HITRUST is Rigorous.
We Make It Achievable.

Identify gaps, define scope, and prepare for certification using a professional HITRUST Gap Assessment.

Achieving HITRUST certification is the pinnacle of healthcare information security—but it is also one of the most difficult undertakings in compliance. With hundreds of controls and rigorous scoring requirements, going straight to a Validated Assessment is a recipe for failure. Our HITRUST Gap Assessment services simulate the certification process, score your controls using the HITRUST methodology, and provide a clear remediation roadmap to ensure you pass when it counts.

Schedule a HITRUST Gap!


What is a HITRUST Gap Assessment?

Scoring your environment against the HITRUST CSF to define scope, identify weak or missing controls, and predict how you’ll do on a Validated Assessment.

HITRUST Gap Assessment (often called a Readiness Assessment) is a preliminary evaluation of your organization’s security and privacy controls against the HITRUST CSF (Common Security Framework).

Unlike most other frameworks, HITRUST scores each control across five maturity levels (Policy, Procedure, Implemented, Measured, and Managed) rather than on a simple pass/fail basis. During a Gap Assessment, we apply this scoring logic to your environment to:

  1. Define the Scope: Determine exactly which systems and facilities must be included.
  2. Identify Weaknesses: Find controls that are non-existent or failing.
  3. Predict the Outcome: Give you a realistic view of whether you would pass or fail a formal Validated Assessment today.

What Requires a HITRUST Gap Assessment?

HITRUST is rarely pursued voluntarily; it is almost always a mandate. You need a Gap Assessment if:

  1. Payer / Provider Mandates: Major healthcare payers (such as UnitedHealthcare and Humana) require downstream vendors to be HITRUST certified to retain contracts.
  2. Audit Preparation: You are planning to undergo a HITRUST r2 or i1 Validated Assessment within the next 6-12 months and need to confirm you are ready.
  3. Competitive Advantage: You want to demonstrate to hospitals and enterprise healthcare clients that your security program is among the most mature in the industry.
  4. Multiple Frameworks: You want to use the HITRUST CSF to satisfy HIPAA, NIST, ISO, and PCI requirements through a single consolidated assessment.

Types of HITRUST Gap Assessments We Perform

The HITRUST CSF has evolved. We provide readiness assessments for all three current assessment types:

Assessment Type | Description
HITRUST e1 (Essentials) Gap Assessment | Lower-risk organizations needing basic assurance. We check the roughly 44 requirement statements focused on foundational cybersecurity hygiene.
HITRUST i1 (Implemented) Gap Assessment | Moderate-risk organizations. We assess a static set of controls to show that your security program is implemented and operating effectively.
HITRUST r2 (Risk-based) Gap Assessment | High-risk organizations and those working with major payers. We assess hundreds of controls tailored to your specific risk factors.

What Our HITRUST Gap Service Includes

We guide you through the complexities of the MyCSF platform and the CSF framework.

Scoping Workshop

We help you define your assessment scope to avoid over-scoping (unnecessarily hard) or under-scoping (an assessment your clients will not accept).

MyCSF Support

We assist in setting up your object within the HITRUST MyCSF portal to generate the correct control set.

Control Evaluation

We interview your stakeholders and review evidence to score your controls based on the CSF maturity levels.

CAP Management

We identify where Corrective Action Plans (CAPs) will be required, how to draft them, and how to implement them.

Inheritance Analysis

Which controls you can inherit from your cloud providers (AWS/Azure) or MSPs to reduce your workload.

Deliverables for Your HITRUST Roadmap

We provide the artifacts necessary to budget for and execute your remediation.

Readiness Scorecard

A detailed report predicting your scores across the 19 assessment domains. We tell you exactly where you are “Red” and where you are “Green.”

Remediation Roadmap

A prioritized project plan listing every missing policy, unconfigured tool, and process gap that must be fixed before the External Assessor arrives.

Scope Definition Document

A formalized document defining your organizational bounds, ensuring full alignment with the rigorous HITRUST requirements.

Budget & Timeline Estimate

An accurate projection of the time and resources required to achieve full certification based on your current security program maturity.

Why Choose Us for HITRUST Readiness?

We save you time by maximizing control inheritance and using the same methodology as external assessors, so there are no surprises on audit day.

We Speak MyCSF

Navigating the HITRUST portal is half the battle. Our experts are fluent in the tool and the framework.

Inheritance Experts

We know how to save you time by maximizing inheritance from AWS, Azure, and Google Cloud.

Healthcare Knowledge


We understand the intersection of HITRUST and HIPAA. Our certification efforts keep you compliant.

Our Certifications

Our team holds industry-recognized certifications that reflect hands-on expertise across offensive security, cloud, incident response, and compliance.

Offensive Security Certified Professional (OSCP)

Certified Information Systems Security Professional (CISSP)

GIAC Penetration Tester (GPEN)

GIAC Cloud Penetration Tester (GCPN)

CompTIA Security+, Network+, A+, Pentest+

GIAC Certified Incident Handler (GCIH)

AWS Certified Cloud Practitioner (CCP)

Microsoft AZ-900, SC-900

Certified Cloud Security Professional (CCSP)

Certified Ethical Hacker (CEH)

Burp Suite Certified Practitioner (Apprentice)

eLearnSecurity Junior Penetration Tester (eJPT)

eLearnSecurity Web Application Penetration Tester (eWPT)

Systems Security Certified Practitioner (SSCP)

Palo Alto PSE Certifications

HITRUST Gap Service: FAQs

Answers to the questions we hear most often.

Gap Assessment vs. Validated Assessment?

A Gap Assessment (Readiness Assessment) is an internal “practice run.” It finds the problems so you can fix them, and the results stay with you. A Validated Assessment is the formal audit conducted by an Authorized External Assessor organization and submitted to HITRUST for certification. You should always do a Gap Assessment first.

How long does a HITRUST Gap Assessment take?

Depending on the size of the organization and the assessment type (e1 vs r2), a Gap Assessment typically takes 3 to 6 weeks. However, the remediation following the gap analysis can take 6-12 months before you are ready for certification.

Which assessment do I need: e1, i1, or r2?

This depends on your client’s requirements. Most major payers (United, Humana, etc.) require the r2 (Risk-based) assessment for vendors handling high volumes of sensitive data. Smaller vendors may qualify for the i1 or e1. We help you determine the right path during scoping.

Do you help us fix the gaps?

Yes. We offer HITRUST Remediation Services. We can help write the required policies and procedures, implement technical controls (such as MFA and encryption), and manage the project until you are certification-ready.

Can we use a SOC 2 report instead of HITRUST?

That is up to your client. However, HITRUST is significantly more rigorous than SOC 2. While SOC 2 allows you to define your own controls, HITRUST dictates exactly what controls you must have. In healthcare, HITRUST is the superior standard.

What is "Inheritance" in HITRUST?

Inheritance allows you to take credit for security controls that a vendor operates on your behalf, provided that vendor holds its own HITRUST certification and participates in the HITRUST shared responsibility program. For example, if you host on AWS, you can “inherit” the scores for physical and environmental controls that AWS’s certified environment already covers, so you do not have to evidence them yourself. Inheritance can be full or partial, and the External Assessor still confirms that the inherited controls apply to your scope. We maximize this to reduce your workload.

Secure Your Healthcare Contracts.

Get the expert guidance you need to navigate the HITRUST CSF.