How to Maintain HITRUST Certification
Key Takeaways
- Certification Is Ongoing, Not One-Time: Achieving HITRUST certification is a major accomplishment, but maintaining it requires continuous compliance, monitoring, and communication with HITRUST and assessors.
- Stay Ahead of Re-Certification Requirements: Each certification type (e1, i1, r2) has specific expiration timelines and re-certification paths – some with streamlined options, like rapid or bridge assessments.
- Implement Proactive Internal Practices: Sustaining certification depends on consistent change management, employee training, and internal assessments to catch issues early and ensure readiness for renewal.
After a company system receives HITRUST certification via a validated assessment, the next step is maintaining the certification. This is a crucial step that supports ongoing compliance of the certified system and sustains user confidence. The steps to maintaining HITRUST compliance are discussed in the following article.
As noted in the article “HITRUST Certification Stages and Timeline,” HITRUST certification can include several stages including readiness, assessment period and quality assurance. For e1, i1, or r2 validated assessments, certification is obtained if the scoring is within the acceptable range for the HITRUST assessment. Achieving certification is a notable accomplishment, but maintaining certification encompasses much more.
HITRUST Requirements
Maintaining certification requires open communication with HITRUST and the third-party assessor. Several items can affect a company’s current certification status:
1. Security Events and Issues
- Depending on the nature of a security event or breach, a company’s HITRUST certifications can be suspended or revoked. HITRUST will perform an investigation and determine whether the certification should be suspended or revoked.
2. Interim Assessment
- For an entity to maintain its r2 certification, an interim assessment must be completed and submitted to HITRUST in the 90-day window leading up to the one-year anniversary of the certification issuance date.
3. Lapse in Certification
- An e1 certification expires after one year; the organization must recertify at the e1 level or choose to transition to an i1 or r2.
- An i1 certification expires after one year.
- An r2 certification expires after two years.
Regarding re-certification, HITRUST provides several options for a streamlined re-certification. Depending on the timing of the next scheduled assessment, organizations have a couple of options to maintain certification:
- e1 Certification – Since there are only 44 requirement statements, a streamlined recertification process is not available.
- i1 Certification – HITRUST offers the HITRUST i1 rapid recertification to eligible organizations, which extends certification for one year. This rapid recertification scores a sample of 60 requirement statements, as opposed to the typical 182 requirement statements.
- r2 Certification – HITRUST also offers a HITRUST Bridge Assessment to eligible organizations, which extends certification status for an additional 90 days. The bridge assessment scores a sample of 19 requirement statements and can be useful if the certification would expire before re-certification is obtained.
Internal Assessment and Requirements
As part of the company’s continuing efforts to maintain HITRUST certification, the actions companies can take to maintain certification and ensure re-certification is achievable can be grouped into the following categories:
1. Continuous Monitoring & Documentation
- The HITRUST validated assessment is performed during a specified window in which evidence is tested by an external assessor. These certifications last one year for the e1 and i1, and two years for the r2. Maintaining the controls, processes, and documentation examined during the assessment is crucial to maintaining certification.
2. Change Management
- As with any system, changes may occur after the system has been certified. It is important to identify these changes and note whether they will impact any processes or procedures related to the HITRUST validated assessment.
- In certain cases, if a change is deemed significant to the HITRUST certified system, the organization may be required to engage the external assessor to re-test any impacted requirements, up to and including a new assessment, depending on the change.
3. Employee Training
- During the assessment, several employees may be pulled into the HITRUST certification process. It is important to educate employees that, although the assessment is a point-in-time evaluation and the certification is valid for a fixed period, the underlying process is continuous and should be considered in day-to-day operations.
4. Internal Assessment and Updates
- Certified organizations should perform internal assessments to determine whether the certified system remains in compliance. Identifying any gaps before the external assessment assists the organization in obtaining re-certification when the current certification expires.
HITRUST certification is a significant undertaking for many organizations. To build on the momentum achieved through certification and ensure a smoother recertification process, it is important not to let any of the processes and controls lapse.
McKonly & Asbury is a HITRUST-approved assessor and can perform HITRUST readiness assessments and externally validated assessments. For more information on these services and more, be sure to visit our HITRUST and SOC services pages, and please contact Dave Hammarberg, CPA, CISSP, CFE, MCSE, CISA.
About the Author
Chris joined McKonly & Asbury in 2019 and is currently a Senior Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology Consulting Practice, performing SOC 1, SOC 2, and SOC 3 engageme…