The HITRUST Compliance Readiness Checklist

by SecureSlate Team in HITRUST


Key takeaways

  • Understand the core concepts and terminology behind The HITRUST Compliance Readiness Checklist.
  • Learn practical steps to apply the guidance and stay audit-ready.
  • See where SecureSlate can help centralize evidence, ownership, and ongoing compliance workflows.

The HITRUST compliance readiness checklist

This checklist is designed for teams working with Workstreet and SecureSlate to pursue HITRUST certification. If you’re looking for a general HITRUST readiness guide without a specific partner context, see our HITRUST compliance readiness checklist.


Getting HITRUST certified is a significant investment. Compared to many security frameworks, HITRUST is more expensive, time-consuming, and resource-intensive—but the assurance level it provides is hard to replicate with lighter approaches.

It can take 6–18 months, with deep documentation, detailed assessments, and ongoing coordination across teams.

HITRUST holds weight because it’s thorough. In regulated industries—especially healthcare—it can be a competitive differentiator and a clear signal of security maturity.

This readiness checklist lays out the five phases that Workstreet uses to guide teams through HITRUST preparation, paired with SecureSlate for evidence automation. By aligning controls, documentation, and stakeholders early, you’ll be in a stronger position when you engage an assessor and submit through HITRUST MyCSF.



Choosing the right HITRUST assessment type (e1, i1, r2)

HITRUST offers three types of assessments to meet organizations at different maturity and assurance needs.

Many teams build a high-level HITRUST roadmap to progress through maturity levels over time.

HITRUST e1 (Essential 1)

The e1 assessment is HITRUST’s entry-level option. It provides a streamlined path to demonstrate baseline security controls.

  • Best for: early-stage teams, startups, and low-risk scopes that need foundational credibility
  • Why it helps: faster and lighter evidence burden than higher levels

HITRUST i1 (Implemented 1)

The i1 assessment is a middle ground: more thorough than e1, less complex than r2.

  • Best for: teams that need stronger assurance but aren’t ready for r2
  • Practical note: some organizations still choose to go e1 → r2 directly depending on scope and buyer needs

HITRUST r2 (Risk-based 2)

The r2 assessment is HITRUST’s most comprehensive option. It’s scoped to your organization, so control count and effort vary based on data, systems, and risk.

  • Best for: sensitive data, enterprise customers, strict requirements, and heavily regulated environments
  • Trade-off: higher resourcing needs, but strongest assurance and market differentiation

HITRUST compliance readiness checklist (5 phases)

Use these phases as a roadmap from “we should do HITRUST” to “we’re ready for validation.”


1) Scoping and assessment planning

This phase prevents scope surprises and helps you choose the right level the first time.

Determine business requirements

  • Identify which customers/partners require HITRUST
  • Document contractual obligations tied to HITRUST
  • Clarify the assessment level (e1, i1, r2) needed to meet requirements

Define certification scope

  • Identify in-scope systems and applications that store/process/transmit sensitive data
  • Document data flows inside and outside the organization (including vendors)
  • Determine in-scope business units and facilities
  • Map organizational roles involved in maintaining controls

Build your HITRUST roadmap

  • Create a 24–36 month progression plan (often e1 → r2)
  • Set realistic milestones based on readiness and dependencies
  • Allocate budget for assessor, tooling, and remediation
  • Identify resourcing needs by phase (security, IT, engineering, legal, HR)

2) Governance and resource alignment

HITRUST programs rarely fail because teams don’t care. They fail because control ownership is unclear and timelines aren’t realistic.

Establish executive sponsorship

  • Secure leadership buy-in for the initiative
  • Define executive oversight roles
  • Create a reporting structure for progress and risk

Assemble your HITRUST team

  • Designate a program manager
  • Assign control owners across departments (IT, HR, Legal, Engineering, etc.)
  • Add specialized expertise if needed (hire/contract)
  • Run regular coordination meetings

Select implementation partners

  • Evaluate HITRUST-experienced consultants (e.g., Workstreet)
  • Choose a HITRUST Assessor Organization
  • Implement an evidence platform (like SecureSlate) to keep controls and evidence organized

3) Gap assessment and remediation planning

The goal here is to turn “we’re not ready” into a prioritized plan with owners, deadlines, and evidence targets.

Perform initial gap analysis

  • Assess current policies against HITRUST requirements
  • Evaluate procedures against HITRUST’s prescriptive expectations
  • Identify documentation and evidence gaps
  • Document technical control deficiencies

Develop a remediation strategy

  • Prioritize gaps by risk and complexity
  • Create remediation plans with owners and deadlines
  • Establish a tracking mechanism for progress
  • Allocate resources for policy + technical remediation work

Address common challenge areas

  • Prescriptive policies and procedures aligned to real implementation
  • Security awareness training evidence with a repeatable process
  • Vulnerability management with clear timelines and SLAs
  • Access control plus periodic access review processes
  • BC/DR planning that’s documented and testable

4) Implementation and evidence collection

Implementation is only half the work. HITRUST is evidence-heavy, and evidence needs a system.

Develop and revise documentation

  • Revise policies to meet HITRUST expectations
  • Write detailed procedures that guide real execution
  • Create supporting materials (training, forms, templates)
  • Establish access and approval workflows

Implement technical controls

  • Close technical gaps identified during assessment
  • Validate implementations against HITRUST requirements using SecureSlate
  • Document configurations and technical specifications
  • Test controls to confirm they operate as intended

Establish an evidence collection process

  • Automate evidence collection through SecureSlate where possible
  • Create a calendar for manual evidence needs
  • Implement organized evidence storage with ownership and retention
  • Document evidence procedures for control owners



5) Pre-assessment validation

This is your “measure twice, cut once” step before formal assessor validation.

Conduct an internal readiness assessment

  • Run a mock assessment across all controls
  • Validate evidence completeness and quality
  • Test control owner readiness for interviews
  • Review scoring risk using HITRUST’s strict scoring criteria

Refine implementation based on findings

  • Address weaknesses discovered internally
  • Strengthen documentation where needed
  • Collect missing evidence for problematic controls
  • Re-validate remediated areas

Remediate and test controls

  • Test new and existing controls to confirm operating effectiveness

Prepare for assessor engagement

  • Organize the evidence package for assessor review
  • Brief control owners on expectations and interview flow
  • Schedule stakeholder availability during the assessment window
  • Create a communication plan for the assessment period

Working with Workstreet + SecureSlate

Working with Workstreet and SecureSlate can reduce friction in building and operating a successful HITRUST program.

Workstreet brings specialized knowledge to your HITRUST journey:

  • Strategic planning: build a realistic roadmap from e1 to r2 over 24–36 months
  • Policy development: create prescriptive documentation without starting from scratch
  • Implementation guidance: navigate strict scoring requirements that catch teams by surprise
  • Assessment management: coordinate with assessors and prepare for interviews and evidence review
  • Remediation support: address gaps efficiently with proven approaches

If you want to move quickly, pair structured execution (Workstreet) with evidence automation (SecureSlate).


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.

