
HITRUST — Health Information Trust Alliance

The leading healthcare cybersecurity assurance framework in the United States. HITRUST CSF certification is increasingly required by US health systems, payers, and healthcare technology partners as a condition of business — combining HIPAA, NIST, ISO 27001, and other requirements into a single prescriptive framework.

Tags: HITRUST CSF, HIPAA alignment, Healthcare security, US healthcare

What is HITRUST?

The HITRUST Common Security Framework (CSF) is a certifiable framework developed specifically for the healthcare industry. It harmonises requirements from HIPAA, NIST, ISO 27001, PCI DSS, and other frameworks into a single control set — with three assessment types offering different levels of assurance: e1 (Essential), i1 (Implemented), and r2 (Risk-based).

HITRUST Assessment Types

  • e1 Assessment — Entry-level, 44 controls covering cybersecurity hygiene essentials. Validated by HITRUST. Suitable for lower-risk business relationships.
  • i1 Assessment — Implemented One-Year Certification, ~182 controls. Validated and certified by HITRUST. For organisations with moderate risk profiles requiring proven implementation.
  • r2 Assessment — Risk-based Two-Year Certification, 200+ controls. The most comprehensive HITRUST assessment. Required by major US health systems and payers.

Who Needs HITRUST?

  • Healthcare technology vendors and SaaS platforms serving US health systems
  • Health insurers and payers managing PHI
  • Business associates under HIPAA handling protected health information
  • Medical device companies with connected device data flows
  • Any vendor receiving a HITRUST requirement in a BAA or vendor questionnaire

BALTUM HITRUST Readiness

BALTUM provides HITRUST readiness assessment, gap analysis, and remediation support — working with your organisation to prepare for e1, i1, or r2 assessments conducted by a HITRUST-authorised external assessor. Our programme integrates HITRUST preparation with any existing ISO 27001 or SOC 2 controls your organisation already maintains.