Is HITRUST Right For My Company?

HITRUST is a prescriptive framework designed for the Healthcare industry.  If you provide services or technology to insurance payers, healthcare providers, or other players in the healthcare market, HITRUST may be a requirement you’ll encounter during the contracting and proposal process.  

Why do companies typically need HITRUST?

Companies that handle HIPAA protected healthcare data are required to be compliant with the HIPAA Security Rule and oftentimes are required by their customers to be HITRUST certified. Some companies voluntarily undergo HITRUST as it is a competitive advantage in the marketplace.  When selecting vendors, organizations with HITRUST certification go to the top of the list as cybersecurity-conscious entities. 

Why is HITRUST a requirement for some companies?

Healthcare organizations look to HITRUST Certification to provide risk mitigation for thirdparty relationships. The base set of controls HITRUST requires to a long way towards achieving HIPAA and other regulatory compliance standards. In some cases, the requirement simply may be a pass down from other relationships the company has. 

If my company does not need HITRUST now, could we need it in the future?

Healthcare is the primary industry that requires HITRUST. HITRUST is often a contractual requirement to do business with built payers and providers. Usually, they give a timetable of 18 to 24 months to achieve certification. They may accept an alternative standard such as SOC 2 until HITRUST Certification can be achieved.

If your organization has sensitive health or personal data as part of its data processing services, we can discuss what is the best strategy to prepare for a HITRUST assessment Alternatively, if HITRUST is not the right answer, there may be other options. Lurie is an expert at designing customized compliance strategies designed to grow with organizations.  We can explain the various compliance solutions and help you to identify the one that best suits your customers’ demands. 

Meet Your HITRUST CSF Certification Team


Partner, Technology Consulting

Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.


Partner, Technology Consulting

James is a Cybersecurity and IT compliance professional with over 12 years of security consulting experience in addition to other professional experience. He leads readiness consulting and assessments related to a variety of IT compliance standards including but not limited to NIST, SOC 1/2/3, HITRUST, PCI, HIPAA and Sarbanes-Oxley.

Let's start a conversation.


This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.

We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.

Share Post: