Cybersecurity

Unveiling HITRUST’s New Combined Assessments: A Game Changer in Assurance Reporting

Nicole janko

Nicole Janko

Senior Director, Advisory Services, Coalfire

August 29, 2024

On August 27, 2024, HITRUST released its Assurance Advisory HAA 2024-004 where HITRUST introduced a significant enhancement to its Assessment Portfolio: the Combined Assessment option for e1 and i1 certifications. This evolution in HITRUST's offering will reshape the industry by enabling organizations to derive even greater value from their HITRUST certifications while maintaining the rigorous standards of reliability and trust that HITRUST embodies.

The Power of Combined Assessments

The new combined assessment feature allows organizations to seamlessly integrate authoritative sources, such as HIPAA or the NIST AI Risk Management Framework, into their e1 or i1 assessments. This integration enables the production of Insights Reports—detailed, authoritative-source-specific reports that provide clarity and confidence to both internal and external stakeholders. These reports go beyond the core HITRUST certification, offering a robust analysis of an organization’s compliance with additional regulatory requirements.

Why is this important? Because it aligns perfectly with HITRUST’s "Assess Once, Report Many™" philosophy. By completing a single assessment, organizations can now generate multiple reports that satisfy the compliance needs of various regulatory bodies, making the HITRUST certification more versatile and valuable than ever before.

Assessment Details

The combined e1 and i1 assessments will include:

  • Factors Page: Lists all compliance factors eligible for insights reporting, which currently includes HIPAA (Security, Privacy and Breach notification rules) and the NIST AI Risk Management Framework v1.0 and ISO/IEC 23894:2023 in a combined "AI Risk Management" Compliance Factor. HITRUST is considering more authoritative sources for release soon. 
  • Pre-QA Assessment Results Review: A new phase that displays preliminary results before final submission. This allows for a thorough review of the core and additional requirement statements.
  • Certification Criteria: The criteria for e1 and i1 certifications remain unchanged. The core requirement statements continue to drive the certification process, with additional factors providing supplementary insights.

Rapid Assessment Updates

In early 2025, HITRUST will update its rapid assessment offerings to support combined assessments. Organizations that complete a combined assessment can take advantage of a faster, more efficient assessment process in subsequent years, provided they meet certain criteria.

More Than Just a Certification

While traditional certifications provide a snapshot of compliance at a given time, the HITRUST combined assessment goes further. It offers a deeper level of insight into how an organization measures up against a broader set of requirements. For example, by combining HIPAA with an e1 or i1 assessment, organizations not only meet HITRUST standards but also get a clear, actionable report on how they conform to HIPAA’s specific requirements.

This level of detailed reporting can be invaluable for organizations in heavily regulated industries like healthcare or finance, where demonstrating compliance with multiple frameworks is critical. The Insights Reports offer a clear and concise format, making it easier to communicate compliance status to customers, partners, and regulators.

A Strategic Investment for Long-Term Value

Opting for a combined assessment represents a strategic investment. While it requires a modest additional cost, the value it delivers in terms of compliance transparency, risk management, and stakeholder confidence is significant. The ability to leverage a single assessment to produce multiple authoritative-source-specific reports can streamline compliance efforts, reduce redundancy, and ultimately accelerate time-to-value.

Moreover, with the upcoming availability of rapid assessment options in 2025, the value proposition becomes even more compelling. Organizations that have previously completed a combined assessment can opt for a rapid assessment in subsequent years, making the process more efficient while still maintaining the high standards required for certification.

Conclusion: The Future of Compliance is Here

HITRUST’s introduction of combined assessments is more than just an enhancement—it’s a transformative approach that could redefine how organizations manage and report on compliance. By offering the ability to assess once and report on multiple standards, HITRUST is setting a new benchmark for comprehensive, reliable, and efficient compliance reporting.

For organizations looking to stay ahead in an increasingly complex regulatory environment, embracing HITRUST’s combined assessments could be the key to unlocking greater assurance, transparency, and trust. 

Interested in learning how HITRUST’s combined assessments can benefit your organization? Contact Coalfire's HITRUST Advisory team today to explore ways to integrate this new offering into your compliance strategy.