TL;DR
- HITRUST CSF (Common Security Framework) is a prescriptive control framework maintained by the HITRUST Alliance, originally targeted at US healthcare but now used across regulated industries.
- It consolidates requirements from HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, COBIT and others into a unified control catalogue with tiered maturity scoring.
- Three assessment tiers — e1 (essentials), i1 (implemented), r2 (risk-based) — with progressively deeper evidence requirements.
- Widely required by US healthcare payers and health-tech buyers as the bar to handle PHI at scale.
What HITRUST CSF Is
The HITRUST Alliance is a private US non-profit that publishes the HITRUST Common Security Framework — a prescriptive control catalogue that maps to HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, COBIT, GDPR, FedRAMP and a long list of other frameworks.
The pitch is straightforward: rather than mapping your controls to many frameworks independently, you implement HITRUST CSF once and inherit cross-framework coverage. The catch is that HITRUST is highly prescriptive — the controls and their evidence requirements are tightly specified.
The Assessment Tiers
| Assessment | Scope | Typical use |
|---|---|---|
| e1 — Essentials | 44 foundational controls. | Lower-risk vendors; entry-level assurance. |
| i1 — Implemented | Around 180 controls focused on prevailing best-practice cybersecurity. | Mid-risk vendors; baseline assurance for US healthcare partners. |
| r2 — Risk-based | Tailored — control count depends on risk factors, often 300-500. | High-risk vendors handling large volumes of PHI; required by major payers. |
How HITRUST Differs From ISO 27001 and SOC 2
HITRUST is more prescriptive than either ISO 27001 or SOC 2. It defines specific control implementations, evidence types, and scoring metrics, rather than letting the organisation pick its own. That makes assessment results highly comparable across organisations — a HITRUST r2 score of 90 means broadly the same thing regardless of who was assessed.
HITRUST inheritance is a meaningful benefit. If your cloud provider holds HITRUST r2 certification on the underlying platform, your assessment can inherit that scope rather than re-evidence the underlying controls. AWS, Azure and GCP all support some level of HITRUST inheritance — confirm scope with the platform team.
Maturity Scoring
HITRUST scores each control on five maturity dimensions: Policy, Process, Implemented, Measured, Managed. Each is rated 0-100; the control's overall score is a weighted average. The assessment as a whole produces a score per control domain and an overall result.
Certification is granted at a defined threshold (currently 3+ across maturity dimensions per control, with no domain below the minimum). Below that, the assessment is reported but does not result in certification.
When To Pursue HITRUST
- You sell to large US healthcare payers (UnitedHealth, Anthem, Cigna, etc.) — many require it.
- You are a health-tech SaaS handling PHI for hospital networks.
- Your customers struggle to reconcile your HIPAA, ISO 27001 and SOC 2 evidence — HITRUST consolidates the story.
- You can amortise the cost across multiple US healthcare contracts.
HITRUST is expensive and time-consuming. A first-time r2 certification typically costs in the multi-six-figure range on a 9-15-month timeline. Do not pursue it speculatively; make sure named customer requirements justify the spend.
Where Yobitel Sits
Yobitel does not directly hold HITRUST certification. UK-headquartered providers selling into US healthcare via partner channels typically defer to the partner platform's HITRUST scope and certify only the SaaS layer separately if needed. MediQuery deployments for US customers are configured to inherit HITRUST controls from the underlying authorised platform.