An all-in-one integrated framework covering compliance, trust, and cybersecurity

HITRUST CSF

HITRUST Alliance

The HITRUST Alliance (HITRUST) was formed by a consortium of healthcare organizations in 2007 to advocate programs that safeguard protected health information (PHI) and manage information risk for healthcare providers and their third-party service organizations.  The HITRUST Common Security Framework (CSF) is a certifiable framework that combines HIPAA, HITECH, PCI, COBIT, NIST, and FTC, among others.

HITRUST Framework & Compliance

In collaboration with information security leaders, HITRUST develops – and constantly updates – a single overarching security framework as a solution to compliance and risk management within healthcare and other industries.

HITRUST is an all-in-one integrated framework that covers compliance, trust, and cybersecurity. Developed in collaboration with information security professionals, the HITRUST CSF rationalizes relevant regulations and standards into a single security framework. Because the HITRUST CSF is both risk- and compliance-based, organizations can tailor the security control baselines based on a variety of factors, including organization type, size, systems, and regulatory HITRUST requirements.

HITRUST CSF can be used in the Healthcare, Finance, and Manufacturing industries and continues to expand into other industries. HITRUST CSF provides the needed structure, clarity, functionality, and cross-references to authoritative sources.

What is HITRUST CSF Certification?

Copeland Buhl’s HITRUST CSF assessors can assist your company with its HITRUST certification. HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

Organizations that create, access, store, or exchange sensitive information can use the HITRUST Common Security Framework (CSF) assessment as a roadmap to data security and compliance. The CSF is a certifiable standard and was designed as a risk-based approach to organizational security, as opposed to a compliance-based approach. The HITRUST CSF Assurance program combines aspects from common security frameworks like ISO, NIST, PCI, and HIPAA.

HITRUST Certification Process

Before starting the Certification process, we recommend the following assessments:

Self-Assessment – Perform a HITRUST CSF Self-Assessment only, with no intention of performing a CSF Validated Assessment or seeking CSF Certification.

Readiness Assessment – HITRUST strongly recommends organizations conduct readiness assessments against all 135 CSF controls, rather than only those controls needed for certification.  This will help ensure both the approved HITRUST CSF Assessor and the assessed organization are always aware of the status of the information protection program and can readily support a CSF controls assessment, regardless of type (e.g., a security assessment used for certification or a comprehensive security assessment used to generate a regulatory scorecard).

Once you are ready for HITRUST Certification you can then choose from the following reports:

HITRUST Validated Report / MyCSF Portal – This report comes out of the HITRUST MyCSF tool and is validated by HITRUST.

HITRUST Validated Report and Certification – Organizations can obtain a HITRUST CSF certification report through an assessment by Copeland Buhl assessors and issuance of the certification report by HITRUST.

Security by the HITRUST Alliance

When you need an all-in-one integrated framework to cover compliance, trust, and cybersecurity, choose HITRUST. Since 2007, healthcare providers and their respective third-party organizations have relied on the HITRUST Alliance to protect and manage health information. 

What makes HITRUST different from other security frameworks?

The HITRUST Alliance was formed by healthcare organizations for healthcare organizations. They understand the importance of safeguarding health information and managing the risk of storing it. 


The founders of HITRUST worked dutifully with some of the best information security professionals in the industry to develop the HITRUST CSF, which stands for Common Security Framework. This certifiable framework offers a combination of:

  • PCI
  • NIST
  • FTC

The HITRUST framework provides structure to businesses that need to cross-reference relevant regulations with authoritative sources. It also delivers clarity and functionality as you can modify each security control baseline based on your organization. The size, type, systems, and regulations of your organization are just a few of the factors that can influence this security framework.

Industries Using HITRUST CSF

Despite being created with the intent of protecting health information, the HITRUST framework isn’t limited to one industry. As it continues to evolve, the security framework has been used in:

  • Healthcare
  • Finance
  • Manufacturing
  • And More!

HITRUST Compliance

The healthcare industry often runs into situations where HITRUST compliance is a requirement. In fact, some organizations may decline to do business with you until you have the framework and certification.

What makes HITRUST compliance so important?

Unlike other security frameworks, HITRUST rationalizes all critical regulations and keeps them within one security framework. The framework bases its security functions on both risk and compliance. Therefore, you can be sure that it’s going above and beyond to safeguard your data. To achieve compliance with HITRUST, you must commit your efforts to meeting all of the certification requirements.

HITRUST Requirements

Using the HITRUST framework for your IT security is not a decision to be made lightly. There are several requirements you must meet to qualify for certification; the following are some examples:

  • Organization-Wide Commitment: Even beyond the work required by the IT security team, you must be dedicated to supporting the efforts. This may require changes and resources across your entire organization.
  • Clear Policies: Your policies need to be based on either NIST or ISO requirements. They must be clearly documented and communicated.
  • Detailed Procedures: You must support all of your policies with detailed procedures that state how and when each procedure is performed and who performs it.

What is HITRUST Certification?

When you choose to use HITRUST CSF as your security framework, you don’t have to go through the certification process alone. Copeland Buhl is here to guide you through every step of the way. We ensure that you meet all of the requirements to prove that you are one of the many HITRUST Certified companies.

What does that mean? What is HITRUST Certification?

It is proof that your organization complies with all of the HIPAA requirements of the standardized framework. This gives your clients confidence in the safety of their private information. Not to mention, it provides you with a roadmap to data security and compliance.

What is HITRUST Certification Like?

If you want to become one of the HITRUST Certified companies, then you should follow these simple steps:

    1. Take a Self-Assessment: If you want to gauge your level of preparedness, we suggest that you start with this step. It is a self-assessment, so you don’t have to approach it with any intent to perform a validated assessment or to obtain certification. You do it completely on your own as a valuable tool to evaluate your regulatory requirements and risk. 
    2. Complete a Readiness Assessment: We believe you should go beyond the bare minimum to make sure that your protection program is readily supported by the CSF. When you take the readiness assessment, it checks your readiness against all 135 HITRUST requirements and controls—not just those needed for certification.
    3. Choose Your Reports: To become one of the HITRUST certified companies, you need to choose between a validated report from HITRUST MyCSF or an assessment by Copeland Buhl. The HITRUST MyCSF report is validated directly by HITRUST.

Get a HITRUST Certification with Copeland Buhl’s Assistance

Whether you want to learn more about HITRUST requirements or the HITRUST MyCSF Portal, we are ready to provide you with more information. Copeland Buhl has several assessors prepared to help you achieve certification.

You can also reach out to our helpful representatives to learn more about how your Twin Cities organization can benefit from the HITRUST framework. Feel free to contact us by phone, or you can submit your contact information through our online form to request a consultation.