Why private equity firms need to know what HITRUST is

Dec 14, 2020

Does your private equity fund have holdings in the healthcare industry? 

From physician practices to revenue cycle management companies, most types of healthcare organizations handle and store medical records and other types of protected health information (PHI). That means they are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), and it makes any data breach or violation a big deal.

When it comes to cyberattacks, healthcare is the most targeted industry globally. You want to make sure your healthcare investment holdings’ internal controls and cybersecurity practices are up to par. One comprehensive way to do so is by achieving HITRUST® CSF Certification. 

But if you’re like many private equity firms, you’ve never even heard of HITRUST.

What is HITRUST?

HITRUST is a company focused on security, privacy and risk management. Its HITRUST CSF® framework provides organizations with a comprehensive security and privacy program designed to manage data, compliance and risk, and it gives them the ability to achieve HITRUST CSF Certification by auditing against that program. 

Originally developed specifically for healthcare, HITRUST is used by organizations across industries to strengthen controls, reduce risk and provide assurance to customers, patients and other parties that the organization is doing what it can to keep its information secure.

HITRUST CSF has become the most widely adopted security and privacy framework across industries globally, and that’s partly because it has combined different frameworks and regulations — such as those laid out by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and HIPAA — into one central control repository. 

Essentially, by completing HITRUST CSF Certification, healthcare organizations can ensure compliance with not only HIPAA but also a number of robust security frameworks. It gives them peace of mind that their controls are strong, which translates into peace of mind for your private equity firm.

The benefits of HITRUST for private equity

As a private equity firm, you’re either buying and selling companies in the current fund or raising capital for your next fund. You know how much reputation and risk matter. If one of your holdings experiences a significant data breach, that’s going to shine a spotlight of bad press right on your firm and affect your ability to raise capital. 

HITRUST is such a comprehensive security framework that the journey of achieving certification means healthcare organizations are able to identify and mitigate risks, strengthen controls and stay strong through subsequent interim assessments and reassessments. By requiring your healthcare holdings to achieve HITRUST certification, your private equity firm can help reduce a significant amount of risk, especially the risk to your ability to raise capital in the future.

HITRUST can also help you buy and sell. When you go to sell a holding that has achieved HITRUST certification, the certification could not only make the due diligence process smoother but also increase the value of the holding. In fact, not having HITRUST certification could be a detriment to the deal value.

What else you should know about HITRUST

The validated assessment that is required for HITRUST CSF Certification must be conducted by a HITRUST Approved External Assessor. This assessor can provide your healthcare holdings with much-needed guidance as they undertake the journey to certification. Experienced assessors have seen it all, and they can help identify and mitigate risks before starting the validated assessment, further enabling your healthcare holdings to achieve certification. 

At Wipfli, we’re not just specialists in the private equity space. We also have a large healthcare practice and a team of HITRUST assessors who know the framework inside and out. Our combined experience and knowledge can improve the certification process’s overall efficiency and help your healthcare holdings confidently achieve HITRUST certification.


Michael L. Vaccarella
Partner, National Leader Private Equity & Transaction Advisory Services