Is HITRUST the Best Option for my Company?

Sitting down with a healthcare compliance expert at Lurie will help determine the best compliance strategy for meeting HITRUST compliance. While HITRUST is the “Gold Standard” for healthcare compliance it’s usually not the only or best way to achieve compliance.

What are the alternatives to HITRUST?

 Below is a list of options that we have negotiated for clients as an alternative to HITRUST. 

  • SOC 2 Plus HITRUST 
    • A normal SOC 2 audit with the 75 required HITRUST controls needed for certification.  Lurie is a certified HITRUST assessor.
    • Data – Business re-engineering
      • Review the data elements in scope that triggered the HITRUST requirement and remove the triggering factors that require HITRUST. This is done on a case-by-case basis.  
      • SOC 2 
        • A SOC 2 has been used by healthcare companies to demonstrate healthcare compliance to its customers. 

        What are some of the factors (pro or con) that companies should consider when selecting a compliance framework?

        Most frameworks are designed for specific industries. HITRUST was designed to include HIPAA compliance as an option and is the most designed for healthcare. Other frameworks and standards used are ISO 27001, NIST, SOC 2.

        Can you provide a brief example of hypothetical companies and why they may choose one or the other compliance option?
        • A national Healthcare organization accepted a SOC 2 Plus HITRUST. This was deemed to be acceptable to their client’s requirements.   
        • Another small startup company that could not afford the cost of HITRUST compliance, Lurie negotiated with the client auditors and was able to remove and de-identify the PHI data elements to the point where the client could remove the requirement for HITRUST compliance. 

        Meet Your HITRUST CSF Certification Team

        Kate M. Siegrist, CPA, CISA, CRISC, HITRUST CCSFP

        Partner, Technology Consulting

        Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.

        James R. Redman, CPA, CISA, CISSP, HITRUST, CCSFP

        Partner, Technology Consulting

        James is a Cybersecurity and IT compliance professional with over 12 years of security consulting experience in addition to other professional experience. He leads readiness consulting and assessments related to a variety of IT compliance standards including but not limited to NIST, SOC 1/2/3, HITRUST, PCI, HIPAA and Sarbanes-Oxley.

        Let's start a conversation.


        This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.

        We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.

        Share Post: