HITRUST Implementation Roadmap

HITRUST Implementation Roadmap

Implementing HITRUST requirements can be a complex process, given its comprehensive requirements for protecting patient health information. 

Here's a step-by-step guide to help organizations comply with Hitrust requirements

  1. Determination of Scope and Certification
  • Scope defines the boundary of an organization seeking HITRUST.
  • The scope should define the systems, the network, office locations, ePHI records, and number of users accessing patient records.
  • HITRUST e1 has 44 controls, i1 has 182 and r2 has more than 250 controls.
  • The scoping information can then help determine the applicable HITRUST certifications - e1, i1 or r2.

  1. Conduct an integrated Risk Analysis and gap assessment
  • Perform a thorough risk analysis to identify where e-PHI is stored, received, maintained, or transmitted.
  • Assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.
  • Assessing each of the applicable e1, i1 or r2 requirements. Each requirement has its requirements, that need to be assessed.
  • The integrated gap analysis and risk assessment will provide a list of actionable for the organization seeking HITRUST certification.
  • HITRUST has a provision for declaring requirements as ‘inheritance’ – when controls are implemented by third parties. For instance, if your SAAS application is with a cloud service provider, and the provider is HITRUST certified, several controls can be leveraged.

  1. Develop and Implement Policies and Procedures
  • HITRUST requires extensive documentation of applicable controls.
  • For each control, the optimum approach is to consider the 5Ws and 1H approach for documentation.
  • Based on the risk analysis, develop and implement policies and procedures to reduce identified risks to an acceptable level.
  • In our experience, HITRUST requires three layers of documentation that include, policies, procedures, and additional documents/record/reports that support the policy implementation.

  1. Train Your Workforce
  • Provide training to all employees on company-specific policies and procedures.
  • Make sure employees understand the importance of protecting patient information and their role in compliance.
  • Functional leaders should take ownership of policies and procedures.

  1. Technical Evidence Collection
  • Depending on the complexity of the infrastructure, be prepared to collect evidence supporting each of the applicable requirements.
  • Most of the controls have references to technical implementations, which need to be provided.

  1. Perform Regular Measurement, Audits and Assessments
  • HITRUST provides measurement guidelines for all applicable controls
  • Conduct periodic audits and assessments to ensure compliance with HITRUST policies and procedures.
  • Address any identified gaps or areas of non-compliance promptly.



HITRUST compliance is an ongoing process that requires regular review and updates to policies, procedures, and training in response to changes in technology, threats, and regulations. By following these steps, organizations can better ensure the protection of patient health information and comply with HIPAA requirements.