January 17, 2024

Questions Every Startup Should Answer Before Starting HITRUST

While HITRUST has value and ROI because it builds trust in the market, it is not for everybody and should not be pursued unless there is good reason. Before venturing down the HITRUST path, there are key questions your startup should be answering.
Written by:
Travis Good

The bullets below summarize the key takeaways for startups considering HITRUST.

  • HITRUST is not for the faint of heart.
  • It's important to have a clear understanding of the HITRUST framework and its requirements.
  • Startups should create a roadmap outlining the steps necessary to achieve HITRUST certification.
  • Startups should be thoughtful before they start down the HITRUST path and ensure it is worth the effort, time, and money.
  • It's important for startups to allocate sufficient time and resources towards achieving HITRUST certification.

HITRUST is a meta-compliance framework that grew out of the need of large enterprises, especially health insurance companies, to have a standardized certification for the handling of sensitive data. Anchored on NIST, HITRUST has built in mappings to many reporting frameworks and data regulations such as HIPAA, SOC 2, GDPR, and more.

HITRUST is not for the faint of heart. It is an opinionated, prescriptive framework that, in our experience, requires more work than other certifications such as SOC 2 and ISO 27001. HITRUST requires more resources to meet its requirements as well as to go through the actual audit (Validation and Certification) process. Many startups underestimate the resources required to get through HITRUST.

While HITRUST has value and ROI because it builds trust in the market, it is not for everybody and should not be pursued unless there is good reason. Before venturing down the HITRUST path, there are key questions your startup should be answering. If we were your vCISO and you asked us about HITRUST, these are questions we would want to answer before making a determination on IF HITRUST is a good fit and WHEN to actually pursue a HITRUST assessment.

What is HITRUST?

HITRUST is a comprehensive and standardized framework that helps organizations comply with various regulations, standards, and frameworks related to data privacy and security. It was created in response to the complex regulatory landscape faced by large enterprises, particularly those in the healthcare industry.

The HITRUST framework incorporates a range of requirements from other frameworks like HIPAA, SOC 2, GDPR, PCI DSS, and more. This means that organizations can use HITRUST to demonstrate compliance with multiple regulations at once.

One of the unique features of HITRUST is its risk-based approach to compliance. Rather than providing a one-size-fits-all checklist of controls, HITRUST requires organizations to assess their own risks and implement controls accordingly. This makes it a flexible framework that can be tailored to the specific needs of each organization.

HITRUST is an important certification for any organization handling sensitive data. It provides assurance to stakeholders that an organization has taken appropriate measures to protect their data and comply with relevant regulations.

The Process of Becoming HITRUST Certified

The process of becoming HITRUST certified is a rigorous one that involves several steps. Here's an overview of what to expect:

Step 1: Readiness Assessment

Before beginning the certification process, organizations are encouraged to conduct a readiness assessment. This involves evaluating your organization's current security and privacy posture against the HITRUST requirements. The readiness assessment can help identify any gaps or weaknesses that need to be addressed before proceeding with the certification.

Step 2: Remediation

Once you have identified any gaps in your security and privacy controls, you will need to remediate them. This may involve implementing new controls, updating existing policies and procedures, or making changes to your systems or infrastructure.

Step 3: Self-Assessment

After completing remediation, you will need to perform a self-assessment using the HITRUST CSF Assurance Program Workbook. This workbook is designed to help you assess your compliance with the HITRUST requirements and identify any remaining gaps.

Step 4: External Assessment

Once you have completed the self-assessment, it's time for an external assessment by a HITRUST-approved assessor. The assessor will evaluate your organization's compliance with the HITRUST requirements and provide a report on their findings.

Step 5: Corrective Action Plan

If any issues are identified during the external assessment, you will need to develop and implement a corrective action plan. This plan should address any deficiencies found during the assessment and outline how they will be remediated.

Step 6: Validation

After completing all required corrective actions, you will undergo a validation assessment by the same assessor who performed the initial external assessment. The validation assessment ensures that all identified issues have been resolved and that your organization is fully compliant with the HITRUST requirements.

Step 7: Certification

Finally, if your organization passes the validation assessment, you will be awarded HITRUST certification. This certification demonstrates to stakeholders that your organization has implemented appropriate security and privacy controls and is compliant with relevant regulations and standards.

HITRUST Certification Options

HITRUST offers a variety of certification programs for organizations of all sizes and types. While beyond the scope of this post, some of the certifications available include:

  • HITRUST CSF Validated Assessment + Certification (i1 and r2): This is the flagship certification program that covers a wide range of security and privacy controls. It is designed for healthcare organizations, but can be used by any organization that handles sensitive data. There are a few tiers of this option.
  • HITRUST CSF Validated Assessment Only (e1): This option allows organizations to undergo a HITRUST assessment without pursuing full certification. It can be useful for organizations that want to assess their compliance with HITRUST requirements before committing to full certification.
  • HITRUST CSF Bridge Certification: This program is designed for organizations that have already achieved certification under other frameworks like ISO 27001 or SOC 2. It allows these organizations to map their existing controls to the HITRUST CSF and achieve HITRUST certification more quickly.

Questions You Should Ask and Answer Before doing HITRUST

Before embarking on the HITRUST certification journey, it is important to ask some key questions to determine if your startup is ready. The answers to these questions can help you make a smart decision about whether or not HITRUST is a good fit for your startup and when you should pursue the certification.

By answering the questions below honestly and thoroughly, you can make an informed decision about whether or not pursuing HITRUST is right for your startup right now.

What type of HITRUST assessment do you plan to do?

If you can't answer this, it's a red flag that you don't know enough about HITRUST to have made an informed decision about doing it or not. If you are just starting out with HITRUST but want to do the Implemented or Risk-based HITRUST Certification, this is also a red flag because it is a heavy lift to start with.

For companies new to HITRUST, especially startups, we recommend starting with HITRUST Essentials, which is a trimmed down HITRUST assessment with only 44 HITRUST controls to which you need to comply. Once this has been completed, startups can roll that work into a more involved HITRUST assessment like Implemented or Risk-based.

Why do you think you should do HITRUST?

What's driving your decision to pursue HITRUST? Did a board member or mentor tell you that you should consider HITRUST? Did you see a competitor get it? Did you see an ad on LinkedIn about it? Or do you have a backlog of customers that want you to have a HITRUST Certification before they'll work with you?

As we wrote above, HITRUST is not for every company and not for most startups. It's a multi-year commitment to achieve it for the first time. And, once you have HITRUST Certification, it's hard not to keep pursuing it, because it looks bad to the market and your customers to have it and then "lose" it.

For a startup, the only compelling reason to pursue HITRUST Certification is if it will unblock significant revenue for your business. This means real dollars, not theoretical target customers or unlikely-to-close pipeline deals. HITRUST is going to cost you time and money, a good chunk of it, so only do it if it is going to generate a return. It's usually cheaper and faster to do SOC 2 or ISO 27001, and sometimes those should be done first to see if they unblock revenue before doing HITRUST.

How would you rate your security and privacy program?

If you have a hard time answering this question, you probably should not go down the HITRUST path. If you know there are gaps in your security program or feel like your program is not mature, you should not do HITRUST. If you answered less than 8 out of 10, you should probably not bother with HITRUST right now.

When thinking about the maturity of your security and compliance program, there are multiple areas to consider.

  • Is your security and compliance program consolidated? Is it easy to find the evidence you need?
  • Do you have automation as a part of your security procedures and workflows?
  • Is your security and compliance program efficient? Are you constantly spinning your wheels on security and compliance workflows?

Who are your Customers?

Certain market segments are more aware of HITRUST Certification and place more value on it. We have found that HITRUST is not worth the investment if you need to educate your market and customers about what HITRUST is and why they should value it.

While there are companies in pretty much every market that know and use HITRUST, we find that HITRUST is most valuable for startups in healthcare, specifically startups that work with large enterprises, especially health insurance companies.

Do you have dedicated resources for security and compliance?

HITRUST is hard. You need people to manage the process end-to-end. This means project management resources as well as a lot of engineering resources for evidence collection. Platforms like Vanta or Drata (see below) can help with this up-front work. And HITRUST requires more resources than other audits, so just because you got through SOC 2 does not mean you have the people you need for HITRUST.

HITRUST is also not a one-and-done thing. One value companies get from doing HITRUST is a level of security rigor that other frameworks do not require. This is a positive thing if you have the resources to do the work (be more rigorous with security and reporting).

Are you using a modern compliance platform?

At Workstreet, we are fans of compliance platforms. Vanta and Drata consolidate security and compliance while automating security and compliance workflows. Using Vanta or Drata is the equivalent of using software, which is repeatable and has clear rules for how to do its job, to run your compliance program. Better yet, it gives you real-time objective measures, in the form of gap assessments, into the maturity of your security and compliance program.

Doing HITRUST on a compliance platform means creating a custom framework, which a vCISO like Workstreet can help you do, and then mapping evidence to HITRUST controls. Using Vanta or Drata for HITRUST will save you time and money. It will also help tell you if you are ready for HITRUST.

HITRUST isn't a software company, and using the HITRUST CSF has a steep learning curve. Vanta and Drata are software companies that make it easier for you to build and run your own security and compliance program. You don't want to run your compliance program on the HITRUST CSF; trust us, we've tried.

What is your timeline for HITRUST?

We typically tell startups to budget 18-24 months to complete a HITRUST assessment. This can be accelerated. Some startups with mature compliance programs, dedicated compliance resources, and compliance platforms like Vanta or Drata can get it done in 12 months. But this is the exception, not the rule.

Plan for 24 months and be pleasantly surprised if you beat that timeline.

Where did you get your security policies and procedures?

Many startups today use templates for policies and procedures. There are lots of good options. At Workstreet, we wrote and open sourced some of the first available policies and procedures way back in 2015. Today, a compliance platform like Vanta or Drata has you covered with complete libraries of security policies and procedures.

While these are a great starting point, HITRUST controls usually mandate customization and extension of template policies and procedures. This is not hard, but is more work. And you need to follow what you put in your policies and procedures.

Is this your first security audit?

We discourage companies from doing HITRUST if they have not done an external audit of any kind. If the startup is in healthcare, which is the most common vertical we see doing HITRUST, we encourage companies to do a full HIPAA audit first. HIPAA is easy compared to HITRUST but it ensures you

One of the benefits of platforms like Vanta or Drata is the ease of expanding compliance coverage to new frameworks like HITRUST. When it comes to HITRUST, start with an audit on a compliance platform for something else and then grow into HITRUST using a custom framework on Vanta or Drata.

How Startups Should Start with HITRUST

The first thing we do with startups that want to do HITRUST is build a timeline for HITRUST and incorporate it into the company's security and compliance roadmap. As we wrote above, this usually takes 18-24 months and often HITRUST is not the only audit or compliance framework the company is working on.

If you are new to HITRUST, you will spin your wheels coming up to speed on it. There is an entire language of HITRUST. Find somebody that knows HITRUST first-hand to lead from your side. If you want help, Workstreet has extensive experience with HITRUST for modern startups. We can guide you through the entire process efficiently.