What is the difference between a HITRUST validated report and a HITRUST certification?
The HITRUST Validated report and HITRUST Certification both begin with an organization engaging a CSF Assessor firm to audit against the in-scope CSF controls for the system. Contained within the in-scope CSF controls, which are derived from the details entered in the risk based questionnaire section (Factors tab) of the myCSF tool, HITRUST has designated 64 specific controls that are required for HITRUST Certification which are covered under 19 different assessment domains . In order to obtain the HITRUST certification any control that scores less than a 3+ requires a corrective action plan.
Also all 19 assessment domains must have an average score of at least a 3 maturity rating in order for certification. Should any of those assessment domains have a score below a 3 maturity rating, a “validated report” would be issued. A validated report is essentially a noncompliant report which can show clients that the organization is working through the HITRUST process and may only have one or two areas of noncompliance. If all 19 assessment domains have the necessary maturity rating of 3 or higher a “certified report” would be issued by HITRUST which would make the organization HITRUST certified.