New HITRUST Reporting Options Aim to Fill Major Gaps in the Market

January 10, 2022

At a glance

  • The main takeaway: The Health Information Trust (HITRUST) Alliance updated reporting options for assessments and certifications to provide a broader range while maintaining the gold standard of quality of reporting.
  • Impact on your business: Any organization that stores or processes healthcare data may be required to complete a HITRUST assessment to meet customer contractual obligations.
  • Next steps: Aprio’s Information Assurance team can simplify the new HITRUST reporting options and help ensure that your organization remains in compliance.


The full story:

The Health Information Trust (HITRUST) Alliance will release new reporting options on January 1, 2022, to address issues within the market revolving around the complexity of obtaining a full HITRUST certification.

The HITRUST Common Security Framework (CSF) and the related certifications provide organizations with a comprehensive approach to risk management and regulatory compliance by simplifying reporting against multiple frameworks, such as ISO 27001, PCI DSS, NIST, HIPAA/HITECH and GDPR. The current HITRUST certification offers the highest level of assurance, yet it is extremely time consuming, and not every organization requires that level of control.

The HITRUST Alliance set out to develop a broader range of options to address varying assurance needs. The new reporting options will greatly benefit organizations by providing much more flexibility to meet their HITRUST requirements.

Current state of the HITRUST assessment portfolio

[Figure: Current Assurance Portfolio. Source: HITRUST Alliance]

As of today, the HITRUST assessment portfolio includes three options; however, entities are offered only one certification, at the highest level of assurance.

  • HITRUST CSF Rapid Assessment is a self-assessed security questionnaire that offers low-level assurance reporting.
  • HITRUST CSF Readiness Assessment is a low-level assurance reporting option that is performed in preparation for a validated assessment.
  • HITRUST CSF Validated Assessment is an assessment leading to HITRUST CSF certification and offers high-level assurance reporting.

Expanded HITRUST reporting options

[Figure: Expanded HITRUST Assurance Portfolio. Source: HITRUST Alliance]

The new HITRUST assessment and certification will require less effort than the current assessments while retaining the same gold standard of quality. Below is a closer look at the expanded HITRUST assessments:

  • Basic, Current-state (bC) Assessment focuses on “good hygiene” security controls to deliver a low-level assessment by utilizing the HITRUST Assurance Intelligence Engine™ to identify errors, omissions and deceit. The bC assessment considers implementation only, meets 71 HITRUST CSF requirements and provides coverage against NISTIR 7621. This type of assessment is suitable for SMB organizations or those that need a rapid turnaround.
  • Implemented, One-year (i1) Assessment focuses on leading security practices to deliver a more rigorous approach when there is a baseline risk or for a moderate-level assessment. The i1 provides higher levels of transparency, integrity and reliability while meeting approximately 200 HITRUST CSF requirements. In addition, i1 provides complete coverage of NIST 800-171, the FTC/GLBA safeguard rules, much of the HIPAA security rule and portions of AICPA TSC.
  • Risk-based, Two-year (r2) Assessment renames the current “validated assessment” and delivers the strongest level of assurance requirements. The assessment itself is unchanged: it is a highly rigorous, comprehensive and tailorable assessment that provides the highest level of assurance when there is a greater risk of exposure due to volume of data, regulatory compliance and other risk factors. The r2 assessment covers a varying number of requirements, from 198 to 2,000.

The bottom line

Until now, most low-to-moderate risk assessments were performed as self-assessments, which are unsuitable for effectively managing data and information risk. In the ever-changing climate of information security, organizations, specifically those in the healthcare industry, need to be able to rely on an effective information assurance program. This assurance is what the newly expanded HITRUST assessment portfolio aims to accomplish. The broader range of HITRUST assessments now fills the sizable gap within the market and allows organizations to choose an assurance program that fits their needs. Aprio’s Information Assurance team can advise you on which HITRUST assessment is the right program for your organization.


About the Author

Powell Jones

Powell Jones, CISA, CCSFP, is a partner on Aprio’s Information Assurance Services team. Powell works with clients of all sizes, from startups to multinational companies. His experience in ISO certifications, SOC reporting, HITRUST CSF and third-party risk management helps clients select the right reporting options and gain efficiencies in managing multiple compliance frameworks and requirements. He uses his technical expertise and strong understanding of business processes, IT controls, and data security to help clients safeguard and grow their businesses.

(770) 353-3157