What HITRUST Reporting Methods are Available?


  • What it is: A mapping between the HITRUST CSF requirements and AICPA's Trust Services Categories and Criteria has been developed and made available to enable service organizations to provide information to users of their system about whether controls relevant to security, availability and confidentiality are suitably designed and operating effectively to meet the applicable trust services criteria (TSC) and HITRUST CSF requirements. This enables the service organization to communicate information about the processes and procedures it uses to meet the HITRUST CSF, in addition to the applicable TSC. This increases transparency and provides information for decision making.

  • Benefits: 

    • SOC 2 engagements are performed under the professional standards of the AICPA

    • It is substantially less expensive than obtaining a validated report and certification from HITRUST

    • It is often the preferred method of compliance reporting from organization's that perform third party risk assurance activities

  • Each organization's risk appetite is unique to them, so it's their decision to determine what level of third party assurance is necessary. If you're not sure whether your customers accept the SOC 2 + HITRUST CSF Report, ask your customers whether it will be sufficient to give them appropriate assurance of your controls.

HITRUST CSF Validated Report and Certification

  • This option is used when a service organization wants to provide its stakeholders with a HITRUST CSF certification report but does not choose to provide them with a SOC 2 report. This engagement is performed by an approved HITRUST CSF assessor based on the HITRUST CSF requirements. The engagement consists of an assessment that is submitted to HITRUST for evaluation. If the service organization’s controls meet the HITRUST CSF requirements based on a determination by HITRUST, the result is the issuance of a certification report by HITRUST.

  • Benefits: 

    • Validation is performed against all 135 control references

    • Assessment requirements are assessed based on the 5 PRISMA-based maturity levels (Non-Compliant, Somewhat Compliant, Partially Compliant, Mostly Compliant, Fully Compliant)

    • You receive a validated certification report, based on the assessor and HITRUST's evaluation and determination

SOC 2 + HITRUST CSF + CSF certification

  • What it is: This reporting option is used when a service organization wants to obtain both a SOC 2 + HITRUST CSF report in addition to a HITRUST CSF certification.


The following table provides an alternative view showing the HITRUST reporting options and certain attributes associated with each option.

HITRUST Service Chart

case studies

big problem:
Ransomware attack halted a global manufacturer's operations.
big thinking:
Recover and secure the system – fast – save $1 million in ransom.
big problem:
High tax burden for family-owned franchisor.
big thinking:
Comprehensive planning for a 15% tax reduction.

our thoughts on

SECURE Act: Modification of Required Minimum Distribution Rules for Designated Beneficiaries (Section 401)

Based on the new provisions of the SECURE Act, there are now much more restrictive rules surrounding a required minimum distribution (RMD) to designated

read more >

Part Five in a Series: Managing Risks of Technologies Emerging as Business Opportunities: Chatbots

What are chatbots? Chatbots are computer programs or artificial intelligence (AI) that conduct a conversation via audio or text. These programs are typically

read more >

I Want Mine - Social Security Simplified

I have this love/hate relationship with social media. In late April, when The 2019 Social Security and Medicare Trustees Reports were published, the key

read more >

Skilled Labor Shortage in the Manufacturing Industry

The Federal Reserve released its most recent Beige Book on June 5, 2019, which summarizes current economic conditions, including challenges, opportunities

read more >

Manufacturing's Workforce Crisis

According to the National Association of Manufacturers' latest Outlook Survey, 90% of manufacturers are optimistic about their company's future.

read more >

National Flood Insurance Program Extension

As I watched the pounding rain from my window for the third straight day, I could only imagine the damage this unpredictable spring weather was inflicting

read more >

Proposed Accounting Standard Update Would Delay Private Company Effective Dates for Leases, Current Expected Credit Losses (CECL) and Hedging Updates by One Year

On July 17, 2019, the Financial Accounting Standards Board (FASB) voted unanimously to move forward with delaying the effective start date for recent accounting

read more >

Have a question? Ask us!

We'd love to hear from you. Drop us a note, and we'll respond to you as quickly as possible.

Ask us

One PPG Place, Suite 1700
Pittsburgh, PA 15222

p:412.261.3644     f:412.261.4876


65 East State Street, Suite 2000
Columbus, OH 43215

p:614.621.4060     f:614.621.4062

Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102