HITRUST-Certified Companies: Verified List and How to Confirm a Vendor's Status


Kevin Henry

Risk Management

August 06, 2025


HITRUST Certification Overview

HITRUST certification provides an independently validated way to demonstrate strong information risk management. It aligns controls to the HITRUST CSF, a framework that harmonizes leading standards and regulations to streamline compliance assessments across healthcare, financial services, technology, and other regulated industries.

When a company says it is “HITRUST-certified,” that claim applies to a defined scope—such as a product, system, service, environment, or legal entity—not necessarily the entire organization. The authoritative, verified list of active certifications is maintained in the HITRUST Relying Party Directory, which buyers can use to confirm vendor status before onboarding.

Assessment types you’ll encounter

  • Risk-based certification (often referred to as r2): a comprehensive, two-year certification with a required interim review after year one.
  • Implemented, one-year certification (i1): a streamlined, annually renewed certification focused on well-established security practices.

HITRUST Certification Process

The certification journey follows a structured, evidence-driven path designed to validate control design and operation against the chosen assessment type.

End-to-end steps

  1. Scope and readiness. Define systems, services, and legal entities in the HITRUST MyCSF tool. Conduct a readiness review to identify gaps and remediation priorities.
  2. Control selection and implementation. Select controls appropriate to the environment and assessment type (i1 or risk-based certification), implement or refine them, and gather objective evidence.
  3. Validated assessment. Engage a HITRUST Authorized External Assessor to test control operation, review artifacts, and score maturity in MyCSF.
  4. Remediation and submission. Address findings, update evidence, and submit the validated assessment through MyCSF to HITRUST for quality assurance.
  5. Certification decision. Upon approval, HITRUST issues a certification letter, and the certified scope is published in the Relying Party Directory for relying parties to verify.
  6. Ongoing maintenance. Maintain controls, monitor changes, and prepare for the interim review (for r2) or annual renewal (for i1) to sustain certification.

Verifying HITRUST Certification Status

Always confirm claims against the verified list and the vendor’s official artifacts. Do not accept “HITRUST-aligned” or “based on HITRUST” as certification.

Ask the vendor for these details

  • Legal entity name exactly as certified.
  • Assessment type (i1 or risk-based r2) and certification ID.
  • Scope description (system, product, environment, geography, and in-scope services).
  • Issue and expiration dates, plus the interim review date for r2.
  • Contact information for the Authorized External Assessor who performed the validated assessment.

Cross-check steps in the verified list

  1. Search the HITRUST Relying Party Directory by legal name. If the name differs (e.g., a subsidiary), request documentation tying the entities together.
  2. Match the assessment type, certification ID, issue/expiration dates, and scope one-for-one with the vendor’s letter.
  3. Confirm status shows Active (or equivalent). Treat Expired, Suspended, or Revoked as non-current until corrected.
  4. Review scope carefully. A product-level certification does not automatically cover other products, regions, or environments.

Practical red flags

  • Claims of “company-wide certification” with no scope details.
  • Only a self-assessment report, not a HITRUST-issued certification letter.
  • Mismatched legal names or outdated expiration dates.

HITRUST Relying Party Directory

The HITRUST Relying Party Directory is the authoritative, verified list of HITRUST-certified organizations and scoped environments. Procurement, security, and compliance teams rely on it to validate certification claims before granting access to data or networks.


What you can see in a listing

  • Legal entity name and, when applicable, the certified product, service, or environment.
  • Assessment type (i1 or risk-based r2) and certification status.
  • Issue and expiration dates, and interim review requirements for r2.
  • Scope statement summarizing the boundary of what is covered.

Tips to search effectively

  • Try exact legal names; include known subsidiaries or former names.
  • If a vendor claims coverage “in specific regions,” verify the geography in the scope.
  • Document your verification with screenshots or PDFs for audit trails.

HITRUST Vendor Directory

The HITRUST Vendor Directory helps you discover service providers that showcase HITRUST achievements and share information to streamline third-party risk evaluations. Use it to build a candidate list, then validate certification claims in the Relying Party Directory before onboarding.

How to use it in practice

  • Search by service category or industry to identify vendors accustomed to rigorous compliance assessments.
  • Engage shortlisted vendors to obtain their certification letters and scope details.
  • Perform final verification against the Relying Party Directory to confirm status and dates.

Key distinction

The Vendor Directory is discovery-oriented; the Relying Party Directory is the verified list for confirmation. Always rely on the latter for definitive status checks.

HITRUST Certification Benefits

For buyers, HITRUST certification reduces due diligence time by providing a standardized, independently validated view of a vendor’s security and privacy controls. It enables apples-to-apples comparison across providers and supports risk-based decisions.

  • Simplifies third-party information risk management with a common control language.
  • Reduces redundant questionnaires and bespoke audits through reusable evidence.
  • Maps to multiple regulations and standards, streamlining compliance assessments and oversight.
  • Signals mature governance, risk, and compliance practices to customers and partners.

HITRUST Certification Validity and Renewal

Validity depends on assessment type. Risk-based certifications (r2) are valid up to two years with a required interim review after the first year. Implemented certifications (i1) are valid for one year and must be renewed annually to remain current.

The certification renewal process

  1. Plan early. Begin 4–6 months before expiration to avoid gaps in coverage, especially for contracts that require continuous certification.
  2. Maintain controls. Track organizational and technical changes that may affect scope or control effectiveness, updating artifacts in the HITRUST MyCSF tool.
  3. Revalidate. Engage your Authorized External Assessor to perform the new validated assessment (and complete the interim review for r2).
  4. Submit and publish. After HITRUST QA approval, the renewed certification replaces the prior listing in the Relying Party Directory.

If certification lapses, vendors should disclose this immediately and provide a remediation timeline. Buyers should treat expired or suspended statuses as non-current until renewal is confirmed in the verified list.

FAQs

How can I verify a company's HITRUST certification status?

Request the vendor’s certification letter and scope, then search the HITRUST Relying Party Directory by the exact legal name. Match assessment type, certification ID, dates, and scope. Only an Active status in the Directory confirms a current certification.

What is the validity period of a HITRUST certification?

Risk-based certifications (r2) are valid for up to two years with a mandatory interim review at year one. Implemented certifications (i1) are valid for one year and must be renewed annually.

What are the benefits of HITRUST certification?

It provides a rigorous, independently validated demonstration of security and privacy controls, streamlines third-party compliance assessments, reduces due diligence effort, and supports consistent, risk-based decisions across vendors.

How often must HITRUST certification be renewed?

i1 certifications renew annually. r2 certifications renew every two years, provided the organization successfully completes the one-year interim review and maintains control effectiveness throughout the cycle.
