HITRUST Audit [Easy Step by Step Guide]



Mar 12, 2024


Research by the Ponemon Institute reveals that the healthcare industry has faced the most expensive breaches for 12 years in a row. This highlights the need to address security gaps effectively. The HITRUST framework aims to address the challenges of managing healthcare services securely. But how do you conduct a HITRUST audit? Let’s find out.

What are HITRUST Audits?

HITRUST audits are an assessment of your organization’s controls and risks based on the selected assessment type (e1, i1, or r2). The audit is conducted by a HITRUST-approved assessment body. Alternatively, you can self-assess using HITRUST’s MyCSF tool.

Who requires a HITRUST Audit?

Unlike HIPAA, HITRUST is not mandatory for all healthcare organizations by default. However, because of its broad nature and comprehensive scope, which harmonizes elements from other frameworks, HITRUST is widely implemented, accepted, and adopted.

All major hospitals and healthcare providers in the United States have adopted some or all parts of HITRUST, even though the federal government does not officially mandate its adoption.

In 2016, five major healthcare players issued a notice to their business associates, asking them to become certified within two years. Today, the number of healthcare providers and services requiring this has reached roughly a hundred.

The healthcare industry continues to be the prime target for security attacks. HITRUST offers a robust structure that addresses security, privacy, and healthcare-related regulations, and it helps to manage security risks by streamlining operational processes.

HITRUST is an extensive framework that combines practices and regulations from a number of popular cybersecurity frameworks like HIPAA, SOC 2, ISO 27001, and NIST. Therefore, it is the gold standard of security frameworks.


Easy steps to perform HITRUST audits

You can implement the security requirements of the HITRUST compliance program in four steps: scoping, implementation, evaluation, and final review by the certification partner. Let’s look at each of these steps in detail.


As with any audit project, start by thoroughly assessing IT requirements, security gaps, regulatory obligations, and budget allocation to avoid confusion and miscommunication.

First, create an inventory of your IT assets. This includes medical systems, IoT devices, endpoint devices, and networks.

Second, conduct a risk assessment to gain insight into the existing security gaps.

Finally, figure out which HITRUST CSF assessment level is right for you. As previously outlined, there are three levels: e1, i1, and r2.

  • e1 covers basic cybersecurity practices and provides entry-level assurance. Suited to low-risk organizations, it helps you lay the foundation and build the maturity of your security controls.
  • i1 provides a moderate level of assurance and covers a broader range of current and emerging threats than e1. Its HITRUST CSF curated controls are more rigorous than the foundational set covered by e1. Use the i1 certification as a stepping stone to starting your r2 program.
  • r2 provides a high level of compliance assurance and is the gold standard for information protection. It is suited to organizations that have a high level of risk exposure and process large volumes of data. It meets stringent compliance requirements by offering flexibility and customizability in control selection.



Once you have completed the scoping and determined the assessment level, you need to understand the control requirements.

Note that not all controls will necessarily apply to your organization; which ones apply depends largely on the assessment level.

Nevertheless, we have listed all 14 control categories along with the number of objectives and references in each.

Control category                                                              Objectives   References
0.0  – Information Security Management Program                                     1            1
01.0 – Access Control                                                              7           15
02.0 – Human Resources                                                             4            9
03.0 – Risk Management                                                             1            4
04.0 – Security Policy                                                             1            2
05.0 – Organization of Information Security                                        2           11
06.0 – Compliance                                                                  3           10
07.0 – Asset Management                                                            2            5
08.0 – Physical and Environmental Security                                         2           13
09.0 – Communications and Operations Management                                   10           32
10.0 – Information Systems Acquisition, Development, and Maintenance               6           13
11.0 – Information Security Incident Management                                    2            5
12.0 – Business Continuity Management                                              1            5
13.0 – Privacy Practices                                                           7           22

You will also find hardware and software references for implementing each control, based on the assessment level and the source framework.


As we already mentioned, the number of controls depends on the assessment level. 

HITRUST’s control implementation model is based on that of PRISMA (Program Review of Information Security Management Assistance).

It outlines five maturity levels against which your risk profile is tested, based on the stage of progress: policies, procedures, implementation, testing, and integration.


The initial maturity level evaluates whether the current policy is up to date, addresses the relevant strategies, and establishes a risk assessment and effectiveness monitoring program.

The policies should comprehensively cover the scope and identify the repercussions of non-compliance. Assign security roles and responsibilities and implement a system to track progress. Get your policy approved by key stakeholders.


Procedures answer the where, how, who, when, and what of carrying out each control.

Clearly establish the asset owners, the expectations of each role, the stakeholders to consult for guidance, and the rigor of the implemented controls.

Ensure that all stakeholders are aware of the procedures and have adequate clarity.


The third level requires you to assess whether you have actually implemented the control specifications as set out in the procedures. Implement the control objectives at an organizational level rather than on an individual basis, and continuously test the processes to ensure that the controls are functioning as intended.


As the name suggests, the measured level evaluates the effectiveness of the implemented controls. You may conduct independent audits and continuously re-evaluate threats.

Use the historical record of security incidents and risks as measurements to identify vulnerabilities and gain insight into new threats.

Additionally, measure costs, benefits, security program status, and individual investment performance using precise metrics.


In the final and highest maturity level, you take corrective actions against the security gaps identified in the previous stage. Continuously review and improve the policies or procedures.

Configure controls to adapt to continuously evolving threats, make risk-based decisions, and identify cost-effective security alternatives.

Review, report, and certification

If you are undergoing the audit through an external assessor firm, submit the assessment for quality assurance review.

Using the maturity scoring model described above, your assessor scores each maturity level to calculate the total score. Based on the total, they calculate an average figure to determine the final result and upload it to the HITRUST MyCSF portal for your review. Producing the certification report takes four to eight weeks.

For any non-conformities, you can upload evidence in the portal after the gap assessment. During the assessment, you cannot upload evidence for a certain number of days, depending on the type of non-conformity.


How Sprinto can help

While HITRUST’s controls are comprehensive, they can be confusing because they combine bits and pieces of compliance requirements from a number of security frameworks and privacy standards. Sorting out the control requirements and implementing them manually is chaotic and error-prone, which can delay your HITRUST CSF certification.

Sprinto provides you with a centralized console to manage all components of your assessment process and regulatory requirements. 

Sprinto does the heavy lifting by automating your compliance efforts. It continuously monitors your IT assets, highlights risk factors, and collects evidence against each control. You get a complete view of your progress from a single dashboard, so you can manage audits with ease and get certified in months.

Still unsure? We can help you. Talk to our HITRUST experts today!


What is the validity of HITRUST r2 certification?

The HITRUST r2 security certification is valid for two years, provided you complete the interim assessment in the first year. A readiness assessment can help you prepare for this.

How long does it take to get a HITRUST certification letter?

The time it takes to become HITRUST certified depends on the assessment type, as shown below:

  • e1 (basic): 44 controls, takes 5-6 months
  • i1 (moderate): 182 controls, takes 5-6 months
  • r2 (high): 250-1800 controls (depending on the scoping exercise), takes 6-9 months

How much does a HITRUST audit cost?

The cost of your HITRUST audit depends on the assessment level. Refer to the pricing structure below:

  • e1 (basic) – USD 10k
  • i1 (moderate) – USD 25.2k
  • r2 (high) – USD 25k for up to 250 controls; USD 50 per control from the 251st control onwards


Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security-related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.
