HITRUST Assessments and Third-Party Risk Management in Michigan, Wisconsin, and Nevada: An Overview
Key Takeaways
- HITRUST Growth: A unified framework increasingly adopted for cybersecurity and compliance.
- Michigan Requirements: Law requires HITRUST (or equivalent) for health information exchanges by March 2025.
- Wisconsin Requirements: State group health insurance program contracts now reference HITRUST for contractors/providers.
- Nevada Guidance: New privacy laws push organizations toward HITRUST alignment, though not mandated.
- Growing Trend: States are driving HITRUST as a standard for compliance, risk management, and trust.
States such as Michigan, Wisconsin, and Nevada are adopting or strongly recommending HITRUST certification as a cybersecurity and third-party risk management standard for entities handling sensitive or regulated data. These updated requirements are reshaping compliance strategies for organizations in healthcare, government, and beyond, making HITRUST assessments a hot topic for both policymakers and businesses seeking trust and regulatory alignment.
What Is HITRUST Certification?
HITRUST is a leading common security framework for information security assurance, combining standards such as HIPAA, NIST, ISO, and PCI DSS into a unified assessment system that covers 19 security domains. These domains include topics such as access control, risk management, incident management, and business continuity & disaster recovery. Organizations can pursue three tiers of certification (e1, i1, r2), each tailored to business risk and complexity, with rigorous scoring and validation requirements. See “Understanding the HITRUST Certification Approach” for more details on HITRUST’s process and for a comparison with another leading and commonly known information security framework, SOC 2.
State Requirements: Michigan
Source of Requirement
The State of Michigan has taken a formal step forward by referencing HITRUST certification in House Bill 5283. House Bill 5283 would amend the Michigan Public Health Code to require, by March 1, 2025, that regulated entities “maintain a high level of cybersecurity standards, including at least a certification from HITRUST Alliance or a similar certification.”
Who Does It Apply To?
House Bill 5283 applies this requirement to any health information exchange that operates a health data utility in Michigan. The bill defines a health information exchange as a “nonprofit entity that operates an inclusive health information technology infrastructure in Michigan that serves as a health data aggregator and is enabled to collect, normalize, and share disparate health data content from a diverse set of health data sources.” The bill further defines a health data utility as “a system operated by the health information exchange” that retains and distributes sensitive health data.
This legislation demonstrates Michigan’s official stance on robust cybersecurity hygiene, confirming that HITRUST certification is a regulatory expectation for entities that handle protected and sensitive data.
State Requirements: Wisconsin
Source of Requirement
Wisconsin has taken a comparable stance to Michigan with the 2024 State of Wisconsin Group Health Insurance Program Agreement issued by the Wisconsin Department of Employee Trust Funds (ETF). The Agreement requires contractors serving the Group Health Insurance Program to comply with its cybersecurity standards, which now reference HITRUST certification as a means of satisfying the Agreement’s Information Systems Security Audit standards for contractors.
Who Does It Apply To?
This impacts contractors and providers participating in the State of Wisconsin’s Group Health Insurance Program that manage eligibility, claims, and member data for state and local government health plans. Compliance may be enforced through contract terms linked to requirements under Wisconsin Statutes Chapter 40. The scope includes third-party administrators, healthcare payers, and relevant service providers handling sensitive health data. Wisconsin entities exploring a HITRUST certification in response to this requirement should review the latest contract amendment, program agreement, or Department notice published by the Wisconsin ETF, and reference the Chapter 40 administrative rules for updates.
State Guidance: Nevada
Source of Requirement
Senate Bill 370 (SB 370), signed in June 2023 (effective March 2024), heightens consumer health data privacy requirements in Nevada. SB 370 restricts disclosure, use, and processing of consumer health data by regulated entities, with strong requirements for security controls and privacy protections. While SB 370 itself does not specify HITRUST, organizations looking to comply with its provisions often seek HITRUST CSF certification because of HITRUST’s comprehensive mapping to state and federal health data regulations.
Other Nevada statutes, such as the Nevada Revised Statutes (NRS) on data privacy, include encryption and security requirements for personal information. These requirements align with controls contained in HITRUST CSF, further incentivizing organizations to pursue HITRUST certification for their cybersecurity and compliance programs.
Who Does It Apply To?
Nevada regulatory language points directly to entities that oversee consumer health data. These can include, but are not limited to, service organizations like hospitals and health care facilities, managed care organizations, providers submitting data to Medicaid, childcare facilities, and other entities exchanging or managing electronic health records. Nevada does not currently mandate HITRUST certification statewide for all entities, but recent laws, official recommendations, and best practices set a clear expectation for HITRUST compliance in organizations that handle consumer health data and PHI.
Conclusion
For organizations in Michigan, Wisconsin, and sectors touched by Nevada’s health IT regulations, HITRUST certification has been elevated to an industry standard. In a strategic response to escalating state-level cybersecurity mandates and third-party risk expectations, more in-depth means of attestation will be required. As more states sharpen their regulatory frameworks and align public policy with leading standards, HITRUST becomes essential for compliance, trust, and business growth in highly regulated industries.
McKonly & Asbury is a certified HITRUST external assessor. For more information on how a HITRUST assessment and certification can help your organization, visit our HITRUST and SOC services pages, and please contact Dave Hammarberg, CPA, CISSP, CFE, MCSE, CISA, CCSFP, CHQP, CCP, CCA with any questions.
About the Authors

Brian joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the SOC & Internal Audit Segment, auditing Service Organization clients in completion of SOC reports.

Josh joined McKonly & Asbury in 2006 and is currently a Director with the firm. He is a key member of the firm’s Audit & Assurance Segment, primarily working with clients in the firm’s Service Organization Controls (SOC) Practice.