BLOG

By Brandon Weidemann 

Introduction 

HITRUST certifications have become a standard for the healthcare organizations including payers, providers, and business associates. HITRUST recently announced the release of v11 and outlined a comprehensive plan for decommissioning older r2 versions (v9.1 to v9.6).  

In this blog post, we will discuss key dates, significant changes, and essential steps that organizations should take to ensure compliance with HITRUST r2 certifications. 

Note: If you have a HITRUST e1 or i1 certification, you are already using v11, so you don’t need to worry about these changes.  

Key Dates and Decommissioning Plans 

HITRUST unveiled v11 on January 18, 2023, and simultaneously disclosed plans to retire v9.1 through v9.4.  

September 30, 2023: Organizations are no longer able to create objects using v9.1 to v9.4. If you are a HITRUST certified organization currently on v9.1 through v9.4, and you have not already created the assessment object for 2024, you will be required to upgrade to v11. Note that you will still be able to use your current version to submit interim assessments.  

December 31, 2024: This is the last day organizations can submit assessments using v9.1 through v9.4. HITRUST will no longer accept assessments submitted on v9.1 to v9.4 after this date.  

Additionally, on October 10, 2023, HITRUST introduced v11.2 and announced the retirement of v9.5 and v9.6.  

June 30, 2024: This is the last day organizations can create an object in MyCSF using v9.5 and v9.6. 

April 30, 2025: This is the last day organizations can submit assessments using v9.5 and v9.6. 

Major Changes in v11 

HITRUST v11 introduced significant changes. Moving the evaluative elements from the policy illustrative procedure to the requirement statement improves visibility into the control requirements.  

For example, the HITRUST v9.6 Control Specification reads: 

An Information Security Management Program (ISMP) shall be defined in terms of the characteristics of the business and established and managed, including monitoring, maintenance, and improvement. 

In HITRUST v11, this same control is broken down into 6 Evaluative Elements: 

The organization 

1. has a formal information security management program (ISMP) that is documented and addresses the overall security program of the organization. 

Management support for the ISMP 

1. is demonstrated through signed acceptance or approval by management. 

The ISMP 

1. is based on an accepted industry framework, 

1. considers all the control objectives of the accepted industry framework, 

1. documents any excluded control objectives of the accepted industry framework and the reasons for their exclusion, and 

1. is updated at least annually or when there are significant changes in the environment. 

This change makes policy and procedure requirements prescriptive in nature and will require organizations to update policies and procedures to include all Evaluative Elements.  

In addition, HITRUST has introduced new controls, removed some controls, and modified other controls. These changes create a net delta in terms of new controls that were not present in the previous certification.  

Readiness Assessment and Recommendations 

When organizations upgrade to v11, they will find that 40 to 60 percent of the assessment control scoping requirements have undergone material changes. This change in scope will significantly impact the controls included in the assessment.  

The upgrade from 9.x to v11 is impactful, and Meditology strongly advises organizations to undergo a readiness assessment prior to heading into a v11-validated assessment for the first time.  

The readiness assessment allows organizations to prepare for all of the changes ensuring compliance when submitting HITRUST certification.  

We are finding that organizations who upgrade to v11 and neglect to conduct a readiness assessment are at risk of missing certification because they are unprepared to address all of the changes. 

Conclusion 

As organizations navigate the v11 upgrade process, it's imperative to stay informed about key dates, understand the significant changes, and prioritize a readiness assessment. Meditology is here to support you in this journey. 

All organizations currently operating on v9.1 to v9.4 must transition to v11 by the end of 2024 and all organizations currently on v9.5 to v9.6 must transition to v11 by April 30, 2025, at the latest.  

In light of this timeline, Meditology strongly recommends initiating a readiness assessment as soon as possible. This proactive approach will ensure a smooth transition and will mitigate the risk of non-compliance. 

For more information or assistance with your HITRUST v11 upgrade, please contact us. We are dedicated to ensuring your organization's seamless transition to the latest standards in cybersecurity. 

---

About the Author 

Brandon has over eight years of progressive experience in Information Technology and Cybersecurity Risk Management. Brandon’s audit experience includes both internal and external audit of information technology and systems. His career transitioned into IT risk management and leadership with oversight of project teams, client engagements, and risk consulting. As a member of Meditology’s Management team, Brandon is responsible for leading the HITRUST Service Line. Brandon stays up to date on all new HITRUST releases to ensure Meditology’s tools and processes lead to successful HITRUST engagements. Brandon also delivers HITRUST and security webinars to provide information to our clients and the industry at large. Additionally, Brandon leads security risk assessments and SOC2 engagements for Meditology, bringing his well-rounded experience and focused expertise in HITRUST to payors, providers, and business associates. 

Resources 

For an in-depth discussion of v11 and HITRUST changes introduced in 2023, navigate to https://hitrustalliance.net/advisories/