Articles & E-Books


Using HITRUST outside of healthcare

Mar 16, 2021

Security and compliance experts recognize HITRUST as a powerful name in compliance and risk management. Originally designed for healthcare, HITRUST is becoming the framework of choice across multiple industries.

Blue-chip companies like Amazon, Google, Microsoft and Salesforce now use the HITRUST framework. Organizations value HITRUST for its flexibility, its rigor and its ability to streamline risk assessment and compliance reporting.

Read more: What is HITRUST, and why does it matter?

How HITRUST expanded to cover more industries

HITRUST has been solidly legitimized as a framework for the healthcare industry. But now the conversation has expanded to how it can help other fields. Considering healthcare handles a high level of sensitive information, organizations that might have equally sensitive data are seeing benefits in adopting this framework. 

Over the years, HITRUST has been developed to have broad applicability for organizations with local, state and international regulatory requirements. In 2018, for example, HITRUST update 9.1 included both EU General Data Protection Regulation (GDPR) and New York state cybersecurity requirements.  

In January 2019, HITRUST update 9.2 created an option for users who did not have protected healthcare information (PHI) or other healthcare-specific requirements. In June 2020, update 9.4 added Department of Defense CMMC requirements. 

The bottom line: They keep tabs on what’s needed to do business here at home and around the world. Ongoing enhancements are planned to incorporate emerging rules and industry-specific controls. 

Read more: HITRUST vs. HIPAA: What is the difference?

Why more industries are adopting HITRUST

Overall, HITRUST is versatile and comprehensive. Organizations can use it as the foundation to attain a wide range of certifications and reports — all in one unified tool. Here’s more about why HITRUST is gaining traction in industries beyond healthcare: 

A competitive advantage. Among Wipfli clients, we see organizations adopting HITRUST as a competitive advantage to enter markets where there are heavier sets of regulations. HITRUST provides that extra step that brings an organization in line with some of the world’s largest, most security-focused firms. 

Eliminates overlaps in compliance reporting. One of the biggest reasons people are choosing HITRUST is because it covers the entirety of an organization’s security controls under one framework. You don’t have to manage multiple tools. This helps organizations regulated by multiple standards avoid costly overlaps in the reporting process. 

HITRUST is the core framework, and you can expand from there. If you have additional requirements, those requirements map right into the framework, without separate workstreams or duplication. It’s what HITRUST calls Assess Once, Report Many™.

Add-on regulatory requirements can include:

  • Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Framework
  • PCI
  • FTC Red Flags Rule
  • MARS-E
  • CMS Minimum Security Requirements (High) – Medicare and Medicaid

Outside of the United States:

  • Personal Data Protection Act (Singapore)
  • European Union GDPR

State-specific requirements:

  • State of Massachusetts Data Protection Act
  • State of Nevada Security of Personal Information Requirements
  • Texas Health and Safety Code
  • CA Civil Code § 1798.81.5
  • 23 NYCRR 500

Inheritance is huge

Another big factor is HITRUST inheritance. This allows you to rely on the assurance of HITRUST assessments performed on certain business partners (e.g., colocations and cloud providers) to validate your own assessment. Essentially you can “inherit” their testing, supporting the HITRUST Test Once, Report Many™ approach to compliance. 

For example, if you use Amazon Web Services and you have a control that says you need visitor logs, you can take the HITRUST testing that’s been performed at Amazon and use that in your own assessments. 

Read more: What is HITRUST inheritance and what are its benefits


In addition to the benefits above, organizations value HITRUST for its scalability. You can be a small organization and work with HITRUST. As you become bigger, it adapts with you. That makes HITRUST a great starting point, but also a great tool for growth. 

What we see in the marketplace right now is a lot of organizations are acknowledging, “We don’t know what we don’t know.” That’s a healthy place to be, and that’s where HITRUST becomes very effective. It lays out the roadmap. 

If you already have certain assessments in place, HITRUST folds those into a unified, efficient tool. It maps all your current controls in one framework so you can eliminate duplication and see places to improve your governance, compliance and risk programs.

How Wipfli can help

Wipfli was one of the first HITRUST Authorized External Assessors in the country. Our deep experience means we know the HITRUST framework inside and out. We can help you evaluate HITRUST as an option for your industry and walk you through the planning process.

Learn more about our HITRUST certification assessment services.

Sign up to receive additional security and risk mitigation information in your inbox, or continue reading on: