I Survived HITRUST, Now What? Guiding your organization through a successful HITRUST certification is an accomplishment. As you are now aware, the process required input from stakeholders and subject matter experts across your entire organization. At times, the list of requirements probably seemed impossible, and the number of project planning meetings and personal reminders seemed to extend forever. Be sure to take a moment to reflect on the tasks and compliment your team for their efforts. After a few weeks, take a moment to think about your process. List the tools that you used to complete the work and take specific note of where your processes were disconnected or inefficient.

PolicyCo was explicitly born with the challenges associated with HITRUST, SOC2, and HIPAA certifications. My team passed all three with a standard word processor, an excel spreadsheet, a project management system, and many emails and phone conversations.

HITRUST prescribes a five-layer system that forces your organization to bolster the structure of your compliance posture. They delineate the requirements as:

  1. Policy
  2. Procedure
  3. Implemented
  4. Measured
  5. Managed

The first three are pretty easy to grasp and add meaningful structure to your existing organization. HITRUST forces you to separate policy from procedure and then introduces you to evidence collection through the implemented and measured phases. It’s virtually impossible to claim something is implemented without being able to tie evidence to the process. Furthermore, these processes can only be measured by looking at evidence over time.

Managed deserves a separate category because this speaks to how you act on the data presented from the implemented and measured. Management asserts that your team looks at the evidence critically and strives to acknowledge and address potential risks and gaps over time. Every organization operates with risk, and those who can identify and rate risk have a huge advantage because it promotes a culture of being honest about the potential for breaches. A healthy organization holds meetings regularly to discuss all risks and re-evaluate the severity. Those more critical risks are more clearly defined and surrounded by an action plan to remediate over time.


A month or so after getting through HITRUST, start the planning process to streamline your following partial review. Taking action now will prevent the recurring chaos of your entire team from turning to a reactionary mode in two years. So how can you start planning?

Define Evidence

Look at every piece of evidence you gathered for your assessors. Place them into buckets: Monthly, Quarterly, Annually. Define each one. Were they log files? Screenshots? Meeting minutes? Spreadsheets?

Remember that each piece of evidence is tied back to at least one HITRUST control. Be sure to make this association for each one and assign the task to appropriate team members. As you are aware, there are many disciplines involved, including HR, IT, DevOps, Executives, etc.

Make it clear to your team that your goal is to establish a culture of compliance; this promotes a spirit of gathering evidence in an ongoing fashion instead of at the last minute with auditors present. Enforce accountability for these responsibilities by seeking buy-in from the very top. The repercussions for failure are too significant to ask for less.

Hold appropriate periodic meetings.

I’ll list a few here, but be sure to add whatever other meetings are relevant for your enterprise.

  1. Annual Vendor SLA Review
  2. Annual Risk Assessment
  3. Annual Disaster Recovery Test
  4. Annual Data Breach Exercise


Suppose your organization needs to adhere to more than one Framework, such as HIPAA and SOC2, along with HITRUST. In that case, you have the perfect opportunity to bring them under a unified organizational policy and gather evidence simultaneously for all three. HITRUST is essentially a superset of the HIPAA and SOC2, but unfortunately, it’s likely your audits are offset, meaning your organization is scrambling unnecessarily 2-3 times per year. By harmonizing your evidence-gathering activities across the organization, you effectively buy back time from your most valuable resources in the company. This takes care and planning, but that’s what you are paid for - to think critically for your organization and optimize its activities.


PolicyCo was built to address this exact problem. Write policy in the language of your organization and map all relevant controls to your internal statements. Write procedures and map them to your policy statement. Map evidence to your required frameworks and assign them to the right people in your organization. Finally, hold your team accountable for their actions.