True or false? An authorized external assessor breaks down 9 common HITRUST certification myths

If your organization is considering pursuing HITRUST CSF certification, you may have heard conflicting information about the requirements, who the certification applies to and how long it takes to complete. As HITRUST authorized external assessors, we hear misconceptions about the certification process all the time. Let’s clear them up.
1. HITRUST is only for healthcare business associates
False. HITRUST CSF certification applies to multiple industries. In healthcare, it can be used by both business associates and covered entities.
Originally, HITRUST was designed for the entire healthcare industry and didn’t differentiate between business associates and covered entities. Over time, health plans began requiring business associates to be HITRUST certified, which narrowed the focus for a while.
However, with the release of HITRUST v11.5.0 in April 2025, the framework’s applicability expanded across many other regulated industries. HIPAA, which was once automatically included in assessments, is now treated as a separate regulatory requirement.
HITRUST v11.5.0 also adds new authoritative sources, like the Singapore Cybersecurity Act and the UK Guidelines for Secure AI System Development. These updates expand the framework’s relevance beyond the American healthcare system and address emerging risks like AI security.
2. You have to certify every system that contains protected health information (PHI)
False. HITRUST does not require you to certify your entire organization. In fact, trying to do so can make the HITRUST assessment more time-consuming and expensive than it needs to be. In practice, HITRUST assessments certify a defined environment.
That’s why a first step in HITRUST readiness is setting the scope. We help clients define a clear certification scope, focusing on their most critical system first. In healthcare, that may be an electronic medical record system or a practice management system. Businesses that work with payors may prioritize their payment systems or related services.
3. Process and procedure are the same thing
False. Procedures explain how you implement a policy. A process is the actual workflow that carries out those procedures. For example:
- Your policy says only authorized users can access PHI.
- Your procedure outlines how you onboard and offboard users, including how you update access management when roles or responsibilities change.
- Your process is the series of actions you take to grant or remove access. For example, what triggers an offboarding notice?
If it helps, think of it visually. Processes can typically be captured in a workflow diagram.
4. Organizations need to be at 100% maturity for policy, process and implementation to become HITRUST certified
False. Organizations don’t have to be perfect to get certified. You can achieve HITRUST CSF certification with a minimum score of 3 in each domain, even with a corrective action plan in place.
HITRUST scores control requirements across five maturity levels:
- Policy
- Process
- Implemented
- Measured
- Managed
While the goal is full maturity, HITRUST recognizes that reaching “measured” and “managed” levels can be difficult. You should aim for at least a Level 3 in all 19 HITRUST certification domains.
Recent HITRUST updates place stronger emphasis on measurable controls, like tracking the percentage of critical systems with failover protection and monitoring breach notification timelines. These quantifiable controls help organizations provide more evidence of control effectiveness.
5. You can develop and implement policies, procedures and processes right up to the start of the assessment
False. Your policies, procedures, processes and controls must be documented, approved and implemented for at least 90 days before your external assessor can start a validated assessment; HITRUST does not consider them fully mature or testable until they have been operating for that long. This applies to both HITRUST assessments and recertifications.
Your workforce also needs to be aware of these policies and have acknowledged them.
6. HITRUST only applies to organizations that handle PHI
False. HITRUST can be applied to any organization that handles regulated or sensitive data.
Financial services, technology providers, government contractors and other companies use HITRUST CSF certification to protect information like client financial data, intellectual property and non-public information. For example, a financial services organization could apply HITRUST CSF to an environment that manages client financial information.
7. External assessors determine your scores
False. Your organization is responsible for self-scoring before the external assessor validates your results. You need to confirm that:
- You have a current policy that addresses each HITRUST requirement.
- You have procedures and defined processes that explain how the policy is implemented.
- You can provide evidence that the process has been operating as expected for at least 90 days.
The external assessor validates your self-assessment against HITRUST scoring criteria. Organizations need to be brutally honest with themselves about their readiness to avoid receiving downgraded maturity scores that could jeopardize certification.
To help you self-evaluate, HITRUST provides many useful resources, including:
- A scoring rubric.
- The HITRUST Assessment Handbook.
- This white paper: “Evaluating Control Maturity Using the HITRUST Approach.”
8. You have until recertification to complete your corrective action plan
False. You can be certified with a corrective action plan in place, but you are expected to make progress on remediations before your one-year interim HITRUST assessment.
At the one-year interim assessment, your external assessor will evaluate whether you’ve made sufficient progress on corrective actions. If not, they’ll expect a logical business reason that explains why the corrective actions haven’t been resolved.
9. If you have HITRUST, you don’t need SOC 2 certification
False. The differences between HITRUST and SOC 2 can be confusing. While both have overlapping control areas — especially around security, availability and confidentiality — they are not interchangeable.
SOC 2 results in an attestation report issued by a CPA firm and is often required in technology and financial services firms. HITRUST CSF certification demonstrates broader compliance across multiple frameworks.
Many organizations need both certifications — SOC 2 to meet client requirements, and HITRUST to comply with industry-specific regulations or general data security standards. Our advisors can help you assess the benefits of pursuing HITRUST versus SOC 2 and determine the best certification approach for your organization.
How Wipfli can help
Wipfli was one of the first HITRUST authorized external assessors in the country. Put all that experience to work for you — whether you’re pursuing certification, a readiness assessment or using HITRUST for internal governance. Contact our risk advisory team to get started, or continue reading:
- HITRUST scoring methodology: What it is and how it works
- Signs you should switch HITRUST assessors
- Common misconceptions from a HITRUST assessor