A HITRUST assessment, or audit, helps healthcare organizations gauge their compliance with the Health Information Trust Alliance Common Security Framework (HITRUST CSF).

Increasingly, clients expect assurances regarding the information security practices of healthcare organizations and their business associates. Consequently, they’re asking healthcare providers to achieve HITRUST CSF certification to demonstrate that they’re safeguarding the integrity, confidentiality, and accessibility of individuals’ protected health information (PHI).

The HITRUST CSF brings together the security controls from federal law, such as HIPAA (Health Insurance Portability and Accountability Act) and NIST (National Institute of Standards and Technology), as well as state law and industry standards, into a certifiable framework that’s focused on risk management and geared toward use in the healthcare industry.

The HITRUST CSF was established to address the numerous cybersecurity, privacy, and regulatory challenges facing organizations. 

Understanding the HITRUST CSF certification process enables health systems and other providers to become compliant in ways that best align with the needs of their organizations. Nevertheless, verifying that their organizations have met all of the HITRUST certification requirements can be challenging. 

There are two types of assessments, or audits, that organizations can use to ensure HITRUST compliance: a self-assessment and a validated assessment.


Self-assessment

In a self-assessment, organizations assess themselves using the standard methodology, requirements, and tools that HITRUST provides under the CSF Assurance Program. External auditors don’t verify any aspects of this type of assessment, although HITRUST performs limited validation on the outcome of the self-assessment.

A high-level review of control objectives, the self-assessment lets organizations compare their programs against the required security controls. Companies use the results of the self-assessment to rectify gaps in their security controls using recommendations from the HITRUST framework and the MyCSF assessment tool, which streamlines the compliance and risk management process. This self-assessment helps healthcare companies determine if they’re ready for HITRUST certification.

Validated assessment

A validated assessment is conducted by an external HITRUST-approved CSF assessor. The assessor uses the assessment methodology of the CSF Assurance Program. The controls are scored using HITRUST’s maturity approach to control implementation. Assessments that meet or exceed the current CSF Assurance Program requirements receive a HITRUST validated report indicating they are HITRUST CSF Certified.