Key Takeaways
HITRUST CSF has become the de facto certification for handling healthcare data in the US, and the bar keeps rising. Hospitals, payers, and digital health buyers increasingly require their vendors to hold a HITRUST certification before they will sign — and most SMBs in the healthcare supply chain have no idea where to start. The framework is dense, the assessment is expensive to get wrong, and the certification cycle is continuous. MSPs who already manage the infrastructure for these clients are positioned to own HITRUST readiness and certification support as a high-value managed service. This guide covers how to build it: the assessment tiers, the scoping decisions that make or break a project, the MyCSF tooling, the evidence model, and how to price a service line around a framework that clients cannot afford to fail.
HITRUST started as a healthcare framework. It has become the price of admission to the healthcare supply chain.
If your client sells software, services, or infrastructure to hospitals, payers, or digital health platforms, the certification question is no longer hypothetical. It arrives in a procurement questionnaire, or as a contract clause, or in a flat statement from a prospect: “We can’t move forward until you’re HITRUST certified.” For an SMB in the healthcare supply chain, that sentence can stall a six-figure deal indefinitely.
Most of these companies have no idea where to start. HITRUST CSF is dense, prescriptive, and unforgiving of a sloppy assessment. The certification cycle is continuous, not one-and-done. And the cost of getting it wrong — a failed validated assessment, a scope that has to be redone — is high enough that clients want a partner who has done it before.
MSPs are already in the building. You manage the systems where this data lives. You are the logical partner to make HITRUST manageable. The question is whether you have built the service line to deliver it.
What HITRUST Actually Is
HITRUST CSF is a certifiable security framework. That word — certifiable — is the whole point. HIPAA tells a healthcare organisation what outcomes it must achieve but offers no certification and no prescriptive control set. SOC 2 is an attestation against criteria you partly define yourself. HITRUST is different: it specifies the controls, scores how well they are implemented, requires an independent external assessor, and issues a certification that a buyer’s procurement team will accept as proof.
The framework harmonises a long list of authoritative sources — HIPAA, the HITECH Act, NIST 800-53, ISO 27001, PCI DSS, GDPR, state privacy laws, and others — into a single control library. This is why buyers like it: one HITRUST certification answers questions that would otherwise require a stack of separate attestations. It is also why the framework is large. The full r2 control set, tailored by risk factors, can run to several hundred requirement statements.
HITRUST scores controls on a maturity model rather than a simple pass/fail. Each in-scope requirement is evaluated across maturity levels — policy, process, implemented, and (for r2) measured and managed. A control is not “done” because the technology exists. It is scored on whether there is a documented policy, a defined process, evidence that the process is actually operating, and — at the top tiers — evidence that the organisation measures and improves it. This maturity model is what catches MSPs who treat HITRUST like a checklist.
The Three Assessment Tiers
HITRUST’s tiered model is the key to scoping a service line, because it lets you match the engagement to the client’s actual buyer pressure and budget.
e1 — Essentials (1-year certification). Around 44 controls covering foundational cybersecurity hygiene. This is the entry tier for low-risk organisations or those facing light buyer requirements. It is fast and affordable, and it is a useful on-ramp: a client can earn an e1 certification, demonstrate momentum to a prospect, and progress to i1 when requirements escalate.
i1 — Implemented (1-year certification). Roughly 182 controls demonstrating that leading security practices are implemented. The i1 is the most common starting point for SMB healthcare vendors who have hit a procurement wall. It is rigorous enough to satisfy most buyers, but its one-year cycle and threshold-based scoring make it achievable for a well-run SMB within a few months.
r2 — Risk-based (2-year certification). The comprehensive certification. The control count is tailored to the organisation’s risk factors — data volume, regulatory exposure, system complexity — and commonly lands between 300 and 400+ requirement statements. The r2 uses the full maturity scoring model and includes an interim assessment in year two. This is what large healthcare systems and major payers increasingly demand from their critical vendors.
A well-structured service line sells the path, not just the destination. Most clients start at i1, and many will need to move to r2 within eighteen months as their customer base moves upmarket. Positioning the engagement as a progression keeps the relationship — and the revenue — continuous.
Who Needs This Service
The demand clusters around clear triggers:
Buyer-mandated certification. A digital health startup signs its first hospital system and discovers HITRUST is a contractual prerequisite. A billing vendor loses a renewal because a payer tightened its third-party requirements. This is the most common and most urgent trigger — there is a deal on the line and a deadline attached.
Business associates under pressure. Any organisation that handles protected health information on behalf of a covered entity is a business associate. As covered entities push security requirements down their supply chain, business associates — IT vendors, SaaS platforms, claims processors, transcription services — are being asked to certify. Many of these are exactly the SMBs an MSP already serves.
Competitive differentiation. In crowded healthcare software categories, a HITRUST certification is a sales asset. Vendors pursue it proactively to shorten sales cycles and clear security reviews faster than uncertified competitors. These clients are less time-pressured but more strategic, and they make excellent retainer customers.
Post-incident credibility rebuild. A healthcare vendor that has suffered a breach often pursues HITRUST to rebuild trust with customers and demonstrate a credible, independently validated security posture. These engagements tend to be well-funded and urgent.
Building the Service Line: Phase Structure
Phase 1: Scoping and Readiness Assessment (3-6 weeks)
Scope is the single most important decision in a HITRUST engagement, and getting it wrong is the most expensive mistake. The scope defines which systems, facilities, and processes are covered by the certification. Too broad, and the client pays to assess and remediate systems that never needed to be in scope. Too narrow, and the certification does not cover what the buyer actually cares about — which means it fails to close the deal it was meant to close.
Start by understanding what the buyer needs the certification to cover, then define the platform, environment, and supporting processes that deliver that. Confirm the right assessment tier (e1, i1, or r2) against the buyer requirement and the client’s maturity. Then run a readiness assessment against the in-scope control set: evaluate each requirement at policy, process, and implementation maturity, and produce a gap list with a prioritised remediation roadmap. The readiness assessment is where you find the gaps before the external assessor does — and it is billable in its own right.
Phase 2: Remediation and Control Implementation (4-12 weeks)
This phase closes the gaps the readiness assessment found. The work spans three maturity layers, and all three are scored:
Policy. Every in-scope control needs a documented policy that establishes intent and assigns responsibility. Generic, downloaded policies score poorly — they must reflect how the organisation actually operates.
Process. Each policy needs a defined, documented process that operationalises it. A policy that says access is reviewed quarterly needs a documented review procedure with an owner and a cadence.
Implementation. The control must actually be operating, with evidence. This is where MSPs add the most value, because much of the implementation is technical — access controls, logging, encryption, vulnerability management, endpoint protection, backup and recovery — and the MSP often already runs these systems for the client.
The efficiency play here is evidence reuse. HITRUST shares controls with HIPAA, SOC 2, ISO 27001, and NIST. A client who already holds SOC 2, or who you are also taking through HIPAA, has evidence that maps directly onto HITRUST requirements. Collecting it once and mapping it across frameworks is where the delivery margin lives.
Phase 3: Validated Assessment Support (4-8 weeks)
The validated assessment must be performed by a HITRUST-authorised external assessor inside MyCSF, HITRUST’s assessment platform. The MSP’s role here is to prepare the client and shepherd the process: assembling and mapping evidence to requirement statements in MyCSF, conducting an internal pre-assessment dry run, liaising with the external assessor, and managing remediation of any findings the assessor raises before submission to HITRUST for certification.
An MSP cannot be the external assessor and the implementer for the same engagement — those roles are independent — but the MSP owns everything around the assessment. The smoother the evidence package and the better-prepared the client, the faster the certification and the fewer the surprises.
Phase 4: Continuous Compliance Retainer
HITRUST is not a one-time project. The i1 recertifies annually; the r2 runs on a two-year cycle with an interim assessment in between. Controls drift, evidence goes stale, the environment changes. The retainer keeps the certification alive:
- Continuous evidence collection so the next assessment is not a scramble
- Control monitoring and maturity tracking against the in-scope requirements
- Interim assessment support (r2) and annual recertification (i1, e1)
- Scope review as the client’s systems and buyer requirements change
- Tier progression support when the client needs to move from i1 to r2
- Coordination of the next validated assessment with the external assessor
Clients who certify and then drop the retainer arrive at their next assessment with stale evidence and drifted controls, turning a manageable recertification into a fresh project. The retainer is the mechanism that keeps it from happening — and it is the most valuable part of the service line.
Pricing the Service
Scoping and readiness assessment: $6,000–$15,000 depending on tier and environment complexity.
Remediation and control implementation: $15,000–$60,000+ depending on the tier, the number of control gaps, and how much existing evidence can be reused from other frameworks.
Validated assessment support: $8,000–$25,000 for the MSP’s preparation, MyCSF management, and assessor liaison. Note this is separate from the external assessor’s own fee and the HITRUST platform/certification fees, which the client pays directly.
Continuous compliance retainer: $1,500–$5,000/month covering evidence collection, control monitoring, maturity tracking, and assessment coordination.
The retainer economics are strong because the certification cycle never stops. An i1 client needs you every year; an r2 client needs you across a two-year cycle with an interim assessment in the middle. For an MSP with ten healthcare clients on a HITRUST retainer at an average of $3,000/month, that is $360,000 in annual recurring revenue — from a service that deepens relationships with clients who cannot afford to let the certification lapse.
What Most MSPs Get Wrong
Scoping too broadly. The instinct is to scope everything. The result is a client paying to assess and remediate systems that the buyer never cared about, and a timeline that balloons. Scope to what the certification needs to cover, no more.
Treating it like a checklist. HITRUST scores maturity, not existence. A control that is technically present but has no documented policy or process scores poorly. The policy and process layers are not paperwork — they are scored components of the certification, and MSPs who skip them fail the assessment.
Collecting evidence from scratch every time. HITRUST overlaps heavily with HIPAA, SOC 2, ISO 27001, and NIST. An MSP that collects HITRUST evidence in isolation is leaving margin on the table. Map evidence across frameworks once and reuse it.
Selling the certification, not the cycle. HITRUST recertifies. An engagement priced as a one-time project ignores where the real value — and the real client need — sits. Build the retainer into the commercial model from day one.
Underestimating MyCSF fluency. The validated assessment lives in MyCSF, and a disorganised evidence package inside the platform slows the assessor and raises findings. MSPs who are not fluent in MyCSF lose time and credibility at exactly the moment the client is most anxious.
Why HITRUST Is the Right Service Line for 2026
Healthcare buyers have standardised on HITRUST as the answer to vendor risk. The pressure is flowing down the supply chain faster every year, and the tiered model — e1, i1, r2 — has lowered the barrier enough that SMBs can realistically pursue certification. That combination, rising demand and an achievable path, is what makes a service line viable.
Your healthcare clients will face the certification question. They do not have the expertise to navigate scoping, maturity scoring, evidence, and MyCSF on their own. You manage their infrastructure and you already hold much of the evidence the framework demands. The MSP who builds a credible HITRUST service line intercepts that requirement before an outside specialist does, and turns a one-off compliance scramble into a continuous, high-value relationship.
GetCybr maps HITRUST CSF requirements to specific implementation tasks and evidence types per client, tracks control gaps and maturity scores continuously, and reuses evidence across HIPAA, SOC 2, and NIST so you are not collecting it twice. When the validated assessment comes around, the compliance record is current, structured, and ready.