How to obtain—and maintain—your HITRUST certification

Start adding items to your reading lists:
Save this item to:
This item has been saved to your reading list.


Organizations seeking to align their controls to the HITRUST framework can spend significant amounts of time and resources making it happen. And no wonder, when the potential benefits of HITRUST alignment and certification can be significant. Obtaining an independent, third-party assessment over the maturity of information security controls to safeguard protected health information (PHI) builds customer trust. 

Once a vendor’s initial efforts toward certification are complete, however, it’s not uncommon for them to become complacent, neglecting to implement ongoing measures to continuously monitor their compliance status.

Organizations’ governance must undertake a dynamic reassessment to mitigate risk and monitor controls

HITRUST certification is not a one-shot deal. Companies must continually track updates to the HITRUST framework to keep risk and compliance issues in check and avoid incurring high costs. This publication serves as a guide to the best practices for pre- and post-certification monitoring: 

  • Work with the right assessor
  • Centralize the ownership of HITRUST 
  • Regularly refresh scope 
  • Monitor certification requirements on an interim basis 
  • Implement a process for control effectiveness maintenance

Contact us

Todd Bialick

Todd Bialick

Digital Assurance and Transparency Leader, PwC US

Follow us