What is the HITRUST Risk-based 2-Year (r2) Certification Process?
Published: Nov 23, 2022
Last Updated: Dec 10, 2025
If your organization needs HITRUST Certification, you’re probably wondering how to start, what the requirements are, and how to choose the right assessor. The HITRUST CSF (Common Security Framework) is a 600+ page document, which can seem overwhelming at first, but breaking it down step by step makes it more manageable. Doug Kanney, Managing Principal of Schellman's HITRUST Services, shares insight on what to expect in the certification process.
The HITRUST Certification Process
HITRUST certification differs from many other compliance frameworks in that every organization has a different scope with regard to which requirements must be adhered to for certification. Your organization's specific certification requirements are determined through the MyCSF portal.
After deciding whether to pursue a security or privacy assessment (for which most organizations choose security), you input details about your environment, such as the number of records you hold or daily transactions processed. Based on these various assessment factors, the portal generates a tailored set of implementation requirements that apply specifically to your organization. While you can access all of the requirements in the CSF, you won't know your scope or individual requirements until you begin this process.
Working with a trusted assessor is critical at this stage. Misinterpreting assessment factors can unnecessarily expand the scope of your certification. For example, overestimating the number of records held could add hundreds of additional implementation requirements to your certification. Once your scope is finalized, you'll work with the assessor to create your object in MyCSF, which shows all requirements.
From there, you perform a self-evaluation using five scoring areas: policy, procedure, implemented, measured, and managed. The latter two are rarely scored against and most first-time organizations focus on policy, procedure, and implemented, which are sufficient to achieve certification. After you have your timeline and planning set with your assessor, the assessment then moves into a more traditional, standard audit process, similar to SOC or PCI audits.
You provide evidence, such as screenshots or documentation, to the assessor, who reviews and validates your submission. A unique aspect of HITRUST is that you don’t need to be 100% on every single requirement. For instance, if your scope includes 290 implementation requirements spread across 19 domains, you only need to achieve an average score of 3 or higher in each domain. This allows organizations to prioritize and address requirements strategically during the planning phase.
After the initial assessment, the assessor submits your evidence through the MyCSF portal to HITRUST for a quality assurance (QA) review, typically completed within two to three weeks. HITRUST evaluates both the assessor's work and your compliance to ensure standards are met. The QA process may involve a few follow-up questions, typically directed to the external assessor, but once it is complete, HITRUST issues a draft report for your review. After feedback, the final certification report is issued, marking your initial certification.
The HITRUST Certification Timeline
HITRUST follows a two-year certification cycle. After the initial HITRUST certification, organizations undergo an annual interim assessment, which tests one implementation requirement from each of the 19 domains and evaluates progress on the corrective action plans for any implementation requirements that scored less than a 3+. Full remediation is not required at the interim stage in year 2, as demonstrated progress is sufficient, but inactivity can lead to revocation of certification.
Unlike frameworks such as ISO 27001, where annual surveillance reviews and a re-certification occur, HITRUST requires a full reassessment every two years, which may involve a new version of the CSF.
Moving Forward With HITRUST Certification
While the scoring and assessment process can seem complex, understanding these high-level steps—defining your scope in MyCSF, self-assessing with your assessor, submitting evidence, and navigating QA and interim reviews—provides a clear roadmap. Partnering with an experienced assessor ensures a smoother certification journey and helps organizations avoid common pitfalls.
For organizations ready to pursue HITRUST certification, scheduling a discussion with an experienced assessor can provide clarity on scoring, requirements, and timelines, ensuring the process is efficient and sustainable. Contact us today to learn more.
About Doug Kanney
Doug Kanney is a Principal at Schellman based in Columbus, Ohio. Doug leads the HITRUST and HIPAA service lines and assists with methodology and service delivery across the SOC, PCI-DSS, and ISO service lines. Doug has more than 17 years of combined audit experience in public accounting. Doug has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.