification is a process with many steps. It starts with a self-assessment: a questionnaire that helps you uncover your organization’s risk profile. Using this questionnaire, you can then determine which controls, requirements and requirement levels you will need to implement.

Often, organizations choose to work with security vendors and specialist third parties to help them on the road to certification. The process ends with an official assessment, which must be conducted by an approved third-party assessor organization that HiTrust has vetted.

How Much Does the HITRUST CSF Cost?

Access to the HiTrust CSF is free of charge, although official certification will set you back anywhere from $30,000 to $200,000, depending on the certification body you choose to work with.

While this cost is no doubt high, it makes sense in the context of the depth of the assessment. Typically, these assessments take into account more than 200 security controls, each of which must be assessed against five different maturity states.

How long does certification last?

Certification lasts for two years from the date of certification. After a year, the organization must undertake an interim assessment to ensure that it is continuing to operate securely. The interim assessment is typically a much smaller undertaking than the initial assessment.

However, if the organization undergoes significant operational changes after its initial certification, it will need to retake a full assessment to ensure it is still secure.

Next steps 

For more information on HiTrust certification, review this document for background on the assessment process. 

As a next-generation data loss prevention (DLP) provider, Polymer is well placed to help you meet HIPAA requirements, as well as achieve HiTrust certification. Our solution identifies, alerts on and secures sensitive healthcare data in real time across chats, file storage platforms, ticketing systems and codebases.
