Skip to content

How Long Does It Take To Obtain HITRUST Certification?

Oct 13, 2022

HITRUST is a complicated framework to implement with many business impacts to consider. HITRUST requires allocating staffing, publishing detailed policies and procedures, and potentially changing logical configurations in your IT environment. Our team will guide you through this process at every stop.

We can conduct the validated assessment, but to get HITRUST certified it requires submitting the final report through the HITRUST quality assurance process.  Once the report passes the QA process then HITRUST will issue a letter of certification.

How long does it take to remediate gaps in order to achieve HITRUST Certification?

Following a readiness assessment, most companies spend 3 – 6 months to remediate gaps.  If your company is already subject to other forms of compliance and you are confident remediation/changes will be minimal, that time window can be much smaller. However, setting proper expectations with external parties is a prudent move and will allow for adequate time to adopt new practices.

How long does a HITRUST Validated Assessment take?

The assessment period and interaction with HITRUST during reporting can take between 6 and 12 months to complete a Validated Assessment and achieve HITRUST certification.

What are the key factors that affect the length of HITRUST certification?

  1. Current security maturity of the information security program
  2. Size and complexity of the systems needing to be certified
  3. Resources that are available to implement the required HITRUST controls
  4. Tone at the top and motivation by management to implement changes

Is there anything the potential client can do to speed up or be prepared for the process?

Assign dedicated resources with the right expertise to the HITRUST project. HITRUST has a lot of specific requirements that are difficult to understand and translate into operational procedures. As with most projects, an hour of additional planning can prevent 10-20 hours of headache once procedures are operational.

HITRUST scope is defined by where the relevant data is stored and processed. Prior to initiating a HITRUST Assessment, consider reviewing the infrastructure and data environment to see where endpoints or data transmission can be reduced or eliminated. Many entities develop logically separate environments specific to HITRUST data. This approach limits the breadth of the assessment considerably.

Once certified, how long is HITRUST certification valid for?

HITRUST Certifications will last for 2 years, considering the following conditions:

  1. Progress is being made on any corrective action plans that were discovered during the assessment
  2. An Interim assessment is conducted one year after the initial assessment
  3. Only minimum changes occurred on the certified system

What's on Your Mind?

a woman in a suit

Kate M. Siegrist

Kate Siegrist is a Partner with over 20 years of combined experience advising CEOs, CISOs and CIOs. She helps her clients navigate highly regulated industries to ensure business opportunities are not missed due to compliance burden.

Start a conversation with Kate

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.