Five Key Considerations for SaaS Healthtech Companies Pursuing HITRUST Certification

It isn’t enough to simply claim trust in healthcare. It must be proven and reaffirmed on a daily basis. For SaaS healthtech companies, HITRUST certification has become one of the most recognized ways to demonstrate that trust to customers, partners, and regulators.

Thoropass’ teams work with organizations across the spectrum – from early-stage startups to global enterprises – guiding them through HITRUST assessments. While most of those organizations ultimately achieve validated certification, the process often surfaces recurring challenges that can slow progress or introduce unnecessary risk.

Understanding these common pitfalls early can make the difference between a smooth certification journey and a reactive, resource-intensive one. Here are five issues that we often encounter.

1. Scope Drives Everything (And It Can’t Be Ambiguous)

Scope is the foundation of every HITRUST assessment. When it’s unclear or overly broad, the entire process becomes more complex – and in some cases, unsuccessful.

Effective scoping starts by working backward from the business objective:

  • Which applications or services require HITRUST certification?
  • What systems support those offerings?
  • Who has access to those systems?

Common missteps include:

  • Including physical office locations with no on-prem infrastructure (e.g. servers, wireless access points)
  • Excluding endpoints (like laptops) that directly access in-scope systems
  • Overlooking dependencies such as cloud providers or managed service partners

Key considerations when defining scope:

  • Which users interact with in-scope systems?
  • Are there on-prem or hosted environments involved?
  • What cloud service providers are in use?
  • Will third parties need to provide audit evidence?

A clearly defined scope not only streamlines the assessment but also reduces rework during fieldwork.

2. The e1 Assessment: Lower Effort but Smaller Margin for Error

The HITRUST e1 assessment is often positioned as an entry point for certification, covering essential cybersecurity hygiene with only 43 requirements. However, fewer requirements do not mean lower risk.

Since those requirements are distributed across all 19 HITRUST CSF domains – and scoring is evaluated at the domain level – a gap in a single domain can prevent certification entirely.

This creates a unique dynamic:

  • Fewer controls provide less opportunity to offset weaknesses
  • Each requirement carries greater weight

Organizations that treat e1 as a quick or low-effort certification often encounter unexpected challenges late in the process.

The most successful teams approach e1 with the same level of rigor and preparation as more comprehensive assessments like i1 or r2.

3. Over-Reliance on Cloud Providers

While cloud service providers (CSPs) play a critical role in security for SaaS healthtech organizations, HITRUST operates under a shared responsibility model.

A common misconception is that responsibilities can be fully inherited from providers like AWS, GCP, or Azure.

In practice:

  • Full inheritance applies to a limited subset of controls (such as physical security)
  • Most controls involve partial inheritance, requiring evidence from both the CSP and the organization

For example:

  • Access control, logging, and identity management typically require organization-level controls
  • Even with inheritance, organizations must demonstrate how controls are implemented and managed internally

A frequent issue during assessments is the lack of evidence for partially inherited controls, often due to assumptions that the CSP has full responsibility.

Early alignment on shared responsibility and clear mapping of control ownership are essential to avoid delays during fieldwork.

4. HITRUST Requires Organization-Wide Coordination

HITRUST certification is not limited to a single group, such as an in-house governance, risk, and compliance (GRC) team. It requires coordinated effort across the organization.

Successful assessments are typically characterized by:

  • A dedicated primary point of contact (POC) for assessor communication
  • Clear internal ownership of evidence collection and task tracking
  • Strong collaboration across teams, including:
    • GRC and compliance
    • Engineering and IT
    • Security
    • HR

Common challenges arise when:

  • Ownership is unclear and responsibilities are diffused
  • Compliance teams operate in isolation without engaging key stakeholders
  • Evidence requests are handled reactively instead of proactively

Without structured coordination, organizations often face last-minute gaps and delays.

5. Common Areas Where Scores Decline

Even well-prepared organizations tend to see score reductions in a few recurring areas:

  • Privileged Access Management
    • Lack of separate accounts for administrative functions
  • Access Reviews
    • Inconsistent or undocumented user access reviews
  • Password Policy Enforcement
    • Misalignment between policy and system configurations
  • Backup and Recovery
    • Absence of offline or immutable backups for production data

These issues are common across organizations, but under HITRUST scoring, consistent implementation of each control and clear evidence that it is enforced are what determine the result.

Final Thoughts

HITRUST certification is one of the most comprehensive frameworks in the compliance landscape – and that rigor is what makes it so valuable.

Organizations that navigate the process successfully tend to:

  • Define scope with precision
  • Treat all assessment levels with appropriate rigor
  • Understand and operationalize shared responsibility in the cloud
  • Approach HITRUST as a cross-functional initiative

Avoiding these common pitfalls not only improves the likelihood of certification but also leads to a more efficient and predictable assessment process.

If you’re looking to achieve HITRUST certification without the headache, get in touch today.

Kunal Gupta

Senior Associate, HITRUST
