HITRUST Certification Process
The HITRUST certification process involves several phases — scoping, readiness, validated assessment, quality assurance, and certification. Understanding each phase helps you plan effectively and avoid common pitfalls that cause delays.
Phase 1: Scoping and Readiness
Begin by defining your assessment scope in the HITRUST MyCSF platform. Scope includes the systems, applications, and data flows that will be assessed. HITRUST uses your scoping inputs to generate the applicable control set. Conduct a readiness assessment — either internally or with a consultant — to identify gaps between your current state and HITRUST requirements.
Phase 2: Gap Remediation
Address findings from the readiness assessment. This is typically the longest phase, involving policy creation or updates, technical control implementation, process establishment, and evidence collection. For r2 assessments, controls must demonstrate maturity — they need operating history, measurement, and management oversight.
Phase 3: Selecting an Assessor
HITRUST assessments must be performed by authorized HITRUST assessor organizations. Select an assessor with experience in your industry and organization size. Engage early — assessors have busy schedules, especially in Q4. Discuss scope, timeline, pricing, and communication expectations upfront.
Phase 4: Validated Assessment
The assessor evaluates each in-scope control, reviewing documentation, interviewing staff, examining configurations, and testing control operation. They score each control on the HITRUST maturity model. This phase typically takes 4 to 8 weeks for i1 assessments and 8 to 16 weeks for r2.
Phase 5: HITRUST Quality Assurance
After the assessor completes their work, HITRUST performs a quality assurance review. HITRUST independently reviews a sample of the assessor's work to ensure consistency and accuracy. This phase can take 4 to 8 weeks and may result in additional questions or requests for evidence.
Phase 6: Certification Decision
HITRUST issues the certification decision based on the assessment scores and QA review. If scores meet the required thresholds, certification is granted. If not, HITRUST identifies the gaps that must be addressed. Corrective Action Plans (CAPs) may be allowed for minor shortfalls.
Maintaining Certification
r2 certification is valid for two years with a required interim assessment in year one. e1 and i1 certifications are valid for one year. Plan for renewal well before expiration — starting the process 6 months early ensures continuity.