HITRUST has two types: self-assessment and validated assessment. Choosing what type of HITRUST assessment to do can be a daunting task, especially when an organization is doing this audit for the first time. HITRUST assessment options include:

SOC 2 Type II with HITRUST Mapping – A SOC 2 Type II with HITRUST CSF mapping is an assessment that came from a collaboration between the AICPA and HITRUST. This assessment culminates in a SOC 2 report that includes a table that maps the selected Trust Services Criteria to HITRUST controls.

SOC 2 Type II with HITRUST Criteria – A SOC 2 Type II audit can be performed using the HITRUST controls and criteria instead of the Trust Services Criteria. In this case, the organization still receives a SOC 2 report, not HITRUST certification.

SOC 2 Type II and HITRUST Certification – When a SOC 2 Type II report and HITRUST certification is required, organizations have the ability to combine these two audits into one effort. At the end of the audit process, the organization receives both a SOC 2 Type II audit report and HITRUST validated report.

HITRUST Self-Assessment – A HITRUST self-assessment is a great way to begin your HITRUST compliance. This option is your own evaluation and attestation of your organization’s compliance, completed in 90 days, and culminating in a report.

HITRUST Validated Assessment (Certification) – A HITRUST validated assessment is performed by an approved Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST self-assessment in which you answer questions and attest to your compliance, followed by an Assessor validating your controls against what you have said is in place, and HITRUST granting certification.

Pricing for HITRUST assessments depends on scoping factors, including the number of applicable HITRUST requirement statements, applicable regulatory factors, complexity and size of the physical and technical environment, previous HITRUST history, the assessment type, third parties, number of records held, and if the assessment is combined with any other audits. Pricing will also vary based on the assessment and report type you choose, inclusion of a gap analysis, or inclusion of additional remediation time.

The average HITRUST engagement can take anywhere from weeks to months, depending on your level of preparedness and staff’s availability for interviews and control demonstration. To satisfy the requirements for a HITRUST engagement, the auditor must validate scope, perform testing procedures, and document conclusions. These steps require time from the service organization’s management, which can be compressed or extended to meet your timeline needs. You can save time by leveraging the Online Audit Manager to maintain the audit evidence you need for compliance.

A HITRUST validated report is valid for two years, but what sets the HITRUST apart from other frameworks is that the audit process isn’t a one-time engagement. It’s a continuous work-in-progress to maintain compliance. Recognizing this, part of the HITRUST certification process includes an interim assessment, a review that takes place exactly a year after the initial HITRUST validated assessment takes place.