HITRUST CSF Certification — The Credential That Ends Repetitive Healthcare Security Questionnaires
Norvex Assurance is an authorised HITRUST External Assessor organisation. We manage your entire HITRUST journey — from assessment type selection through MyCSF completion, validated assessment, and HITRUST QA — so you receive the healthcare industry's most trusted security certification.
HITRUST CSF Certification
End-to-end managed service
The HITRUST Common Security Framework (CSF) is a prescriptive, risk-based framework that harmonises the requirements of HIPAA, NIST SP 800-53, ISO 27001, PCI-DSS, COBIT, and other healthcare-relevant standards into a single, independently validated certification. It was created specifically because healthcare organisations grew tired of sending and receiving dozens of different security questionnaires — HITRUST replaces them all. For healthcare IT vendors, payers, and business associates, HITRUST r2 certification is the gold standard signal of security maturity. Major US health plans — including United, Cigna, Aetna, and Humana — accept a current HITRUST r2 certification in lieu of their own security assessments. Without it, selling into enterprise healthcare means answering the same questions, hundreds of times, to every prospective client.
Not sure if you need HITRUST?
Talk to one of our experts — free, no obligation.
Most companies start with Type I to establish a baseline, then graduate to Type II within 6–12 months.
e1 Assessment: 44 Critical Cybersecurity Controls
What it covers: Evaluates the most critical cybersecurity practices aligned to the NIST Cybersecurity Framework. Focuses on foundational controls like access management, malware protection, and vulnerability management.
Timeline: 3–5 months with Norvex Assurance
Best for: Organizations new to HITRUST, those responding to specific payer requests for a baseline assessment, or companies building toward i1 or r2.
Business impact: Establishes a validated security baseline and demonstrates commitment to the HITRUST framework. Accepted by some payers as an entry-level credential.
i1 Assessment: ~182 Implemented Controls
What it covers: Assesses implementation of approximately 182 controls across all HITRUST CSF control categories. Tests whether controls are implemented and functioning, not just documented.
Timeline: 6–9 months with Norvex Assurance
Best for: Organizations with a moderate risk profile that need to demonstrate implemented security controls to healthcare partners but aren't yet ready for the full r2 assessment.
Business impact: Broader recognition than e1. Accepted by a growing number of payers and health systems as evidence of a mature security programme.
r2 Assessment: 200 – 2,000+ Risk-Scaled Controls
What it covers: The most comprehensive HITRUST assessment. Control count is determined by risk factors including regulatory environment, organizational complexity, and data volume. Tests both implementation and operating effectiveness.
Timeline: 12–18 months with Norvex Assurance
Best for: Healthcare IT vendors, payers, and business associates that need maximum market coverage — accepted by all major US health plans as a replacement for proprietary assessments.
Business impact: The HITRUST r2 is the healthcare industry's gold standard. It eliminates repetitive questionnaires from enterprise buyers and positions your organization as a trusted, security-mature partner.
Not sure which type you need?
We evaluate your customer requirements, risk profile, and organizational complexity to determine the right HITRUST assessment type. We then define your scope — systems, applications, and data flows — to keep the assessment focused and cost-effective.
Our authorised HITRUST assessors evaluate your current control environment against HITRUST requirements. We deliver a control-level gap report with risk-ranked remediation priorities.
Hands-on remediation support across your engineering, security, and compliance teams. We draft policies, configure tools, build evidence libraries, and train staff — until every gap is closed.
We guide you through completing the HITRUST MyCSF self-assessment — entering control scores, uploading evidence, and documenting implementation narratives for every applicable control.
As an authorised HITRUST External Assessor, Norvex Assurance conducts the validated assessment — reviewing your self-assessment responses, testing a sample of controls, and submitting your assessment to HITRUST.
HITRUST's internal quality assurance team reviews your submission. We manage all communication, respond to HITRUST queries, and work through any QA findings on your behalf.
Receive your HITRUST CSF Certification Letter. Norvex Assurance provides interim year review preparation and ongoing monitoring to keep your certification current through the full two-year cycle.
A current HITRUST r2 certification replaces security questionnaires from all major US health plans and most enterprise healthcare buyers — permanently.
HITRUST maps to HIPAA, NIST, ISO 27001, PCI-DSS, and other frameworks simultaneously. One certification addresses multiple regulatory obligations.
Norvex Assurance is an authorised HITRUST External Assessor. You don't need a separate assessor — we handle readiness, validated assessment, and QA management in a single engagement.
Unlike annual SOC 2 renewals, HITRUST r2 certification is valid for two years with a single interim review, reducing ongoing compliance overhead.
Leading cyber insurers recognize HITRUST r2 certification as evidence of mature security controls, often translating to premium reductions.
HITRUST certification is recognized by healthcare boards and C-suites as the definitive benchmark for information security maturity in the sector.
Our fixed-scope engagement covers every deliverable needed to achieve and maintain your HITRUST certification — no hidden extras.
We believe you deserve to know what HITRUST certification costs before you commit. All engagements begin with a free scoping call — no obligation.
e1 Assessment
USD + HITRUST Fees · 3–5 months
Ideal for: Organizations new to HITRUST building a validated security baseline, or those responding to a specific payer request for an entry-level HITRUST credential.
r2 Assessment
USD + HITRUST Fees · 12–18 months
Ideal for: Healthcare IT vendors, payers, and business associates that need maximum market coverage and acceptance by all major US health plans.
Enterprise
USD · Custom
Ideal for: Large healthcare organizations or vendors pursuing HITRUST r2 alongside HIPAA programme build, SOC 2, or ISO 27001 in an integrated engagement.
Serving global clients in the US, India, UAE, Singapore, and beyond. All pricing quoted in USD.
"We were losing deals with major payers because they required HITRUST r2 and we only had SOC 2. Norvex Assurance managed the entire r2 assessment — 14 months, end to end. We now close healthcare enterprise deals in weeks instead of quarters."
Chief Information Security Officer
Healthcare Data Analytics Company — Series C
"The MyCSF platform is complex and the control evidence requirements are enormous. Having Norvex Assurance as our External Assessor meant we always knew exactly what evidence was needed and in what format. The QA process was virtually frictionless."
VP of Compliance
Revenue Cycle Management Platform
"We started with an i1 to establish our HITRUST credentials quickly, then moved to r2 18 months later. Norvex Assurance structured both engagements so the i1 work built directly into r2 — no duplication, no wasted effort. Brilliant approach."
Head of Product Security
Population Health Management SaaS