Overview
  • We offer comprehensive consulting support to help you obtain HITRUST certification.
  • There are three certification categories: e1, i1, and r2. The e1 and i1 categories are for small and medium businesses, while the r2 category is for organizations with a higher exposure to electronic protected health information (ePHI). Our team of experienced consultants will assist you throughout the process, offering expert guidance every step of the way.
  • Our HITRUST Compliance Consulting services will enhance your security maturity and ensure flawless HITRUST certification. Please call or contact us to begin the process.

HITRUST Consulting Engagement Phases
Here is a brief overview of all the phases involved in implementing HITRUST certification.

Phase I - Scoping

Scoping involves the identification of:

  • Business entities
  • ePHI and its flow, including lifecycle
  • Information systems in scope
  • Business locations
  • Data Center and Cloud Services Providers
  • Users

Phase II - Gap Analysis and Risk Assessment

Based on the outcome of phase I, a combination of approaches is applied by Coral HITRUST consultants to conduct the gap analysis.

  • A session with each organization team to assess their current scope of work and their controls
  • Determination of applicable, not applicable and inherited controls; the latter apply when a cloud service provider is involved.
  • A red, orange or green rating for each control requirement, indicating its current status.

Coral consultants will provide detailed recommendations for each identified gap.

Phase III - Control - Design, Documentation, Implementation, Measurement, and Risk Management

Based on the gaps and maturity status from phase II, the implementation journey begins:

  • The implementation journey takes the longest period of time, depending on the gaps
  • Implementation involves discussing each gap with the team and advising changes in the short and long term
  • Writing policies and procedures that align with each applicable requirement

Phase IV - Training & Brainstorming Sessions

  • Training of staff involved in HITRUST operations is a key factor in successful HITRUST implementation.
  • Coral consultants will deliver a combination of training including awareness, risk management and standard interpretation.
  • Each policy document or risk undergoes brainstorming with staff to arrive at a ‘best-fit’ solution for the organization.

Phase V - Measurement of Controls including Internal Audit

Upon the completion of the implementation phase, Coral performs monthly tests of controls to ensure that designed controls are operating effectively.

  • These tests are conducted across all applicable 19 domains of HITRUST.
  • A formal report is published for the management team for the overall program effectiveness, especially the newly developed and implemented security controls and practices.

Summary

At this stage:

  • As a result of undergoing these phases, Coral has successfully implemented a HITRUST governance program that includes people, processes, technology and ongoing measurements.
  • Each of the HITRUST certification requirements has been completed by a combination of one or more of policy, procedures, responsibilities, reports, records, technology, and automation.
  • At this stage, the organization is ready to initiate the external HITRUST assessment.

Phase VI - HITRUST External Assessment support

We facilitate the external HITRUST assessment by providing all the support clients need to achieve successful compliance.

What are the 19 Domains of HITRUST®?
  • Information Protection Program
  • Endpoint Protection
  • Portable Media Security
  • Mobile Device Security
  • Wireless Security
  • Configuration Management
  • Vulnerability Management
  • Network Protection
  • Transmission Protection
  • Password Management
  • Access Control
  • Audit Logging and Monitoring
  • Education, Training, and Awareness
  • Third-Party Assurance
  • Incident Management
  • Business Continuity and Disaster Recovery
  • Risk Management
  • Physical and Environmental Security
  • Data Protection and Privacy
What is HITRUST® Maturity?
With HITRUST you receive a score of 0-100% based on how well you have demonstrated alignment with the 5 points, namely:
Policy, Procedure, Implemented, Measured, and Managed
  • Policy – This is achieved when you have a documented policy in line with each individual HITRUST® control requirement.
  • Procedure – This is when you describe how you achieve the policy objectives. This involves documenting people, processes and technology references. This is also the place where you describe - who, what, how - associated with each control.
  • Measured – This is when you ‘quantitatively’ demonstrate the effectiveness of a control in place. This can be a minimum period of say 3 months, which provides a reasonable assurance of control measurement.
  • Managed – This is when you show how to identify risks, deviations, and opportunities for improvements, and show evidence of successful closure.
Coral consultants will assist you in defining and implementing all 5 points, resulting in the client achieving an optimal score for each control.

Recent Case Studies
HITRUST for a SaaS platform provider in LA, CA
  • When Coral started the journey, the client was already SOC 2 and HIPAA compliant.
  • The journey started by understanding the business and ePHI/PII lifecycle.
  • Coral consultants conducted a 3-dimensional gap analysis on the applicable controls.
  • The gaps came up in the architecture, tool deployments, and security processes. Coral provided recommendations for treating all the gaps.
  • Coral helped discuss each of the gaps and assisted in defining and documenting policies and procedures.
  • Additionally, Coral consultants tracked every piece of evidence, resulting in the completion of all HITRUST controls one by one. This involved key stakeholders including the CTO, developers and the infrastructure team.
  • Finally, the client went through the HITRUST assessment and was found to be compliant in all HITRUST requirements, resulting in successful HITRUST certification.
HITRUST for a leading actuarial and consulting firm in Seattle, WA

Coral came to the assignment through the development partner responsible for developing the application and maintaining it in Azure.
For Coral, the engagement was to ensure the application and the underlying Azure infrastructure reached successful HITRUST certification.

  • Coral HITRUST consultants performed a detailed gap analysis of the application and infrastructure, as well as of all the applicable HITRUST requirements.
  • Coral's recommendations for the gaps were implemented by the development team and the end customers.
  • Coral consultants conducted a 3-dimensional gap analysis on the applicable controls.
  • A part of this client's data center infrastructure was already certified, so Coral designed, drafted and facilitated the newly implemented policies and procedures that related to the cloud environments.
  • Based on Coral’s recommendations, several configuration changes were made by the client, which further improved their security posture.

In the end, Coral assisted the client in implementing all the requirements, which resulted in achieving a successful HITRUST certification.
