Difference Between a HITRUST Validated Report and a HITRUST Certification
What is the difference between a HITRUST validated report and a HITRUST certification?
Both a HITRUST Validated Report and a HITRUST Certification begin the same way: the organization engages a HITRUST CSF Assessor firm to assess the in-scope CSF controls for the system. The in-scope controls are derived from the answers entered in the risk-based questionnaire (the Factors tab) of the myCSF tool. Within that set, HITRUST designates 64 specific controls that are required for certification, grouped into 19 assessment domains. To obtain certification, any required control that scores below a 3+ maturity rating requires a corrective action plan.
In addition, every one of the 19 assessment domains must reach an average maturity score of at least 3. If any domain averages below 3, HITRUST issues a "validated report" rather than a certification. A validated report is, in effect, a report of a non-certified assessment: it shows clients that the organization has been independently assessed and is working through the HITRUST process, and it may reflect only one or two domains that fell short. If all 19 assessment domains meet the required maturity rating of 3 or higher, HITRUST issues a "certified report," and the organization is HITRUST certified.
About GARY NELSON
Gary Nelson is a Principal based in Atlanta, Georgia. In addition to being a leader in AICPA attestation services in information security and privacy, Gary helps lead Schellman's HITRUST, HIPAA, DEA EPCS, and IoT compliance practices. His information security and privacy career spans over 20 years; he holds CPA licensure in multiple states along with the other certifications and designations listed here. Gary joined Schellman in 2006. He has previously served on the HITRUST Assessor Council and actively participates in multiple industry organizations, including the AICPA, ISACA, IAPP, CSA, and EHNAC.