HITRUST

HITRUST (formerly known as Health Information Trust Alliance) is an organization headquartered in Frisco, Texas, that provides information risk management and compliance assessments and certifications.^{[1][better source needed]}

HITRUST

Company type	Private
Industry	Health information technology
Founded	2007; 18 years ago (2007) in Frisco, Texas, U.S.
Founder	Daniel Nutkis
Headquarters	Frisco, Texas , U.S.
Key people	Daniel Nutkis (CEO) Brad Almond (CFO) Robert Booker (CSO) Steve Perkins (CMO)
Parent	Brighton Park Capital
Website	hitrustalliance.net

History

HITRUST was formed in 2007 in response to heightened concerns about healthcare data breaches, expanding federal and state compliance mandates, and the need for a standardized approach to information protection in healthcare.^[2] Initially focused on HIPAA and other U.S. healthcare privacy and security laws, HITRUST later adapted its framework for broader use in different industries, including financial services and defense contracting.^[3][4]

In response to emerging AI concerns, the organization developed AI-specific control requirements and certifications to address related risks in 2024.^[5]

In December 2024, the organization announced a cyber insurance consortium in partnership with Lloyd’s of London.^[6] This partnership benefitted customers of both HITRUST and Lloyd's of London by offering discounted insurance rates through Lloyd's of London if users pass a HITRUST assessment and achieve a certification.^[7] Organizations that use both services also experience a more streamlined process due to Lloyd's of London using HITRUST's framework to assess coverage and costs.^[8]

In 2025, the organization announced the general availability of its HITRUST Assessment XChange App for ServiceNow.^[9]

HITRUST Framework

HITRUST's assessments are based on its cybersecurity framework, the HITRUST CSF (originally the HITRUST Common Security Framework), which integrates requirements from multiple regulations and standards.^[3]

The HITRUST Framework incorporates control requirements from more than 60^{[10][better source needed]} regulations and standards for assessing security and compliance.^[11] It is divided into 19 control domains,^[3] such as endpoint protection, access control, business continuity, and incident management.^[2] The certification model built on the framework adjusts security requirements based on an organization’s size, risk profile, and regulatory obligations.^[2]

According to the HITRUST’s 2025 Trust Report, certified environments reported an incident rate under 1%. However, independent validation of the finding is unclear.^[12]

Critics argue that HITRUST certification can be expensive and time-consuming, especially for smaller entities with limited budgets and staffing.^[2] Some also caution that while the framework covers many cybersecurity controls, it does not guarantee full compliance with every niche regulation (e.g., certain OSHA requirements and CMS’s conditions of Medicare and Medicaid participation).^[3]

Certifications

HITRUST offers multiple kinds of certifications depending on organization's data security needs and regulations that need to be met. These certifications are achieved through assessments to help build organization's security through HITRUST's framework.^[13] Organizations are able to work their way up through certifications to further strengthen security.^[14] These certifications help to protect organizations with lots of data from cybersecurity threats, such as phishing, data breaches, and ransomware.^[15][16]

Certification	Target User	Purpose	# of Controls	Level of Assurance	Time of Validity	Complexity of Assessment	Ref.
e1	Small, low-risk organizations new to HITRUST	Set up organizations with an entry-level cybersecurity system and strengthen security	44	Foundational	1 Year	Low	[13][14]
i1	Moderate-risk organizations with needs higher than e1	Focus on new and rising threats to data security (used to help obtain r2 certification)	182	Intermediate	1 Years	Medium	[13][14]
r2	High-risk and large-scale organizations with lots of regulations	Managing and securing large amounts of sensitive data	2,000+ (chosen based on risk)	Risk-Based	2 Years	High	[13][14]

Cost

HITRUST's certifications scale in price depending on the company's needs and size. Multiple purchases are required for the assessment process and certification, along with an annual fee to access HITRUST's MyCSF tool, which allows for documentation of risk assessments.^[17] Several factors determine the total price, including the organization's location and range, the organization's previous cyber liabilities, and assessments required for the desired certification.^[18] The majority of the accounted prices is due to external assessor fees from a third-party, with organizations needing to complete more assessments depending on the complexity of the certification.^[18]

The total costs of the assessment, certification, MyCSF tool, and additional fees can range from approximately $50,000 USD for the e1 certification, $120,000 USD for the i1 certification, and upwards of $500,000 for the r2 certification.^[18] Renewal costs are significantly less expensive than initial certification costs, as the data needed for assessment is already in HITRUST's database, along with annual fees such as the MyCSF tool being part of the cost of a certification renewal.^[17]

Although the MyCSF tool isn't needed to obtain a certification, the annual fee of approximately $15,000 USD (Price scales depending on the company's needs and size) allows for annual, full access to these analysis reports compared to the limited access window that HITRUSTS CSF report offers, which is a service that is paid for per report at approximately $3,600 USD.^{[17] [19]} While most companies attempting to obtain a certificate choose to get MyCSF tool, the CSF report allows for uncertified companies to still get a risk assessment in a more budget-friendly way.^[17]

Board of Directors

HITRUST is led by a management team and governed by a Board of Directors made up of leaders from across a variety of industries. These leaders represent the governance of the organization, but other founders also comprise the leadership.^{[20][better source needed]}

In September of 2025, the founder of HITRUST, Daniel S. Nutkis stepped down from his current position of Chief Executive Officer and appointed Gregory Webb in his position.^[21] Webb is a 20-year veteran in the cybersecurity field holding leadership roles at tech companies such as Venafi and Bromium.^[22]

The Board Members are:

• Daniel S. Nutkis - Executive Chairman & Founder, HITRUST
• Gregory Webb - Chief Executive Officer, HITRUST
• Robert Booker - Chief Strategy Officer, HITRUST
• Pamela Arora - President and Chief Executive Officer, AAMI
• Caroline Budde - Associate General Counsel, Digital & Data Assets, McKesson
• Dr. Kevin Charest - Chief Information Security Officer, Accumulus Synergy
• George DeCesare, JD - Senior Vice President, Chief Technology Risk Officer, Kaiser Permanente
• Kimberly Gray, Esq - CIPP Chief Privacy Officer, Global, IQVIA
• Omar Khawaja - Vice President, Security, and Field Chief Information Security Officer, Databricks
• Stirling Martin - Senior Vice President, Epic and President, Epic Hosting
• Roy R. Mellinger - Senior Vice President, Security, Privacy, IT Risk and Compliance and Global Chief Information Security Officer, Aimbridge Hospitality
• Aman Raheja - Chief Information Security Officer, HP Enterprise