Compliance Standards Library

HITRUST CSF

For more information about the HITRUST Assessment, please visit the official HITRUST Assessment Handbook.

HITRUST Certification

To achieve the HITRUST certification, your organization must undergo a validated assessment (r2, i1, or e1). There are four parties involved in the HITRUST certification process:

  • Assessed Entity: The organization seeking the HITRUST certification.
  • Vanta: Vanta provides the platform that customers use to prepare for their assessment.
  • External Assessor: An authorized HITRUST assessor who reviews and validates the assessed entity’s readiness. You can learn more about External Assessors here. You can purchase a validated assessment directly from Vanta, utilizing our network of trusted auditors.
  • HITRUST: Conducts a quality assurance review of the external assessor’s evaluation, and prepares and reviews draft reports.

Below is a simplified view of the Validated Assessment process:

  1. Pre-Assessment: The Assessed Entity enters preliminary information into the MyCSF system. (Organization Information, Assessment Options, and Scope of the Assessment.)
  2. Readiness: The Assessed Entity uses Vanta to complete the necessary steps to prepare its systems and processes for the assessment.
  3. Performing Validation: The External Assessor validates the information provided by the Assessed Entity, approves pre-assessment content, links documentation, and addresses any potential quality issues (PQIs).
  4. Quality Assurance: The assessment is assigned to a HITRUST QA Analyst who begins the QA process during the reserved QA block.
  5. Preparing and Reviewing Deliverables: HITRUST prepares and reviews draft reports, creating additional tasks if questions arise.
  6. Reviewing Draft Deliverables: The Assessed Entity reviews the draft reports, and either approves them or requests revisions within 30 days.
  7. Complete: The final reports are uploaded in MyCSF, marking the assessment complete.


Implementing HITRUST CSF with Vanta

You will use Vanta to ensure your systems and processes are ready for your assessment, and your external assessor will inform you when you’re prepared to be assessed. You do not have to upload evidence and documents directly into MyCSF.

Vanta will facilitate the provision of your MyCSF account when you purchase the HITRUST CSF framework. Getting access to MyCSF will require a few additional steps:

  • For New Customers: You'll receive an onboarding email with account set-up instructions (more below).
  • For Existing Customers: Once your purchase is complete, you'll automatically receive access to HITRUST CSF in MyCSF.

MyCSF Account Setup

  • After completing your purchase from Vanta, you will need to sign a MyCSF license agreement. You will receive the agreement in the same email inbox as your Vanta contract.
  • Once signed, HITRUST will send your login details within 48 hours.
  • The first admin in Vanta will receive the MyCSF login details and will be set as the primary administrator.
  • Based on the type of MyCSF account that you purchased, you will have access to the following features:
    • HITRUST Lite Bundle: 4 users, 1 assessment object*, 1 report credit, 12 months of access.
    • HITRUST MyCSF Professional: 5 users, 2 assessment objects*, 12 months of access; the report credit will need to be purchased separately.

*Assessment object: The scope of the assessment, i.e. a defined scope of the review. For example, business units with their own networks and segmentation: each business unit processes different data types with different configurations and control requirements, so each business unit would require its own certification and, thus, its own assessment object.


Key Terms

  • HITRUST CSF: The HITRUST CSF is an overarching security and privacy framework that incorporates and harmonizes information protection requirements, including federal, state, and international legislation.
  • Assessment Types: The HITRUST assessment portfolio offers three certification options based on your organization’s size, needs, and risk profile. The three types of certifications are the e1, i1, and r2 validated assessments.
  • HITRUST e1 (1-year Validated Assessment): Entry-level validated assessment and certification based on 44 foundational security controls, suited for companies with low-risk profiles that are establishing foundational cybersecurity.
  • HITRUST i1 (1-year Validated Assessment): Suitable for mid-level organizations and offers a more comprehensive level of assurance than the e1, with 187 controls in scope.
  • HITRUST r2 (2-year Validated Assessment): Best suited for organizations that need to demonstrate regulatory compliance with authoritative sources like HIPAA, the NIST Cybersecurity Framework, and dozens of others, or that require expanded control tailoring based on other identified risk factors. It is the most comprehensive and robust HITRUST certification, providing the highest level of information protection and compliance assurance with up to 400 controls.
  • MyCSF: The MyCSF Assessment Platform is HITRUST’s audit platform. Its use is required by HITRUST in order to complete the assessment validation.