If the first question when first considering HITRUST Certification is how much will this cost, the second question is how long will it take? It's a valid question. Any project you take on should always be prepared to quickly and concisely answer how much and how long?
The important thing to remember when it comes to timeline is this: decide you are going to do it and do it. I was discussing with a fairly accomplished healthcare CIO the other day and he said in two separate operations, "we started the certification but couldn't get it finished." This kind of surprised me, but it is a good reminder whether it is HITRUST or other projects, accomplishing complicated projects requires commitment and focus. If you don't have that in this project (or any project), you might as well not start.
Similar to how much, how long will depend on where your organization finds itself. Everyone's experience will vary, but this article aims to give you an idea of a good baseline. Start to finish, the first time I did HITRUST it took 18 months. There were three parts:
The first 6 months are just research and fact finding. You could greatly expedite that process by reading this blog series. This stage also was a bit longer due budget year expense timing. Honestly, this phase could take as little as 1 month. The important thing that must happen in this phase is finding the right HITRUST External Assessor. To be clear, that is not us. We are not a certified assessor. Like security testing, we don't desire to become one. It isn't what we do. We build highly secure systems. We don't certify them. Technically you could do this yourself. But also, like security testing, you shouldn't. It will go smoother, and probably be cheaper, to go the route of an external assessor. Use the link above, find a few, interview them, decide on a scope and timeline with them, and pick one.
This is the section where the most amount of work and time is spent. Think of this as 7 months. Less if you have a robust IT Policy. More if you don't have any controls in place. Assuming you are committed and focused. This is the stage where the men and women are separated from the boys and girls.
As we stated before, we had no real formal IT Policy but we were set up pretty well by our guiding Pillars of HIPAA. Your mileage may vary. The execution phase will include a few sub-steps
- Submission of Information Request List to External Assessor (all the details of your operation)
- Field Work by External Assessor (think of it like an preliminary Audit)
- Answer MyCSF Questionnaire (similar to a Risk Assessment)
- Fill in the Gaps from MyCSF Results
- External Assessor performs Field Work (like a final audit)
- Submit Final Report to HITRUST
By far the most amount of time is spent in task #4. All other tasks are usually just about a week's worth of work give or take. But #4 takes a lot of time. This is where your "starting" point matters. You have to get any identified gaps corrected. If you have no controls in place and a lot of gaps, it will take a lot of time. If you have a fairly robust IT Policy and good controls in place, this will be a lot easier.
If you do not have a robust IT Policy, it is step #4 where you will develop your new IT Policy. If you have questions about that, be sure to check out our article on writing a good IT Policy.
You may be told that you will receive a response by HITRUST within 6 weeks. At this point you become HITRUST Certified. The problem? This stage in actuality takes many months. The first time I went through this it took 5 months and that was only after applying some pressure on getting a response.
There you have it. Your mileage may vary, but that is a good estimate. If you are committed and HITRUST isn't backed up you could probably do it in 6 to 9 months. Likely it will take more like a year to 18 months. But again, only if one is committed.
As we have said before, if the time comes to go through HITRUST it helps to go through it with a platform that has gone through it before. We'd love to talk to you about that and other Healthcare software needs.