HITRUST Framework and HITRUST Compliance

COSO Regulations handled by ZenGRC

Focused on the specific needs of the health services industry, the HITRUST CSF established a shared methodology to address HIPAA compliance with a risk-based approach. The HITRUST self-assessment process helps organizations formally document a baseline status for policies, processes, and controls. The CSF focuses on an individual company’s organizational, system-level, and regulatory risk factors. The framework’s controls are based on past breach data in conjunction with HIPAA compliance standards. Although being CSF compliant does not equate to HIPAA compliance, it can help a company organize the necessary controls.


This unique positioning creates concerns that are specific to healthcare compliance. While auditors close the gap between the prescriptive HITRUST language and HIPAA language to determine the compliance posture, CISOs and their limited staff need to document according to the detailed CSF specifications. The CSF integrates several standards, and because the same asset can be protected by multiple controls, gaps or inconsistencies can result. Communicating this environment to the Directors is cumbersome. Spreadsheets may seem efficient in terms of both time and finances, but the need to communicate between many different stakeholders becomes costly in terms of time. This is where HITRUST compliance automation comes with a cost as well as a benefit.


Why manage HITRUST with ZenGRC?

HITRUST compliance is all about keeping the company’s internal house in order.

Because of constant changes in the regulatory and IT landscapes, handling a HITRUST audit correctly has become infinitely more important to customers managing their own compliance and that of their suppliers. For companies that are already publicly traded or are looking to go public, HITRUST compliance increases marketability and investor confidence. Without fast access to proof of compliance and demonstrated risk management processes, it is more difficult to close big deals. Your company will lose to any competitor that passes close inspection by customers.