HITRUST Certification Stages and Timeline

Once you have determined that your company wants to obtain a certification through HITRUST, you may be asking what level of effort is needed and the time it takes to obtain certification. In this article, we will cover the various steps in the HITRUST journey from readiness assessment to actual evaluations and obtaining certification, focusing on the e1, i1, and r2 certifications.

myCSF

The first step in HITRUST is to obtain access to myCSF. The myCSF platform provides areas for scoping, evidence upload and requirements for obtaining HITRUST certification. There are subscription options depending on the company’s needs. Also, during this stage, the company should determine the date of the final report from HITRUST, purchase any report credits, and use any naming conventions when uploading support.

Readiness Assessment

After obtaining access to myCSF, the readiness assessment process can begin. During this stage, an initial scoping is performed to determine the systems in scope and the requirements depending on the form of certification level (e1, i1 or r2). After reviewing the requirements, various gaps may be identified which would need to be remediated before the actual assessment period. This process can take between 2-3 months (60-90 days) to ensure all requirements can be fulfilled during the assessment. A HITRUST approved external assessor can be consulted to assist in determining whether these requirements can be met during the actual assessment. A settling period of an additional 2-3 months (60-90 days) after remediation is mentioned to ensure all controls are operating before the beginning of the period.

Assessment

The next step is the actual assessment. This assessment is performed by a HITRUST approved external assessor and involves a window of 3 months (90 days) for testing. The assessor will conduct interviews, examine evidence uploaded into the myCSF platform, select samples, and identify any gaps or corrective measures. Onsite visits may be required to cover any physical control requirements in the assessment.

Quality Assurance Review

After the assessment period is completed, a quality assurance review is performed by the external assessor and by HITRUST. This process can take approximately 1-2 months (30-60 days). During this stage, the QA teams will provide any questions based on the assessor’s results and evidence in my CSF. After all QA questions and comments have been addressed, the company will receive a validated or certified report based on the scoring achieved in the assessment.

Assessments are good for one year for the e1 and i1 and two years for the r2, and based on the timeline above, certification can be obtained around a year after beginning the HITRUST journey. Other organizational factors can impact this timeline and may require additional time depending on the complexity of the organization and any obstacles that may arise.

McKonly & Asbury is a HITRUST-approved assessor and can perform HITRUST readiness assessments and externally validated assessments. For more information on these services and more, be sure to visit our HITRUST and SOC services pages on our website, and please contact Dave Hammarberg, CPA, CISSP, CFE, MCSE, CISA.

About the Author