HITRUST®

DirectTrust is an Authorized HITRUST Assessor specializing in accreditation and certification for healthcare organizations

Use Our Healthcare Accreditation Expertise For Your HITRUST® Assessment

HITRUST certification demonstrates your commitment to the highest standards of data privacy and security. The HITRUST Framework contains controls spanning different privacy and security regulations and requirements, as well as international, federal, and state legislation. 

Within the HITRUST Framework are three certification levels, and an additional AI Security certification, offered based on organizational needs, business objectives, and risk profiles:

HITRUST Essentials (e1)



The e1 certification is ideal for companies with limited risk profiles or less complexity. It allows for an entry-level validated assessment and certification based on 44 foundational security controls. Organizations can also build upon these controls as a step toward attaining the more comprehensive i1 or r2 certifications. The base criteria do not completely cover HIPAA; however, this scoping factor can be added for an additional cost.

HITRUST Implemented (i1)



The i1 certification is a fit for organizations with robust information security programs already in place that are ready to demonstrate leading security practices. The i1 offers a more thorough assessment that covers a broader set of controls. Work done to attain an active i1 certification can be applied toward attaining an r2 certification. Although the base criteria do not completely cover HIPAA, this scoping factor can be added for an additional cost.

HITRUST Risk-based, 2 Year (r2)



The r2 is recognized by various industry outlets as a high standard for demonstrating protection and compliance in the handling of sensitive health information. For instance, the Trusted Exchange Framework and Common Agreement (TEFCA) specifies HITRUST r2 Certification for potential QHINs.

HITRUST AI Security



This certification provides AI platform and service providers with relevant, prescriptive, practical security controls and methodology to confidently adopt and secure AI technologies. It supports shared responsibility inheritance and, when paired with an e1, i1, or r2, enables organizations to address multiple compliance needs within a streamlined solution.

HITRUST AI Risk Management



This certification offers detailed insights, based on 51 relevant and practical AI risk management controls. Harmonized with ISO 23894 and NIST AI RMF, this assessment provides a single, efficient control specification that allows organizations to understand and report on their performance in ISO and NIST terms.

HITRUST authorizes external assessors to perform assessments and services associated with the HITRUST Assurance Program and the HITRUST Framework. DirectTrust is a proud authorized HITRUST assessor, with the unique quality of also being a non-profit accreditation body ourselves.

DirectTrust provides 20+ specific healthcare accreditation programs governed by EHNAC, which include, but are not limited to, HIEs, ePrescribers, clearinghouses, and billing organizations. Each program contains many stakeholder-specific requirements unique to that program and its data handling responsibilities. While programs are unique, the inclusion of privacy, security, and other healthcare-specific safeguards is consistent.

Our Assessors average 28 years of healthcare experience, and are experts in healthcare accreditation. If you’re looking for a HITRUST Assessor with healthcare accreditation expertise to guide you through the process, look no further than DirectTrust.

Apply for HITRUST®

Partner with the healthcare experts at DirectTrust for your HITRUST Assessment

Access the HITRUST Assessment Tailoring Calculator

Scope an assessment and get a count of requirement statements for a tailored assessment based on the results of your customized selections. Please provide the results to your DirectTrust representative to receive a cost proposal.

What Our Clients Say

“Because the healthcare industry is continuously faced with data and security issues involving PHI, it is important to us at Alpha II to not only provide credibility, but to also add strength to our technology solutions. The HITRUST Framework certification of our solutions proves our commitment to maintaining the integrity of healthcare data for our partners and clients by providing a stamp of approval from a recognized independent source. DirectTrust’s HITRUST Assessor has been instrumental in helping Alpha II complete our HITRUST Certification and HITRUST Interim Review in a timely manner.”

-Stuart Newsome, CPCO, VP, Corporate & Client Experience, Alpha II

“MedAllies decided to pursue HITRUST certification to achieve security maturity levels meeting both industry best practices and regulatory requirements. Based on excellent past experiences with DirectTrust, MedAllies chose to partner with them again as its HITRUST third party assessor. While the HITRUST process can be rigorous from attestation to validation with its breadth of domains and controls, DirectTrust has made the experience as efficient as could be with utmost professionalism and deep knowledge of the framework.”

-Ethan Yehud, Chief Information Security Officer, MedAllies

Why choose DirectTrust as your HITRUST Assessor?

By selecting DirectTrust as your organization’s HITRUST Assessor, you’ll have a healthcare accreditation expert as your partner. 

DirectTrust Assessors are also HITRUST Practitioners, meaning that, in many cases, the review process to obtain HITRUST CSF certification and DirectTrust accreditation governed by EHNAC is likely to be streamlined and may reduce costs.

Benefits include:

  • DirectTrust is a non-profit with extensive experience in healthcare accreditation and certification
  • Organizations achieving HITRUST certification have 100% of their privacy and security credited to their DirectTrust accreditation
  • Organizations with existing DirectTrust accreditation have the majority of their HIPAA-related privacy and security controls developed to apply to HITRUST CSF
  • DirectTrust Assessors are also HITRUST Practitioners, making it easier for organizations to undergo audits
  • Obtaining both HITRUST Framework certification and DirectTrust accreditation at the same time significantly reduces the time, expense, and redundancy needed to prepare documentation and undergo required site visits
  • DirectTrust participates in key HITRUST workgroups, influencing the privacy and security requirements in future versions

Are you looking for hands-on support to help you through the pre-assessment steps, readiness planning process, and more? Learn about our Consulting and Advisory Services, which have been designed to support HITRUST Certification.

Apply for HITRUST Assessment

DirectTrust is proud to be an Authorized External Assessor for HITRUST Assessment.  Our experience in health tech accreditation and certification, as well as our non-profit status, makes us an experienced and standout HITRUST Assessor choice. 

To move forward with DirectTrust as your HITRUST Assessor, follow the steps below.

Complete your DirectTrust Accreditation Application

Begin the process of selecting DirectTrust as your HITRUST Assessor by completing the DirectTrust Accreditation Application, available here.

Purchase “MyCSF Subscription and Report” from HITRUST

Purchase at least the Professional license level of MyCSF by filling out the form on this HITRUST page or calling HITRUST at 855-448-7878.

Learn about the HITRUST Process and MyCSF Tool

More information about the HITRUST MyCSF tool is available in these tutorial videos from HITRUST. 

Complete Administrative and Scoping Information

Once a subscription to MyCSF has been obtained, enter your organization’s Administrative and Scoping Information (also known as “Risk Factors”) into MyCSF (go to 4:25 in the MyCSF video).  Within that section, ensure the following:

  • Select one of the following as the Assessment Option:
    • CSF Security Assessment
    • CSF Security & Privacy Assessment
    • CSF Comprehensive Security Assessment
    • CSF Comprehensive Security & Privacy Assessment
  • Select “Validated Assessment” as the Assessment Type
    • By selecting Validated Assessment as the Assessment Type, you will in the end either receive a Validated Report or a Validated Report with Certification, depending on your score.
  • Select DirectTrust as the Assessor Organization

After completing the Factors section, press the “Preview Assessment Count” button (not shown in the video, but found at the bottom of the Factors screen) to see the number of Requirement Statements (also known as “Implementation Requirements”) that will be assessed. This number must be reported to DirectTrust for scoping and pricing purposes.

Statement of Work (SOW) 

DirectTrust will create and send candidates a Statement of Work, which will review pricing and the scope of work to be completed. A call will be scheduled to review the SOW and determine any adjustments necessary to finalize, approve, and execute the SOW and commence the assessment with the agreed-upon timeline.

Complete Validated Assessment and Participation Agreement Forms

Within the MyCSF tool, complete these forms to demonstrate the relationship between the Candidate and the Assessor:

  • HITRUST Validated Assessment Form
  • 3rd Party Participation Agreement