How to Prepare Your Service Providers for HITRUST Certification

If you know the game of football, you know that the quarterback runs the show. He calls the plays, reads the defense, and leads the team—that position is often considered the primary factor in a team’s success. You won’t win the game if the QB doesn’t perform.

But football is eleven-a-side, and the quarterback—even as central as he is—can’t be successful in his role without contributions from the other relevant players. Namely, his offensive linemen need to block for him, his receivers need to catch the ball, and his running backs need to not fumble.

You are the quarterback of your HITRUST certification. Your job is the most complex since you’re the one trying to get certified—you have to prepare, update process documents, train employees, and harden your security configurations.

Even with all that hard work on your side, your “as a Service” providers also need to do their part for you to be successful in getting HITRUST certified.

How do you ensure that’s the case?

In football, a quarterback works with his offensive line to help them understand their job in blocking tacklers. In compliance, we can help you do something similar when it comes to these third parties.

As HITRUST assessors that have gone through this process with other organizations, we don’t want to see you caught out. Think of us as a coach in this scenario—we’re going to provide the gameplan you’ll work out with your “teammates.”

In this article, we will detail the role service providers play in HITRUST assessments as well as a four-step process that will help you solidify this aspect of your certification.

That way, when the time comes for everyone to be evaluated, as “quarterback,” you’ll be less likely to get flattened since you’ll have prepared your team to do their part.

The Importance of Your Third Parties During HITRUST Certification

Before we get into the “how,” we want to further impart “why” you need to check that you’re fully covered with your service providers.

It’s because the days when compliance was siloed between entities are gone. Increasingly, your vendors’ security practices are an extension of your own and subject to the same regulatory requirements. And, as more IT functions are outsourced, the scrutiny of controls managed by service providers has never been greater.

Consequently, a key factor in evaluating your readiness for a HITRUST Validated Assessment is the coverage of controls performed by your service providers.

While the i1 Validated Assessment does allow service providers to be carved out, during the r2 Validated Assessment, the onus is on those undergoing certification—you—to ensure that relevant aspects of your IT environment, regardless of outsourcing, are in compliance.

How to Prepare Your Third Parties for Your HITRUST Assessment: 4 Steps

To that end, let’s now go over the preemptive steps you can take to determine if your “as a service” providers are ready for your HITRUST assessment.

1. Establish If Your Providers are Audited By an Independent Third Party.

Independent audits provide a basis for reliance on the implementation and proper functioning of controls. In their own attempts to provide assurances to customers, your service providers have probably completed a compliance project themselves. Depending on the services they offer, they could have gone in a couple of different directions:

It’s important to confirm that they’ve been assessed against something because if they haven’t, direct testing of the controls managed by these service providers must be performed. (Fair warning: this can be tedious and requires agreement by all parties involved.)

2. Determine If Their Audit Can Be Relied Upon.

But hopefully, they have been evaluated. And while we mentioned that audits can take many forms and vary significantly based on the type, size, and objectives of the entity being evaluated, not all third-party assessments will be accepted by HITRUST.

Assessments that will not qualify for HITRUST include:

  • SOC 1 examinations
    • Specific-use audits, like SOC 1, are not acceptable. These reports are issued with a use restriction specific to financial reporting—as HITRUST is not related to that, SOC 1 audits cannot be used.
  • Type 1 SOC examinations
    • Though your third party can’t use a SOC 1 in HITRUST, they can use a SOC 2, which has a much broader use case. It just can’t be a Type 1 report, as Type 1 audits only evaluate control design and not control operating effectiveness.

For an assessment to be acceptable, the depth and rigor of testing performed by your third party’s auditor must reasonably align with the testing expectations HITRUST places on external assessors.

Taking into account what we’ve already said about what’s not acceptable, your third party’s audit can be relied upon if it included tests of control design, operation, implementation, and effectiveness.

[Table: “HITRUST Accepted?” by report type: Type 1 SOC 2, Type 2 SOC 2, ISO 27001]


3. Evaluate if the Results of the Audit Are Sufficiently Documented.

If the terms of your service provider’s audit are acceptable to HITRUST, you then need to validate the reporting. For third-party assessments to satisfy HITRUST reporting requirements, a formal report documenting the results of the assessment must be available at the start of fieldwork.

The report should contain:

  • A description of the audit’s scope;
  • The time frame covered and the issue date of the report;
  • The audit procedures performed;
  • Conclusions reached for each item tested; and
  • Any testing exceptions noted.

The end of the review period should be no more than one year old, and use of the report should not be restricted, since both HITRUST and your external assessor must be authorized users.

4. Identify Gaps Between HITRUST and Third-Party Controls.

Alright, you’ve established that your provider’s audit is usable within the context of your HITRUST certification. Now, you can use it.

To satisfy the requirements of your HITRUST assessment, you’ll need to map each HITRUST control requirement performed by a service provider to one or more corresponding controls within their assessment report.

Yes, this mapping is ultimately performed as part of the external assessment, but it can be helpful to do a cursory review to avoid major surprises. To the extent that a corresponding control cannot be identified or does not fully cover the HITRUST requirement, a scoring adjustment will be noted. Not only that, but if a discovered gap spans an entire domain—not just a few controls—it could jeopardize your overall assessment (and certification).

But if you’ve done the work ahead of time, you’ll be able to discuss any mapping gaps with your external assessor. They can then help you determine if, in fact, your certification is at risk, and if it is, they’ll help you devise a testing approach that will give you enough time to coordinate and execute everything you need to do ahead of your submission date.

For a full list of reliance requirements, refer to the HITRUST CSF Assurance Program Requirements or contact a Schellman HITRUST Professional.

Moving Forward With Your HITRUST Certification

The last thing any quarterback wants is to be tackled from his blindside after his blocker slips up on his assignment.

This is your HITRUST certification, and while you’re in charge, you need to make sure that everything and everyone involved has their ducks in a row. That includes your “as a service” providers, though now you understand how you need to go about ensuring the controls they’re responsible for will pass your HITRUST assessment.

That will make all the difference for a smoother experience, as will checking out our other HITRUST content that will further prepare you for this compliance endeavor:

About the Author

Eli Karaboutis is a Senior Associate with Schellman. He is a self-starting and quality-minded professional with experience working with Fortune 500 to Fortune 1000 companies conducting financial and IT audits, compliance consulting and efficiency reviews; detail-oriented, organized and experienced in process analysis, improvement and automation.
