What is the recommended approach to budgeting for HITRUST certification, and what strategies can be employed to optimize the related costs?
Imagine you’re planning to renovate an old historic building. At a high level, it seems straightforward: update the façade, modernize the interior, and make sure everything is up to code. You budget based on the visible needs. Then demo day arrives and the surprises begin: outdated wiring that requires a complete overhaul, new code regulations that force unplanned modifications, specialty consultations for specific problems, and extended timelines, driven by the complexity of the work, that push up labor expenses.
Pursuing HITRUST certification is similar: it often reveals complexities beyond the initial scope. What starts as a plan to meet the compliance requirements frequently evolves into a full overhaul of your organization’s security and privacy program and of the systems that support it.
Previously, we broke down the economic value of obtaining a HITRUST certification. Here, we break down the fees associated with the preparation, remediation, assessment, reporting, and optimization of the continuous certification process, so that you don’t have to deal with unexpected issues right before moving day.
What Are Standard HITRUST Contractor Fees?
Engaging a HITRUST Authorized External Assessor firm is an essential component of the certification process. In fact, it is required: only an External Assessor can perform the validated assessment on which HITRUST issues the certification and validated assessment report. In our professional opinion, selecting one should be the first course of action for an organization considering HITRUST.
Your External Assessor should be your partner throughout your HITRUST journey, guiding you through the building remodel and beyond. They know exactly what the assessment will test, and they can help you prepare for it well before the validated assessment begins.
Engaging an External Assessor is a professional services/consulting arrangement, so fees are based on the time and effort the firm expends. Fees vary with the assessment type, the size of the organization, and the complexity of the systems in scope.
- e1 (Essentials, 1-year; entry-level): Readiness Assessment ($15,000–$25,000), Certification and Validated Assessment ($25,000–$45,000)
- i1 (Implemented, 1-year; intermediate): Readiness Assessment ($20,000–$30,000), Certification and Validated Assessment ($40,000–$80,000)
- r2 (Risk-based, 2-year; comprehensive): Readiness Assessment ($25,000–$45,000+), Certification and Validated Assessment ($60,000–$150,000+)
These figures are starting points; actual costs may be higher depending on complexity and scope.
Pro Tip: Assessor fees track assessor effort. A firm that is transparent about its fees should be able to pass along savings as you integrate automation into your control environment and mature your evidence collection and testing processes, because each of those reduces the hours the assessor must spend gathering and testing evidence.
Zoning Fees: MyCSF Platform and Report Costs
Access to the MyCSF platform is required to manage the certification process and to submit the validated assessment to HITRUST for quality assurance (QA) review and report issuance. You will ultimately need to purchase both an annual professional subscription and a validated report credit to complete the process.
- Professional Subscription: $15,000–$30,000+, depending on the number of licenses and any add-on features you include
- Validated Assessment Credit: $4,000–$8,000+ (per submission)
The subscription level should align with your organization’s needs and the assessment type pursued.
Please note: Pricing estimates are for illustrative purposes only and subject to change. Official fees must be obtained directly from HITRUST.
Internal Resource Allocation
Internal costs include staff time for preparation, remediation, and coordination:
- Readiness Assessment and Remediation Efforts: Variable, based on identified gaps
- Ongoing Maintenance: Continuous investment to uphold standards
Internal effort is a critical factor in achieving a successful certification outcome. Using a 100-person healthcare technology organization as an example, first-time certifications typically demand roughly the following hours of internal staff (FTE) or contracted vendor time:
- e1: 150–300 hours
- i1: 250–500 hours
- r2: 300–600+ hours
Assuming the certification scope remains consistent, internal effort typically decreases in year two and beyond as efficiencies are realized. Keep the certification cycle in mind when budgeting: e1 and i1 certifications are valid for one year, while the r2 is a two-year certification that requires an interim assessment in year two, so the year-two effort is lower but not zero.
Key Strategies to Optimize HITRUST Certification Costs
With the help of an experienced contractor, savings can be found and, as always, planning is key!
1. Phased Readiness Approach
Implementing a phased approach allows organizations to tackle the certification process in manageable segments:
- Phase 1: Conduct a readiness assessment to identify gaps
- Phase 2: Address remediation efforts systematically
- Phase 3: Undergo the validated assessment
This structured method can lead to more efficient resource utilization and cost savings.
2. Leverage Automation Tools
Work with your contractor to reduce manual control testing and to develop automated control and evidence-generation techniques. Additionally, consider compliance automation platforms, which can streamline evidence collection and control mapping and reduce manual effort and the associated costs. Note that automation changes how evidence is produced, not whether it is needed: your assessor must still test each control and validate the evidence your tooling generates.
3. Align Scope with Business Needs
Clearly defining the scope of the assessment to include only the necessary systems and processes prevents unnecessary expenditure and focuses effort where it matters most. Scope must still include every system that stores, processes, or transmits the in-scope data, so the goal is to draw the boundary accurately, not as narrowly as possible.
Securing Leadership and Financial Buy-In
Project costs add up fast, and it’s important to prepare stakeholders upfront.
1. Present a Clear Business Case
Articulate the value of HITRUST certification in terms of risk mitigation, market competitiveness, and regulatory compliance to garner executive support.
2. Develop a Detailed Budget and Timeline
Providing a comprehensive plan with projected costs and timelines can build confidence among stakeholders and facilitate resource allocation.
3. Highlight Long-Term Benefits
Emphasize how certification can lead to long-term savings by reducing the likelihood of data breaches and associated penalties.
Building Better with Partnership
Projects can be unpredictable, costly, and time-intensive, and that is doubly true for projects your organization has never undertaken before. For that reason, it’s important to have a partner who has been there before. A partner who is open, honest, and upfront about everything will best prepare your project to proceed.
How Can Schneider Downs Help?
As an Authorized HITRUST External Assessor Firm, Schneider Downs has a strong track record with HITRUST protocols, providing trusted guidance and support throughout the certification process. For more information, contact our HITRUST team at: [email protected].
About IT Risk Advisory
Schneider Downs’ team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is to understand not only the risks related to potential loss to the organization, but to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.
To learn more, visit our dedicated IT Risk Advisory page.