Skip to main content
Meeting in low light room with laptops

CSF v11 Helps Simplify HITRUST Certification for HealthTech Companies

The HITRUST Alliance has expanded and realigned its assessment portfolio with CSF version 11 to help HealthTech organizations increase efficiencies and flexibility on the path to certification. Read on for details.

While focused on improving care and supporting the healthcare industry, your organization also may be required to demonstrate excellence in data protection and privacy. The information your organization processes, receives, and/or transmits to other organizations may be classified as Protected Health Information (PHI). The Health Information Trust (HITRUST) Alliance is considered by many as the best in class data security and privacy healthcare certification. The HITRUST Alliance now provides HealthTech organizations with three options to demonstrate their commitment to securing patient information.

New HITRUST Assessment Options

In 2023, HITRUST released CSF version 11 (v11), which consolidated all assessment options under the cyberthreat-adaptive controls model and, in doing so, increased HealthTech organizations’ abilities to initiate their certification journey while seamlessly traversing between certification options without losing the investment made in previous assessments. The CSF v11 release also has improved control mappings, which can increase efficiencies throughout the certification process.

The three HITRUST assessment options for organizations seeking certification are as follows:

  • HITRUST Essentials, 1-Year (e1) Validated Assessment + Certification
    • The e1 Validated Assessment provides entry-level assurance focused on the most critical information security controls and includes a total of 44 requirement statements that address “essential cybersecurity hygiene.”
  • HITRUST Implemented, 1-Year (i1) Validated Assessment + Certification
    • The i1 Validated Assessment includes a selection of 182 requirement statements that build upon the e1 Assessment requirement statements and provides a moderate level of assurance to address cybersecurity leading practices and a broader range of active cyberthreats.
  • HITRUST Risk-Based, 2-Year (r2) Validated Assessment + Certification
    • The r2 Validated Assessment includes the 182 i1 requirement statements as a baseline, as well as additional requirement statements that are tailored to specific organizations based on responses to scoping factors.

While HITRUST’s Risk-Based, 2-year (r2) Validated Assessment has been and continues to be HITRUST’s gold standard in providing assurance on an organization’s compliance with data security and privacy requirements, the release of CSF v11 helps give organizations more flexibility in evaluating the certification path that best aligns with their risk management levels, resource capacity, and/or unique budgetary considerations.

How Does HITRUST CSF v11 Help Simplify the HITRUST Certification Process?

Historically, when a HealthTech organization engaged with larger payors or providers, the services contracts demanded that the organization obtain an r2 Certification within 18 months of contract execution. This request resulted in an immediate need for a HITRUST Readiness Assessment ultimately leading to an r2 Validated Assessment to quickly comply with contractual mandates. The introduction of both the e1 and i1 certification options now enables HealthTech organizations to begin to demonstrate HITRUST compliance with an e1 certification and then, as customer contracts demand, slowly progress toward an r2 certification, allowing organizations more time to focus on controls which are truly value added to them, while also spreading the costs associated with HITRUST compliance over a longer period of time. The e1 and i1 certifications also are more closely aligned with other certifications and examinations such as ISO 27001 and the American Institute of CPAs’ SOC 2, allowing organizations to take advantage of the “test once, report many” approach, which can help save internal resources time and money by more efficiently bundling examinations together.

Which HITRUST Assessment Is Right for Me?

When selecting the most suitable HITRUST certification process for your HealthTech organization, consider these four factors:

  1. Contractual mandates – What, if any, contractual obligations do you have to maintain a HITRUST certification? 
  2. Timing – How much time does your organization have to complete and issue your HITRUST certification? 
  3. Complexity – How complex is your organization’s technology environment, and what type of applications/environments are you considering for certification? 
  4. Maintenance – How often do you want to evaluate your organization’s compliance with HITRUST?

The release of CSF v11 should encourage HealthTech organizations to reassess HITRUST as a certification option. Whether your organization is just beginning its compliance journey or is seeking to demonstrate best-in-class compliance, HITRUST has a certification option that can help fit the needs and maturity of virtually any organization.

How Forvis Mazars Can Help HealthTech Companies Become HITRUST Certified

We understand that your time is precious. The dedicated SOC & HITRUST services team at Forvis Mazars can help simplify the new HITRUST certification options and help equip your HealthTech organization with the knowledge to decide which path is best for your organization. For more information about the HITRUST assessment process, reach out to a professional at Forvis Mazars or submit the Contact Us form below.

Related FORsights

Like what you see?
Subscribe to receive tailored insights directly to your inbox.