Video Blog

HITRUST + SOC 2 Video Series Part 1: What is the HITRUST certification process?

In this video, Chris Morrison, Manager of Security and IT at Springbuk, discusses the four steps in the HITRUST assessment process.

Q: What is the certification process? How long does it take, and how often is it done?
A: There are four steps in the validated assessment process: 

  • The first step is completing a readiness assessment (if you haven't been certified before or if there have been significant changes in the scope of the controls).
  • Second, you score your organization on the controls in the 19 different domain areas. Then you have to enter supporting evidence and narratives into the assessment tool.
  • From there, you have to evaluate your compliance with each of the controls against the maturity levels included in HITRUST, which are the process procedure, implementation, measurement, and management of those controls. Your HITRUST-approved external assessor then performs validation testing on all the scoring and evidence you put in the tool - if their assessment agrees with your self-assessment, then you move on. If they disagree with your ratings, they will send back controls for further consideration with comments or ask for scoring adjustments.
  • Lastly, your auditors submit the finalized assessment to HITRUST for review. And they perform several phases of reviews. Sometimes if there are any gaps, an organization may need to do some corrective action plans at that point. And then finally, after that comes the certification.