HITRUST REPORT

We have put together all the information you need to answer your questions about SOC Reporting, including what they are, what they do, and what it takes to get them done. We also help you figure out where to start when choosing a partner to help issue your report.

The HITRUST Report and Why It Benefits Service Providers


Maloney + Novotny is one of only 90 trained and listed HITRUST assessors across the country with the ability to prepare and submit a HITRUST report.

Organizations and third-party administrators working with, consuming and storing information that’s protected under the Health Insurance Portability and Accountability Act (HIPAA) may be asked to provide a HITRUST Report for their customers.

Examples include hospitals, doctors' offices, and affiliated locations, where each location is generally considered in scope within the HITRUST audit.

This specialized audit process results in a certified report similar to other SOC reports, but it’s unique in that it can be issued only by the Health Information Trust Alliance (HITRUST). This third-party membership organization is managed by privacy, information security and risk management leaders from the public and private sectors.

HITRUST has developed its own framework and list of controls, built from the Health Insurance Portability and Accountability Act (HIPAA). This certification program focuses on risk and compliance management, assessment and assurance systems to safeguard sensitive information and manage information risk for global organizations and throughout the third-party supply chain.

HITRUST reports are similar to SOC 2 Reports but with a much higher degree of complexity and granularity incorporated into the controls. These reports can contain anywhere from 280 up to 2,800 individual controls across 19 different domains. Examples include controls on how data is encrypted in transmission and during storage, how risks are classified for the organization, and how employees are trained and kept aware of their responsibilities. In addition, each individual control has up to three levels of specificity depending on how much personal health information the organization consumes and stores.

The resulting HITRUST report renders an opinion on whether an organization meets HIPAA’s specified criteria related to how they create, access, store or exchange personal health and financial information.

HITRUST reports can be prepared only by independent auditors that are certified members of the Health Information Trust Alliance (HITRUST), and all HITRUST reports are certified and issued by HITRUST.

As a certified HITRUST partner, Maloney + Novotny is qualified to assess an organization’s controls under the HITRUST framework and render an opinion as to whether the organization meets the criteria or not. The report is then submitted to HITRUST, which issues the certification.

Auditors for Maloney + Novotny performing HITRUST Reports have industry experience from organizations on both sides of the process, making our experts well-versed in the process and able to eliminate many of the common concerns surrounding this process. We have a unique understanding of what’s required throughout the HITRUST auditing process and can help our clients through the process.


Components of a HITRUST Report


At Maloney + Novotny, preparing a HITRUST Report typically begins with a Readiness Assessment, where clients are asked to consider 28 scoping questions. This allows us to determine the extent of personal health information managed by the organization.

The Readiness Assessment is followed by a Validated Assessment, which is the certification process through HITRUST.

After issuance, HITRUST Reports are good for two years, with an interim audit required at the one-year mark. During the interim audit, the assessor randomly audits a selection of controls to ensure the organization is managing risks according to defined operational controls.


Organizations That Benefit From HITRUST Reports


  • Software-as-a-Service Companies using protected health information
  • Third-party Administrators using protected health information
  • Organizations using electronically protected health information

Choosing A HITRUST Assessor


Smaller organizations seeking a HITRUST Report have many options when choosing an assessor, and those options include a wide difference in price points. However, regardless of the price point selected, the result of these audits is the same, as all HITRUST reports are ultimately issued by HITRUST.

Currently there are only 75 assessors across the country that have been trained and listed by HITRUST with the authority to conduct HITRUST audits, and this list includes CPA firms, consulting firms and other niche organizations.

One big difference to consider is the level of personal service each of these firms is able to provide to its clients.

Some of the pain points we commonly hear from clients seeking HITRUST reports include the ability to secure proper documentation and how to analyze risk. Because of our specialized experience on both sides of the process, Maloney + Novotny is well equipped to help our clients by delivering a higher level of personalized service while also controlling overhead costs. This allows us to meet the needs of our customers with an eye for resource efficiency. In most cases we represent a more affordable option, more personalized service, and the comfort level of auditors that have experienced the HITRUST process both as an auditor and previously, as a customer requesting a HITRUST audit. Because of this unique perspective, Maloney + Novotny auditors understand how to conduct these audits, making it as convenient as possible, and much less intrusive, for our clients.


Get a no cost, no obligation assessment of your HITRUST report needs!
