HITRUST was initially formed in 2007 to champion programs that safeguard protected health information (PHI) and manage information risk for healthcare providers and their third-party service organizations. HITRUST certification has now expanded to other industries that need to provide assurances that sensitive data is protected. HITRUST has continuously developed a certifiable framework that is referred to as the HITRUST CSF®. The CSF is mapped to 60+ authoritative sources, including globally-developed regulatory and industry standards (e.g., HIPAA, ISO/IEC 27001:2022, NIST, PCI DSS, CMMC, etc.). HITRUST Certification is now widely adopted in the U.S. healthcare industry and beyond. Through a formal certification process that sets it apart from other frameworks, HITRUST certification validates that an organization is meeting or exceeding industry-defined and accepted information security requirements.
Linford & Company provides HITRUST CSF Framework assessments that are designed to demonstrate that an organization is taking the most proactive approach to data protection and information risk mitigation.
There are several forms of HITRUST assessment and certification:
With the surge in adoption of AI solutions in the industry, HITRUST has recently launched the AI Risk Management Assessment, which gives clear insights using 51 practical AI risk controls. Aligned with ISO 23894 and the NIST AI RMF, it offers one streamlined set of controls that helps organizations measure and report their performance using ISO and NIST standards.
In addition, the AI Security Assessment and Certification helps AI platform and service providers confidently adopt and secure AI technologies by offering clear, practical security controls and methods.
Additional information about the different forms of HITRUST assessments can be found here.
To begin the assessment process, our auditors assist the client with identifying areas of weakness and then support the client to remediate any identified gaps in order to move the client’s environment to an ideal state of operation. After this first phase is complete, the actual assessment takes place. This phase lasts approximately 60 days for an r2 assessment and approximately 30 days for an e1 or i1 assessment. During the final phase, our auditors submit the findings to HITRUST and assist the client with any questions HITRUST might have.
At Linford & Company, our goal is to help each HITRUST candidate receive their certification. The HITRUST certifications are valid for one year (e1 or i1 certification) or two years (r2 certification). Our auditors are available to assist the client with interim assessments and full assessments moving forward to maintain HITRUST certification.
An e1 or i1 assessment costs anywhere from $20k – $100k, annually; an r2 assessment costs anywhere from $75k – $250k, annually. These fees depend on a variety of factors. Additionally, if an organization decides to undergo a formal HITRUST assessment, it must pay one-time fees associated with certification as well as subscription fees to access MyCSF, a HITRUST-provided tool. We prioritize providing an accurate, specific, and reliable quote before beginning the audit engagement, thereby greatly reducing the risk of increasing fees later on.
A HITRUST certification is designed for use by organizations that create, access, store, or share sensitive data. Due to the complexity of the assessment and the amount of dedicated time needed, a HITRUST certification is generally pursued by mature organizations. We highly recommend starting with a SOC 2 audit prior to considering a HITRUST assessment.
A HITRUST CSF assessment requires extensive involvement from the organization. Organizations can expect to dedicate approximately 80-750 hours towards the assessment, depending on the scope and assessment type. It is not uncommon for this process to take a year or more to gain certification for an r2 assessment, while e1 and i1 can be considerably shorter.
Once we have completed the assessment, our auditors deliver their findings to HITRUST via the MyCSF tool for validation and certification. If HITRUST certifies the assessment, they provide a letter to the organization stating that the organization’s implemented system is certified for a period of one (e1/i1) or two (r2) years.
Our highly experienced auditors simplify complex HITRUST compliance requirements while delivering professional HITRUST audits in an efficient manner.
To maintain our authorization as an external assessor organization, we maintain a pool of experienced and qualified assessors who are vetted by HITRUST. Our HITRUST assessors complete annual training activities and hold industry certifications including the CCSFP, CHQP, CISA, CISSP, GSNA, and others.
The HITRUST certification process is considerable and can be quite daunting. At Linford & Company, our qualified auditors walk clients through the assessment process and are dedicated to a complete and thorough assessment.
We take pride in providing a high level of Partner involvement with each audit examination in an effort to further solidify our commitment to quality and efficiency.
Fill out the form and we’ll put you in touch with one of our experienced auditors. Your contact information stays with us and is only used to talk with you about your HITRUST assessment—we do not sell or share your contact information with anyone.