As part of this month’s Continuing Privacy and Security Training (“CPST”), the Compliance Team wanted to describe for everyone what it means to obtain a HITRUST Certification – the process we are all currently working towards.

As you know, eHealth Technologies has implemented new Policies and Procedures in Qualio that have been assigned to you for training. As you train on these new Policies and Procedures, we hope that the below information may answer your questions about HITRUST and how this process relates to our core value of Integrity.

What is HITRUST?

HITRUST, or Health Information Trust Alliance, is an independent organization that partners with government and information security professionals working to create programs that safeguard sensitive information. HITRUST brings together and unifies the various aspects of regulatory compliance. This makes it easy for healthcare entities to adopt compliant practices and make sure they are using the right security controls to protect sensitive information and patient data. HITRUST Certification enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a Common Standardized Framework (“CSF”).

HITRUST CSF provides a way for organizations to demonstrate proof of compliance with HIPAA-mandated security controls. HITRUST takes and builds upon HIPAA requirements, incorporating a framework based on security and risk. According to the United States Health and Human Services, the HIPAA Privacy Rule requires that covered bodies apply appropriate administrative, technical, and physical safeguards to protect the confidentiality of protected health information (“PHI”) in any form. HITRUST provides measurable criteria and objectives for implementing appropriate administrative, technical and physical security measures. HITRUST does not replace HIPAA compliance or prove that an entity is HIPAA compliant, but is widely accepted as a good approach for ensuring Covered Information is safeguarded.


Healthcare organizations handle large amounts of data that is extremely sensitive in nature. As technology continues to improve in gathering and storing more data, keeping that data secure becomes a challenge. Some of the challenges might include:

  • Increased public fear of data breaches or loss of sensitive information
  • Augmented scrutiny from business partners, clients, or external auditors
  • Inability to implement basic security controls, due largely to rapidly changing security protocol environments
  • Redundant or unclear information security regulations for diverse healthcare organizations

What is a HITRUST Certification?

It’s a very specific and descriptive framework to help healthcare companies manage security needs required by HIPAA, ISO, NIST, and other industry standards. When all’s said and done, however, the primary goal of HITRUST Certification is to help ensure a company is HIPAA compliant.

There are five steps to the HITRUST CSF Certification process.

Step 1: Investigation

In this part of the process, it’s determined how many and which of the 19 total HITRUST domains, dozens of controls, and 700+ potential requirements apply to the company. Controls vary depending on the type of company and products being certified.

Step 2: Gap Assessment

The second undertaking is for the company to conduct a Gap Assessment and investigate what policies and procedures currently exist and where the company may be lacking from a requirement perspective.

Step 3: Remediation and Implementation

Completing this step involves a sizeable amount of documentation, including policies, risk assessments, and technical documentation and configurations. This can take 3-6 months the first year a company applies for HITRUST Certification, and around 2 months for subsequent audits. The amount of time this takes is highly dependent on the full scope of the audit, the size of the company, and how many offices will be included in the HITRUST Certification.

Step 4: Control/Bake-in Period

This is a control period of 90 days in which all of the policies, procedures, processes, and workflows are expected to operate as they are written and as people have been trained on them. If a workflow provides a step-by-step process, then each step of the process must take place without deviation. HITRUST is divided into 19 different domains that are tested in the Control/Bake-in Period:

  1. Information Protection Program
  2. Endpoint Protection
  3. Portable Media Security
  4. Mobile Device Security
  5. Wireless Protection
  6. Configuration Management
  7. Vulnerability Management
  8. Network Protection
  9. Transmission Protection
  10. Password Management
  11. Access Control
  12. Audit Logging & Monitoring
  13. Education, Training & Awareness
  14. Third Party Security
  15. Incident Management
  16. Business Continuity & Disaster Recovery
  17. Risk Management
  18. Physical & Environmental Security
  19. Data Protection & Privacy

Step 5: Validated Assessment and Certification

This is where certified auditors review each of the controls that are in place to confirm that the operating procedures have occurred as written during the Control/Bake-in Period. Scoring is submitted to HITRUST CSF Evaluators, who then review the certified assessors’ scoring to confirm whether Certification is obtainable. Now that HITRUST Certification is becoming more standard across companies just like ours, the volume of requests going through HITRUST has increased from hundreds to thousands.

Each one of us is working towards HITRUST Certification. By training on the Qualio policies and procedures and ensuring they are followed each and every day, your efforts will directly impact our ability to obtain a HITRUST Certification.

eHealth Technologies’ Privacy and Security Compliance Team delivers monthly training – everyone should know – Think Before You Click!  As always, please let us know if you have any questions on the privacy and security of Covered Information, including PHI, ePHI, and other Confidential Information.