HITRUST Compliance

For any healthcare organization, protecting sensitive health information must be an absolute priority. But between ever-evolving security threats and increasingly complex government regulations, it’s difficult to stay on top of the necessary security measures to keep patients’ information safe while remaining compliant. HITRUST sets the standard for healthcare information security, so any entity that handles PHI or other sensitive data should be intimately familiar with it. KraftCPAs Nashville HITRUST Compliance Healthcare Team can help.


  • HITRUST is a private organization made up of providers (hospitals, physician practices, etc.) and payers (insurance companies) that created a certifiable framework for healthcare technology security: HITRUST CSF.
  • The HITRUST CSF is a detailed map of specific security measures to take in order to meet compliance requirements.
  • Its sophisticated, evolving set of control requirements protects against the various security, privacy and regulatory challenges facing healthcare entities in order to help them comply with healthcare (HIPAA, HITECH), government (NIST, FTC), and third-party (GDPR, PCI, COBIT) standards, regulations and business requirements.
  • It provides invaluable tools for governance and risk management.


  • Achieving HITRUST CSF Certification can make you a more attractive option for consumers because it displays a deep commitment to protecting patients’ sensitive data.
  • It safeguards against the government fines, criminal charges and reputational damages that can result from noncompliance.
  • Many of the large payers are requiring entities they contract with to become HITRUST-Certified.
  • If you implement the HITRUST CSF, you can leverage the testing results in your reporting for multiple compliance efforts.

Who Needs HITRUST?

  • Healthcare organizations that handle sensitive healthcare information (covered entities) looking to bolster security and improve risk management
  • The business associates of covered entities
    The HITECH ACT extended HIPAA requirements to organizations that conduct business with healthcare entities and handle sensitive health information. Health information exchanges, CPA firms and medical transcriptionists are a few examples.

Why Use KraftCPAs HITRUST Services?

KraftCPAs has earned the designation of HITRUST CSF Assessor. Our team of HITRUST-Certified CSF Practitioners (CCSFPs) has been extensively trained in HITRUST and the CSF requirements. To earn the certification, each professional was required to have two years of experience in both healthcare and information security prior to completing six to 10 hours of guided self-study and approximately 20 hours of face-to-face training in preparation for the two-hour exam.

They also participate in ongoing annual training and recertification every two years. Thus, we can efficiently and effectively perform services to address the multitude of security, privacy and regulatory challenges facing your organization.

KraftCPAs and affiliates work extensively with clients in the healthcare industry; healthcare is our largest industry concentration in terms of revenue and dedicated staff.

View our educational video:


HITRUST CSF Certification

The path to CSF certification is neither quick nor easy, but our CCSFPs are trained to help clients with every step along the way. The process to certification consists of three components:

Self-Assessment Consulting/Facilitation

After you purchase the HITRUST Self Assessment Report and/or a subscription to the CSF Tool, we can assist you in completing the information and questions in the Self Assessment. This process will allow us to identify your customized population of HITRUST requirements based on your individualized risk factors (e.g., volume, transactions, cloud services, etc.) and identify controls to meet those risk factors.

This process results in a report which can be provided to third parties to show that you’re committed to meeting the requirements of HITRUST. This report is not validated by HITRUST and does not result in certification, but it is a step in the right direction because it provides the starting point for us to test your HITRUST requirements, as explained in the next section.

Assessment for Validation/Certification

Once you’ve identified the HITRUST regulatory controls and implementation level, you will enter your controls for the related HITRUST requirements in the CSF tool. As your assessor, we will perform an independent assessment of those controls to determine compliance with HITRUST requirements. We will also submit the assessment to HITRUST on your behalf. HITRUST then reviews the assessment and determines if you’re in compliance with the HITRUST CSF. The process can result in:

HITRUST Validation (and CAP Report)
Once reviewed, you will receive a validated report. If some areas do not meet the compliance threshold, you will be required by HITRUST to prepare and submit a CAP (corrective action plan) report. We are able to assist with the remediation of the items noted in the CAP report.

HITRUST Certification (and CAP Report, if necessary)
If HITRUST deems that you are in compliance with the CSF requirements, you will receive a certification letter with your validated report. HITRUST certification is good for two years, as long as you complete an interim review and there’s no breach or drastic change in scope during that time. (Certified organizations can also be required to prepare and submit a CAP report.)

HITRUST Corrective Action Plan Reports

If the assessment results in low scores on particular areas of compliance, HITRUST requires that you prepare a Corrective Action Plan (CAP) report to address the control gaps. As the assessor, we will evaluate the effectiveness of the CAP and provide recommendations or feedback as needed. We will assist you with articulation and prioritization of your plan. If you achieve certification, we will continue to monitor your remediation progress in the interim review.

HITRUST RightStart Program™

Implementing a risk management and compliance program is challenging for start-up companies often due to costs and the strain on internal resources. Last year, HITRUST announced a program to help start-up companies begin using the HITRUST Common Security Framework so that they can build a solid foundation around privacy and security. The Program includes training and use of the MyCSF platform, making it easier and less costly to implement. We can help you determine if you qualify for the Program and we can assist you with the implementation.


As our HITRUST-Certified Practitioners are also CPAs, our team can satisfy both HITRUST and SOC 2 reporting needs for your organization. HITRUST and the American Institute of CPAs have collaborated to make HITRUST CSF and SOC 2 reporting complementary. The reports we are able to assist with include:

Readiness Review/Gap Analysis: We will review your current control environment in order to identify gaps between current controls and the minimum HITRUST requirements.

SOC 2 Only: A service auditor’s report detailing how an organization protects the security, availability and confidentiality of user data

SOC 2 + HITRUST CSF: A SOC 2 report that also expresses an opinion on whether your controls meet the HITRUST CSF requirements

SOC 2 + HITRUST CSF + CSF Certification: One combined report for organizations that have received a SOC 2 + HITRUST CSF report and also received the HITRUST CSF Certification

Search Site

Search Team

Search Articles