Zero to HITRUST (e1) Certified in 100 Days

Fast track to HITRUST e1 certification

Any time we make “first contact” with someone who needs a HITRUST assessment, there are always three overarching questions: “What is this going to cost?”, “How hard is this going to be?”, and the question I will be covering in this article – “How long is this going to take?”

In the past, before the advent of the HITRUST e1 certification, the answer was “12 months best case, 18 months typically.” Since the e1 assessment became available in early 2023 and we’ve done a pile of them, our new answer is “Best case, we can do it in 100 days.”

No, not every organization can do that, but for the right organization in the right situation, it can be done. We can say that because we and our clients have done it. Start-to-finish, zero-to-e1-certified in 100 days. Clients that have needed the certification to finalize a contract, retain a customer, or were pursuing a funding round have been able to meet their deadlines.

How Does the HITRUST e1 Assessment Make this Possible?

HITRUST’s stated goal for the e1 was to create an entry-level validated assessment ideal for startups and companies with low-risk profiles or less complexity. They made some key changes from their more robust i1 and r2 certifications.

The HITRUST e1 Utilizes a Smaller Control Set

The HITRUST e1 certification has 44 controls. Reviewing, gathering data, and assessing them does not take the time commitment of the more involved HITRUST assessments, which can run from over a hundred controls to nearly 1000.

The Primarily “Implementation” Nature of Those Controls

The majority of the HITRUST e1 controls are implementation-based in nature; that is, they assess whether the entity is actually doing the security work, such as the following measures.

  • Endpoint controls
  • Change management
  • Pre-hire screening
  • System and application logs

This limits reliance on policy and procedure (limits, not removes; they are still assessed in a limited capacity). In most cases, an organization that has adopted a security-first mindset will already have many of the requirements in place.

[Image: The process for HITRUST e1 certification]

What an External Assessor Can Do to Make This Possible

It’s not a fast assessment; it’s an efficient assessment. And an efficient assessment can happen pretty quickly when all the right pieces are in place.

Experience, Tools, & Process

We have done a lot of e1 assessments since they became an option in early 2023. We have the tools, processes, and experience to guide an organization efficiently and quickly through the HITRUST certification process. The tooling supports both synchronous and asynchronous collaboration, and we focus on limiting meeting time so that an organization can continue its normal work and provide evidence and feedback when time allows, even in smaller organizations where the security and technical teams are already spread thin.

Responsiveness

Our assessors are responsive. Questions that “wait for a meeting” or calls that go unanswered are delays, and we don’t like delays. We work to limit delays as much as we can.

Can An e1 Always Be Done in 100 Days?

No. Absolutely not. Some assessments are going to take longer, largely depending on the complexity of the environment, the ability to inherit controls, the existing security posture, and the client’s responsiveness. 100 days is the best case, but it’s an exciting possibility for an organization that has a contractual or business need to be certified in a hurry. If it takes longer, we’re with you for that too, and that’s okay.

[Image: HITRUST e1 timeline]

What Does the HITRUST e1 Timeline Look Like in a Best Case?

You can’t speed up an assessment by skipping steps, so let’s look at the timeline that includes all the pieces that must be done.

Pre-Assessment: Before Day 0

These are the things that need to be done before we kick off the engagement.

  • Establish your relationship with HITRUST – This relationship exists outside of your relationship with your external HITRUST assessor and we can’t do much about HITRUST’s timelines.
  • Contracts – Your assessor cannot start work without the proper paperwork, and this can take some time.
  • Internal Support – Identify and prepare internal stakeholders.

Readiness: Days 1-21

We can typically launch a readiness exercise within a week or two and can review evidence as it comes in. Aggressive communication takes place during this phase, allowing identified deficiencies to be addressed quickly. Readiness is essential for a first-time HITRUST assessment because certain deficiencies can preclude certification.

Assessment: Days 22-90

Assuming only a few minor deficiencies are identified, the formal assessment can begin quite soon after the HITRUST readiness assessment. More robust and thorough evidence is likely to be collected in a more formal manner than during the readiness assessment, but it covers the same material. Your assessor will work with you on the HITRUST pieces, too; this involves securing a QA reservation, required documentation, etc. Once evidence is gathered and reviewed, interviews are conducted, assertions are obtained, and so on, the entire assessment can be submitted to HITRUST.

HITRUST Tasks: Days 90-100?

Obviously, an external assessor can’t commit to timelines with regard to HITRUST. Once HITRUST receives the assessment, they will validate it, run it through QA, work with the assessors on any items that may need to be adjusted, and then generate draft reports. 10 days is the best case, and we’ve seen it happen. We’ve also seen it take longer. When HITRUST is satisfied that everything looks good, and the client has approved the draft, HITRUST will issue the final certification.

[Image: Potential issues for HITRUST e1 certification]

Does the e1 Usually Work This Way? What if it Takes Longer?

Honestly, no, this is a rare timeline. 100 days is the best case and requires a lot of things to work perfectly. Odds are it will take longer, and that’s okay. They don’t usually take MUCH longer, but it’s not a problem if they do. Doing an assessment RIGHT is more important than doing it QUICKLY. That said, some things will usually cause a delay.

Significant Deficiencies in Operating Controls

HITRUST requires assessors to validate that technical controls have been in place and functioning for 90 days. If the readiness assessment identifies non-existent or non-functional controls, then even if they are implemented immediately, submission cannot happen until they have been in place for 90 days. Major deficiencies such as not logging or not retaining logs, employees who can’t show evidence of proper training, or inaccuracies in change control will need a 90-day record of being done correctly to meet HITRUST requirements.

Significant Deficiencies in Policy and Procedure

HITRUST requires policies and procedures to have been in place for 60 days. As with technical controls, though less often, this can delay submission. Missing risk assessments, non-existent policies, and incomplete procedures will need to be addressed and be in place for those 60 days.

Delays in Evidence, Interviews, or Key Personnel

Any delay in providing evidence or access to personnel or information will have an impact on the end date. Simply put, an assessor can’t assess what they can’t see. Delays in providing evidence, inability to interview key resources, or, where relevant, inability to access facilities can all push the timeline out.

HITRUST Delays

Like everyone else’s, HITRUST’s workload fluctuates, and while they are as eager to have you certified as you are to be certified, the HITRUST side of the process can take longer than anticipated.

If Your HITRUST e1 Does Take Longer…

Again, that’s okay with us. You’ll still be certified; there’s no prize for being done early. Your assessor can work with you on schedules; your business needs and contractual obligations will drive the timeline, not us. We’re with you for the journey.

So, How Long DOES it Take to Complete a HITRUST e1 Assessment?

“At least 100 days.” If all the pieces work right, it can be done in a little over 3 months. Honestly, 4-6 months is a more reasonable timeline, but for a certified HITRUST engagement, that’s not too bad. A focused and efficient internal team, a qualified external assessor, and some diligent attention can make the HITRUST e1 a much quicker process than many people think.

Please contact us with any HITRUST-related questions. Our team of audit professionals will be happy to consult with your organization on a HITRUST assessment.
