HITRUST Assessment & Certification Services
As a HITRUST external assessor organization, we focus on reducing the complexity and uncertainty of HITRUST assessments while leveraging our customized approach to efficiently deliver quality assessments
"*" indicates required fields
What is a HITRUST assessment?
HITRUST was initially formed in 2007 to champion programs that safeguard protected health information (PHI) and manage information risk for healthcare providers and their third-party service organizations. HITRUST certification has now expanded to other industries that need to provide assurances that sensitive data is protected. HITRUST has continuously developed a certifiable framework that is referred to as the HITRUST CSF. The CSF is mapped to 40+ authoritative sources, including regulatory and industry standards (e.g., HIPAA, ISO 27001, NIST, PCI DSS, CMMC, etc.). HITRUST Certification is now widely adopted in the U.S. healthcare industry and beyond. Through a formal certification process that sets it apart from other frameworks, HITRUST certification validates that an organization is meeting or exceeding industry-defined and accepted information security requirements.
Linford & Company provides HITRUST CSF Framework assessments that are designed to demonstrate that an organization is taking the most proactive approach to data protection and information risk mitigation.
There are two forms of HITRUST certification: the Implemented, 1-Year (i1) Validated Assessment + Certification, and the Risk-based, 2-Year (r2) Validated Assessment + Certification. The HITRUST i1 provides a moderate level of assurance and includes controls selected to address emerging cyber threats active today; it will be updated regularly to address new threats in the future. The r2 assessment provides the highest level of assurance because of its detailed and comprehensive approach to risk-based controls. There is also a third assessment option, the bC, or Basic, Current-State Assessment; the HITRUST bC is a verified, automated self-assessment for organizations that need a lower level of assurance, and it offers better consistency, improved accuracy, and more flexibility than other types of self-assessments. Additional information about the different forms of HITRUST assessments can be found here.
What is the HITRUST assessment process?
To begin the assessment process, our auditors assist the client with identifying areas of weakness and then support the client to remediate any identified gaps in order to move the client’s environment to an ideal state of operation. After this first phase is complete, the actual assessment takes place. This phase lasts approximately 60 days for an r2 assessment and approximately 30 days for an i1 assessment. During the final phase, our auditors submit the findings to HITRUST and assist the client with any questions HITRUST might have.
At Linford and Company, our goal is to help each HITRUST candidate receive their certification. The HITRUST certifications are valid for one year (i1 certification) or two years (r2 certification). Our auditors are available to assist the client with interim assessments and full assessments moving forward to maintain HITRUST certification.
What is the cost of a HITRUST assessment?
An i1 assessment costs anywhere from $40k – $100k, annually; an r2 assessment costs anywhere from $75k – $250k, annually. The fee for a given audit depends on a variety of factors. Additionally, if an organization decides to undergo a formal HITRUST assessment, it must pay a one-time fee or an annual subscription to MyCSF, a HITRUST-provided tool. We prioritize providing an accurate, specific, and reliable quote before beginning the audit engagement, thereby greatly reducing the risk of increasing fees later on.
Who needs a HITRUST assessment?
A HITRUST certification is designed for use by organizations that create, access, store, or share sensitive data. Due to the complexity of the assessment and the amount of dedicated time needed, a HITRUST certification is generally pursued by mature organizations. We highly recommend starting with a SOC 2 audit prior to considering a HITRUST assessment. Linford & Company auditors can help determine the necessity of a HITRUST certification.
HITRUST Assessment Q&A
How much time will my organization need to dedicate to the assessment process?
A HITRUST CSF assessment requires extensive involvement from the organization. Organizations can expect to dedicate approximately 250-750 hours towards the assessment, depending on the scope. It is not uncommon for this process to take a year or more to gain certification.
What are the deliverables?
Once we have completed the assessment, our auditors deliver their findings to HITRUST via the MyCSF tool for validation and certification. If HITRUST certifies the assessment, they provide a letter to the organization stating that the organization’s implemented system is certified for a period of one (i1) or two (r2) years.
Big 4 IT Auditors
Our highly experienced auditors simplify complex HITRUST compliance requirements while delivering professional HITRUST audits in an efficient manner.
Why Choose Linford & Company LLP?
To maintain our authorization as an external assessor organization, we maintain a pool of experienced and qualified assessors who are vetted by HITRUST. Our HITRUST assessors complete annual training activities and hold industry certifications including the CCSFP, CHQP, CISA, CISSP, GSNA, and others.
The HITRUST certification process is considerable and can be quite daunting. At Linford & Company, our qualified auditors walk clients through the assessment process and are dedicated to a complete and thorough assessment.
We take pride in providing a high level of Partner involvement with each audit examination in an effort to further solidify our commitment to quality and efficiency.
Ready for a HITRUST Assessment?
Fill out the form and we’ll put you in touch with one of our experienced auditors. Your contact information stays with us and is only used to talk with you about your HITRUST assessment—we do not sell or share your contact information with anyone.
"*" indicates required fields