HITRUST Services: Not just a health industry requirement

Meet your compliance obligations with one assessment

In the ever-changing world of information security, compliance with regulatory and contractual obligations has become an onerous and monotonous task. Whether you are looking to obtain an industry-recognized security certification or to establish alignment and governance over your information security program, the HITRUST CSF may be an option worth considering.

Born out of the regulatory imperative to secure Protected Health Information (PHI), the HITRUST CSF offers a certifiable framework covering many different security- and privacy-related imperatives. We observe many organizations in the marketplace adopting and/or leveraging the CSF to govern their information security programs, regardless of whether their primary business involves PHI.

At PwC we have taken an innovative approach to working with the HITRUST Alliance and the HITRUST CSF.  We combine the diverse skillsets of our people to bring technical security experts, controls and process professionals, and governance experts into one team to enable a truly sustainable security governance model.

HITRUST certification is an industry-recognized credential that helps to differentiate you in the marketplace.

PwC: Your Certified HITRUST assessor

Regardless of whether your organization’s goal is to achieve HITRUST certification or use the CSF as a governance framework, PwC’s security, controls and governance professionals will help you evaluate the best solution for your organization. PwC can assist you with the adoption of the HITRUST CSF as the foundation of your security and privacy compliance program.

As a Certified HITRUST assessor, PwC is authorized by the HITRUST Alliance to perform readiness, remediation, and certification assessment work using the HITRUST CSF. Additionally, we are on the AICPA task force responsible for mapping the HITRUST CSF into the SOC 2 framework to enable SOC 2+HITRUST reporting.

HITRUST: Adoption Benefits

  • A competitive advantage. Many of the largest organizations involved in the processing and handling of PHI have announced that they will require all of their business associates to adopt the HITRUST CSF and become HITRUST certified. Companies that go into contract negotiations already certified will have a distinct advantage over those that don’t. Having a HITRUST certification allows organizations to market their strong security posture.
  • Risk management. HITRUST implementation facilitates internal and external measurement, and incorporates the necessary and relevant existing healthcare compliance requirements, increasing trust and transparency among business partners and consumers. Adopting the framework will also ensure a greater chance of success in passing regulatory audits from standard-setting bodies, such as the OCR.
  • Efficiency. HITRUST’s unified approach to compliance allows third-party service organizations to assess once, and report to many customers and other stakeholders, which may significantly reduce the number and breadth of site visits and questionnaires and vastly reduce the resources needed to provide assurance.
  • Security governance. HITRUST has mapped the CSF to over 18 different authoritative sources to make the CSF applicable to a wide variety of organizations that are subject to governance demands across industry. Whether you use the CSF for certification or for broad governance purposes, linkages to other frameworks have already been built in.
  • Third-party assurance. The HITRUST Alliance requires organizations to undergo an independent, third-party assessment and uses those results to issue certifications to vendors that implement the HITRUST CSF and adhere to its control requirements.
  • Benchmarking capability. The HITRUST standard reflects industry consensus and best practices on information security controls. The HITRUST standard security report helps companies see where they stand on risk and compliance issues versus the industry as a whole, and provides companies of all sizes with actionable implementation requirements.
  • Flexibility and Scalability. HITRUST has worked closely with the AICPA to add an optional SOC reporting mechanism that can serve as a complement to, or even as an alternate reporting mechanism to the HITRUST validated report.  The framework is also designed to allow for scalability so organizations of all types and sizes can adopt the controls at an applicable level.


Contact us

Todd Bialick

Digital Assurance and Transparency Leader, PwC US