HITRUST scoring 101: How scoring works and how to self-score

If you’re feeling overwhelmed by the HITRUST scoring rubric, you’re not alone. It takes practice to master — but it’s worth the time investment.
Because organizations are responsible for self-assessing, it’s important to understand how HITRUST scoring works. Understanding the scoring rubric guides how you plan and prepare for your assessment — and helps ensure your self-assessment score is similar to how an external assessor would evaluate your controls.
As a HITRUST authorized external assessor, Wipfli has guided many clients through the HITRUST CSF certification process. Here’s what you need to know about scoring, including what’s new in the April 2025 release of HITRUST (version 11.5.0).
Whether you’re pursuing HITRUST certification for the first time or recertifying, this guide will help you prepare.
How to meet HITRUST requirement statements
Scoring starts with understanding how well your organization meets the HITRUST requirement statements. Broken up into 19 domains, all requirement statements are predefined by HITRUST and include illustrative procedures that explain what’s required and what a requirement looks like in practice.
For example, if you have a policy about employee security awareness training, to meet HITRUST standards, that policy must:
- Clearly state management’s expectations using terms like “will” and “must.”
- Be approved by the right level of management, such as your security officer or IT director, with signatures and dates of approval.
- Be communicated to employees.
Having the policy on paper isn’t enough. You must also be able to provide evidence of each step to achieve a “fully compliant” score.
New requirement statements in HITRUST version 11.5.0
HITRUST v11.5.0 refines and expands requirement language to clarify how to meet requirements. It also adds several new authoritative sources (and corresponding requirement statements), which means your organization can demonstrate compliance with a wider range of regulations through HITRUST CSF certification. Version 11.5.0 also supports combined e1 and i1 HITRUST assessments, allowing organizations to assess multiple authoritative sources at once.
Understanding the HITRUST scoring rubric and methodology
HITRUST scoring rubrics evaluate each requirement statement across five maturity levels: policy, process, implementation, measured and managed. These rubrics are unchanged in HITRUST version 11.5.0.
Let’s take the policy scoring rubric as an example. In Figure 1, policy strength is measured on the y-axis and policy scope coverage (the share of the requirement statement’s evaluative elements the policy addresses) is measured on the x-axis.
Per HITRUST, a strong policy:
- Has management approval.
- Has been communicated to stakeholders.
- Clearly communicates management’s expectations of the control.
Figure 1: HITRUST policy scoring rubric as of 2024
If your policy’s strength is Tier 2 but only covers 50% of evaluative elements, you would score in the yellow zone (aka, partially compliant or “PC”). If the policy covers 89% of evaluative elements, you’d score in the light green zone (aka, mostly compliant or “MC”). A fully compliant (FC) score requires the highest level of policy strength and 90%-100% coverage of evaluative elements.
When it comes to HITRUST scoring, implementation is key
Implementation is the most heavily weighted part of requirement statements because it focuses on control performance and evidence-based assurance. Here is how HITRUST weights the five maturity levels:
- Policy: 15%
- Process: 20%
- Implementation: 40%
- Measured: 10%
- Managed: 15%
HITRUST version 11.5.0 keeps these weightings but puts new emphasis on measurable controls and quantifiable performance metrics, requiring organizations to track and report on specific performance indicators.
Given the weighted focus on implementation, many clients choose not to score themselves on measured and managed maturity. Keep in mind that leaving those two levels unscored forfeits up to 25% of the available points for each requirement statement (10% for measured plus 15% for managed). Still, these levels are important to understand:
- Measured means independent audits of your controls are performed and documented on a periodic basis.
- Managed means the management team reviews audit results, performs risk analyses, creates remediation plans and adjusts your security program accordingly.
Understanding the HITRUST scoring rubric for implementation
Scope is especially important when scoring implementation.
Figure 2: HITRUST implemented scoring rubric as of 2024
Let’s take encryption at rest as an example. If your in-scope environment includes your database server, SFTP servers and workstations, you must test all three. If encryption is fully implemented on the database and SFTP servers but not on workstations, only two of the three in-scope system types are covered, which is roughly 66% scope coverage.
Some requirement statements are binary — either implemented or not (e.g., configuration settings). Others require a weighted average if coverage is partial or varied across systems. In the encryption example, the 66% scope coverage average aligns with “Mostly Compliant” and 75% of points would be awarded (see Figure 3 below).
Figure 3: HITRUST scoring legend
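To make the maturity-level weighting and the implementation rubric concrete, here is an added example (not code from the article or from HITRUST) that carries the encryption-at-rest scenario through to a requirement-statement score. The weights are the five listed above. The coverage bands and the points per compliance level are assumptions except where the article pins them down (50% coverage is PC, 66% and 89% are MC, 90-100% is FC, and MC earns 75% of the points); the in-scope systems and the policy and process results are likewise constructed for the example.

```python
"""Self-scoring calculator for a single HITRUST requirement statement.

Added example, not code from the article or from HITRUST. It applies the
maturity-level weights the article states (policy 15, process 20,
implementation 40, measured 10, managed 15). The coverage bands and the
points per compliance level are assumptions: the article only confirms that
50% coverage is PC, 66% and 89% are MC, 90-100% is FC, and MC earns 75% of
the points. Adjust BANDS to match the current HITRUST scoring legend.
"""

# Weight of each maturity level in percent, as listed in the article.
WEIGHTS = {
    "policy": 15,
    "process": 20,
    "implementation": 40,
    "measured": 10,
    "managed": 15,
}

# (minimum coverage %, compliance level, points awarded out of 100).
# Assumed except for the boundaries the article pins down.
BANDS = [
    (90, "FC", 100),  # fully compliant: 90-100% (article)
    (66, "MC", 75),   # mostly compliant: covers 66% and 89% (article), 75 points (article)
    (33, "PC", 50),   # partially compliant: covers 50% (article); lower bound assumed
    (11, "SC", 25),   # somewhat compliant: assumed
    (0, "NC", 0),     # non-compliant: assumed
]


def compliance_level(coverage_pct: float) -> tuple[str, int]:
    """Map a coverage percentage to (compliance level, points awarded)."""
    if not 0 <= coverage_pct <= 100:
        raise ValueError(f"coverage must be 0-100, got {coverage_pct}")
    for floor, level, points in BANDS:
        if coverage_pct >= floor:
            return level, points
    raise AssertionError("unreachable: BANDS must end with a 0 floor")


def implementation_coverage(systems: dict[str, bool], binary: bool = False) -> float:
    """Share (0-100) of in-scope systems on which the control is implemented.

    systems maps each in-scope system to whether the control is fully
    implemented there. For binary requirement statements (e.g. a single
    configuration setting) the control either holds everywhere or counts
    as not implemented at all; otherwise coverage is the plain average.
    """
    if not systems:
        raise ValueError("at least one in-scope system is required")
    if binary:
        return 100.0 if all(systems.values()) else 0.0
    return 100.0 * sum(systems.values()) / len(systems)


def requirement_score(level_points: dict[str, int]) -> float:
    """Weighted score (0-100) for one requirement statement.

    level_points maps a maturity level to the points awarded for it (0-100).
    Levels left out (for example, measured and managed when you choose not
    to self-score them) contribute zero, so their weight is forfeited.
    """
    unknown = set(level_points) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown maturity levels: {sorted(unknown)}")
    return sum(w * level_points.get(level, 0) for level, w in WEIGHTS.items()) / 100


def score_encryption_at_rest_example() -> dict:
    """The article's encryption-at-rest scenario, carried through to a score.

    The in-scope systems and the policy/process results are constructed for
    this example. Measured and managed are intentionally left unscored.
    """
    # Constructed scope: two of three in-scope system types are encrypted at rest.
    in_scope = {"database server": True, "sftp server": True, "workstations": False}
    coverage = implementation_coverage(in_scope)          # 66.67%
    impl_level, impl_points = compliance_level(coverage)  # MC, 75 points
    # Assume policy and process were scored fully compliant.
    level_points = {"policy": 100, "process": 100, "implementation": impl_points}
    return {
        "coverage_pct": round(coverage, 2),
        "implementation_level": impl_level,
        "implementation_points": impl_points,
        "requirement_score": requirement_score(level_points),
    }


if __name__ == "__main__":
    print(score_encryption_at_rest_example())
```

Running the example shows the effect of the weighting: policy and process at FC contribute 15 and 20 points, implementation at MC contributes 40 × 0.75 = 30, and the unscored measured and managed levels contribute nothing, for a requirement-statement score of 65 out of 100. Encrypting the workstations would lift coverage to 100%, FC, and the score to 75.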
Four best practices to maximize your HITRUST scores
After you score yourself, a HITRUST external assessor will review your evidence in the MyCSF portal and validate or adjust your scores. In our experience as a HITRUST Authorized External Assessor, the most common pitfalls come from poor evidence collection.
These four best practices can help you avoid under-collecting evidence:
1. Make sure policies and procedures are detailed enough to meet HITRUST’s illustrative procedures.
Organizations often think they have strong policies and procedures but fall short of HITRUST’s expectations. Review your policies and procedures early in the assessment process so you have time to strengthen them before beginning your validated HITRUST assessment.
Some HITRUST assessors offer policy templates or will coach you on how to revise existing policies and procedures to align with HITRUST requirements.
2. Communicate policy and procedure updates to stakeholders, and document the communication.
We have had to stop assessments because a client said they told stakeholders about a policy change but couldn’t provide evidence they did so.
Make sure your management team updates, reviews and approves policies and procedures annually. And make sure you document when and how you share these updates with stakeholders.
3. Collect and save evidence when performing key processes.
Don’t assume you’ll be able to find evidence later. Many clients thought they had evidence of a control’s implementation, only to search and come up short.
Collect and save evidence whenever you perform a control, such as approving a change or conducting a risk assessment.
4. Map your policies and procedures to HITRUST controls.
How easily could you pinpoint the exact document(s) and page number(s) of relevant policy and procedure references?
That’s what you’ll have to do during a HITRUST assessment. Mapping your policies and procedures to requirement statements before your validated assessment can make the assessment go faster and smoother.
How Wipfli can help
Wipfli was one of the first HITRUST authorized external assessors in the country. Whether you need help understanding HITRUST scoring rubrics or starting your validated assessment, our risk advisory team can help. We provide a full range of HITRUST certification services, from helping with your readiness to remediation activities.
Contact us, or read to learn more: