How Long Does It Take To Obtain HITRUST Certification?

HITRUST is a complicated framework to implement with many business impacts to consider. HITRUST requires allocating staffing, publishing detailed policies and procedures, and potentially changing logical configurations in your IT environment.  Lurie LLP will guide you through this process at every stop.

Lurie can conduct the validated assessment, but to get HITRUST certified it requires submitting the final report through the HITRUST quality assurance process.  Once the report passes the QA process then HITRUST will issue a letter of certification. 

How long does it take to remediate gaps in order to achieve HITRUST Certification?

Following a readiness assessment, most companies spend 3 – 6 months to remediate gaps.  If your company is already subject to other forms of compliance and you are confident remediation/changes will be minimal, that time window can be much smaller. However, setting proper expectations with external parties is a prudent move and will allow for adequate time to adopt new practices.  

How long does a HITRUST Validated Assessment take?

The assessment period and interaction with HITRUST during reporting can take between 6 and 12 months to complete a Validated Assessment and achieve HITRUST certification.   

What are the key factors that affect the length of HITRUST certification?

  1. Current security maturity of the information security program 
  2. Size and complexity of the systems needing to be certified 
  3. Resources that are available to implement the required HITRUST controls 
  4. Tone at the top and motivation by management to implement changes 

      Is there anything the potential client can do to speed up or be prepared for the process?

      Assign dedicated resources with the right expertise to the HITRUST project. HITRUST has a lot of specific requirements that are difficult to understand and translate into operational procedures. As with most projects, an hour of additional planning can prevent 10-20 hours of headache once procedures are operational.

      HITRUST scope is defined by where the relevant data is stored and processed. Prior to initiating a HITRUST Assessment, consider reviewing the infrastructure and data environment to see where endpoints or data transmission can be reduced or eliminated. Many entities develop logically separate environments specific to HITRUST data. This approach limits the breadth of the assessment considerably.

          Once certified, how long is HITRUST certification valid for?

          HITRUST Certifications will last for 2 years, considering the following conditions: 

          1. Progress is being made on any corrective action plans that were discovered during the assessment 
          2. An Interim assessment is conducted one year after the initial assessment 
          3. Only minimum changes occurred on the certified system 

              Meet Your HITRUST CSF Certification Team

              Kate M. Siegrist, CPA, CISA, CRISC, HITRUST CCSFP

              Partner, Technology Consulting

              Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.

              James R. Redman, CPA, CISA, CISSP, HITRUST, CCSFP

              Partner, Technology Consulting

              James is a Cybersecurity and IT compliance professional with over 12 years of security consulting experience in addition to other professional experience. He leads readiness consulting and assessments related to a variety of IT compliance standards including but not limited to NIST, SOC 1/2/3, HITRUST, PCI, HIPAA and Sarbanes-Oxley.

              Let's start a conversation.


              This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.

              We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.

              Share Post: