Top Three Factors to Consider for Implementing HITRUST CSF Certification

HITRUST® was founded more than a decade ago to help organizations safeguard sensitive information and to better manage risk associated with patient information. HITRUST developed a framework called the HITRUST CSF, which addresses security controls, privacy issues and regulatory concerns; incorporates federal and state regulations; and is scalable to meet the needs of entities across a number of industries.

When organizations are pursuing implementation of HITRUST’s principles and frameworks, they may encounter a number of challenges due to the scope of these projects, reporting considerations and lack of planning and education about the resources involved. DHG has helped many organizations with their HITRUST CSF Certification; throughout this process, we have observed three key focus areas to help foster a smooth and efficient HITRUST implementation.

1. Education on Framework, Tools and Requirements

As with many compliance frameworks, understanding the framework and its associated reporting mechanisms is imperative. HITRUST requires careful consideration and understanding before initiating implementation, validation and reporting. Education is a critical component of a HITRUST certification, and obtaining a thorough understanding of HITRUST’s MyCSF tool provides a foundation for success. The HITRUST MyCSF is the proprietary solution developed by HITRUST to document an organization’s compliance with the CSF. The HITRUST MyCSF allows for efficiencies in implementation and reporting, as well as management of the corrective action plan (CAP). The HITRUST MyCSF is also used by the CSF Assessor to validate requirements and submit the assessment for certification. When an organization is implementing HITRUST, a comprehensive understanding of the tool’s features gives stakeholders the opportunity to scope the assessment in the HITRUST MyCSF effectively.

After completing the scoping exercise, stakeholders should understand how to interpret the HITRUST requirements and analyze the illustrative procedures. Organizations selecting a HITRUST assessor should ensure that stakeholders are educated on how to respond to requirements and select the appropriate maturity levels. For a successful implementation, validation and ultimate certification, organizations may need to educate stakeholders on the HITRUST framework, the HITRUST MyCSF’s functionality and accurate documentation of the controls and maturity levels.

2. Effective Project Management

HITRUST implementations and certifications have a defined beginning and end. Establishing a comprehensive project plan facilitates a successful HITRUST journey. An implementation project plan should be divided into three critical phases: readiness, implementation and reporting. By dividing the project into manageable phases, stakeholders are able to address the task at hand while also maintaining daily operations. These touchpoints keep stakeholders on track toward their goals throughout the project, while giving a CSF assessor the opportunity to provide insights along the way. HITRUST implementation and certification can be a challenging project, but with a comprehensive project plan, organizations can efficiently and effectively meet their compliance objectives.

3. Timely and Well-Planned Reporting

Oftentimes, contractual obligations, senior management directives or other time-sensitive factors force organizations to expedite HITRUST reporting. Whether performing a HITRUST self-assessment or a HITRUST validated assessment, the reporting process can present challenges to organizations large and small. Educating stakeholders on the reporting process well in advance allows for expectations to be managed and a timeline to be maintained.

HITRUST introduces unique challenges in reporting compliance as three organizations are involved: the assessed organization, the assessor and HITRUST. Utilizing the project plan to establish milestones and meet deadlines helps reduce the likelihood of an unrealistic reporting timeline.

HITRUST is an established and scalable compliance framework and reporting tool. Unique challenges with HITRUST may require an experienced assessor to educate organizations on the keys to success and the functionality of the MyCSF tool. A comprehensive project plan establishes expectations from an organization’s stakeholders, assessor and, ultimately, HITRUST.

About DHG IT Advisory

DHG IT Advisory works with companies to manage technology risk while maintaining data integrity, protecting privacy and complying with regulations. From project management and regulatory compliance assistance to digital forensics and incident response, DHG is equipped to meet your IT advisory needs that drive your business. To learn more about DHG’s IT Advisory services, visit

About DHG Healthcare

DHG Healthcare, the national healthcare practice of DHG, is ranked by Modern Healthcare as the tenth largest privately held consulting practice in the nation. Spanning the broader healthcare ecosystem, our clients share the common challenge of successfully navigating the unparalleled amount of federal, state and market-driven reform underway in the U.S. Our services in the consulting, assurance and tax domains are purposefully designed to assist our clients in their journey to risk capability. Creating institutional value is a critical focus as our clients define their strategic approach, execute on transformational plans, and manage the financial health and sustainability of their organizations. Learn more about the services and people of DHG Healthcare at


Senior Manager, DHG IT Advisory

Ben Owings, CCSFP
Manager, DHG IT Advisory

© Dixon Hughes Goodman LLP. All rights reserved.
DHG is registered in the U.S. Patent and Trademark Office to Dixon Hughes Goodman LLP.