HITRUST Certification and CSF Services

Aprio Can Help Your Organization Get HITRUST Certified

HITRUST Certification is rapidly becoming the leading standard for healthcare information assurance reporting in the United States. Aprio helps business associates achieve the level of information security and assurance their covered entities require by leveraging the HiTRUST Common Security Framework (CSF) and other widely accepted frameworks such as SOC2+HiTRUST.

Aprio begins the HITRUST consulting process with a readiness assessment. This assessment against HITRUST CSF requirements identifies compliance gaps and outlines what your organization will need to do to achieve readiness. Once you have addressed all identified compliance gaps, the next step to certification is to undergo a CSF validated assessment. Aprio acts as your third-party CSF assessor during the validated assessment process. Our CCSFPs (Certified Common Security Framework Practitioners) use the HITRUST myCSF tool and the full criteria of the HITRUST CSF to assess your organization against HITRUST CSF requirements.

Once the validated assessment process is complete and your organization has demonstrated they meet the minimum maturity requirements for all controls mandated by HITRUST, the results of your organization’s assessment are forwarded to the HITRUST Alliance for final certification.

Read More


The HITRUST Common Security Framework (CSF) is a certifiable framework that provides healthcare organizations with a flexible, comprehensive and efficient approach to risk management and regulatory compliance. It was developed by the HiTRUST Alliance, a consortium of information security leaders, healthcare providers, payment processors and other third-party healthcare service organizations. Their goal was to unify all relevant healthcare information security standards and regulations into one comprehensive framework.

This overarching framework includes compliance for:

  • ISO
  • NIST
  • PCI

In addition, the CSF is regularly updated with the latest federal and state regulations. Therefore, HITRUST compliance ensures compliance with all relevant healthcare standards and regulations.

HITRUST Degrees of Assurance

HITRUST offers three Degrees of Assurance, based on the level of effort, amount of time, cost, and rigor. Each level builds on the one below it.

The first degree is HITRUST CSF self assessment. As the name suggests, this level involves an organization completing the CSF internally. Doing so can be valuable for internal auditing, as HITRUST is a standardized framework. When completed, organizations receive a CSF Self Assessment Report.

The second degree is CSF Validated. This means a third party CSF Assessor has verified the information in the completed Self Assessment Report after an on-site visit. The end result of this level is a HITRUST Issued Validated Report.

The top degree is CSF Certified. Similar to CSF Validated, an on-site visit third party Assessor is necessary. Organizations who are CSF Certified meet all requirements of the CSF. This HITRUST Certification may take a bit longer to receive than the other two degrees, but it’s valid for two years.

Why Organizations Benefit from HITRUST Certification

Getting HiTRUST certified, is perhaps one of the most widely accepted methods of providing assurance that an organization is adhering to all required safeguards to protect electronic patient health information (ePHI). For an increasing number of Covered Entities HiTRUST Certification represents the most comprehensive method of demonstrating compliance to management, boards, customers, prospects and regulators.

A HITRUST Certification shows that your organization takes information security seriously.  Certification can improve the operational integrity of your organization while advancing the overall risk management and security posture of your business. This can provide a competitive edge with prospective customers enabling you to grow your business and increase revenue.

Many business associates find they can demonstrate compliance to their covered entities through SOC2+HiTRUST assurance reporting and attestation performed by a qualified CPA firm. Like any unified compliance framework, the HITRUST CSF can enable the generation of multiple compliance reports from a single assessment. Achieving HITRUST Certification represents an initial investment in time, but once achieved, can greatly simplify compliance and assurance reporting..

Let Aprio Help You Get HITRUST Certified

As a premier provider of information assurance services, Aprio has a proven track record with numerous healthcare tech service providers subject to regulation as business associates. Our deep experience SOC2, HiTRUST and SOC2+HiTRUST allow our experts to make your organization’s certification process easier to achieve.

We live in an era in which regulators, clients, patients and plaintiffs’ lawyers are all scrutinizing your organization’s management of ePHI privacy and security risks. A checklist approach to compliance will not provide the assurance that these stakeholders expect and the defense that your business needs.

To learn more about how the information assurance experts at Aprio can help you get HITRUST certified today Contact Dan Schroeder

Read Less