What is HITRUST?

HITRUST is a standards organization whose programs and services help safeguard sensitive information and manage information risk for global organizations across all industries. In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks and related assessment and assurance methodologies. The organization’s evaluation criteria draw from prominent safety standards, frameworks, and guidelines, including HIPAA, PCI, and ISO.


How does HITRUST evaluate companies?

HITRUST evaluates companies using 19 domains, which are designed to address every facet of a business’s security operations. Those domains are:

  • Information protection program
  • Endpoint protection
  • Portable media security
  • Mobile device security
  • Wireless security
  • Configuration management
  • Vulnerability management
  • Transmission protection
  • Network protection
  • Password management
  • Access control
  • Audit logging and monitoring
  • Education, training, and awareness
  • Third-party assurance
  • Incident management
  • Business continuity and disaster recovery
  • Risk management
  • Physical and environmental security
  • Data privacy and protection


After multiple rounds of evaluation by an independent auditor, vendors who meet HITRUST standards are issued CSF certification.



The HITRUST CSF is a rigorous set of controls that incorporates multiple regulatory sources and security best practices, including all the requirements of HIPAA.

It is important to note that while many healthcare vendors claim HIPAA compliance, there is no definitive third party that verifies HIPAA compliance. HITRUST CSF Certification standards, by contrast, are set by a governing alliance, and certification requires an independent, unbiased, expert audit of each company.


Why does it matter?

Health systems are vulnerable to two basic kinds of breach: external attacks and internal issues. An effective security and privacy system protects against both.

The process and requirements of HITRUST CSF Certification help us ensure that patient health information is kept safe from both external threats and internal errors, which in turn supports our clients’ mission to protect health information. Our HITRUST Certification also helps our clients complete their due diligence when managing third-party vendors. Clients can be reassured that independent reviewers have thoroughly assessed our security and privacy systems, policies, and procedures.


How did Veracity and AppealMasters infrastructure get HITRUST CSF Certified?

Control Case, an authorized third-party, external assessor, conducted a thorough audit of PayerWatch’s security operations, system architecture, and office operations. The Control Case report was then submitted to HITRUST for their review and assessment. This multi-layer assessment is designed to ensure a complete review of security and privacy – with no area of security being untested.


How long does HITRUST certification last?

HITRUST certification is valid for two years. One year in, HITRUST will conduct an interim review that includes ensuring we have not had any significant changes to our systems, policies, or procedures or experienced any breaches. PayerWatch completed another full certification of Veracity and AppealMasters infrastructure after achieving initial certification in 2019.


How does HITRUST help Intersect Healthcare clients?

The HITRUST CSF Certification of Veracity and AppealMasters infrastructure means that clients can be confident in our handling of protected health information – whether that information is being transferred or stored.

Additionally, our HITRUST CSF certification makes it easier for our clients to prove the privacy, security, and integrity of their patient data during assessments or audits. Vendor assessments are a critical activity for our clients to support their own compliance efforts. Our HITRUST CSF Certification can help clients save time and cost in reviewing us as a vendor, which in turn makes it simpler for our clients to prove their due diligence in managing third-party vendors.


In Closing

HITRUST CSF Certification is a complex, comprehensive, ongoing journey. PayerWatch is proud to have, once again, achieved HITRUST CSF certification of our Veracity software and AppealMasters infrastructure. We are grateful for the trust our clients place in us – to protect sensitive patient information – and our HITRUST CSF Certification helps to prove we are worthy of that trust.
