HITRUST Compliance Checklist: 19 Domains and Key Requirements

Espresso Labs Team
5 min read

The HITRUST CSF is organized around 19 control domains. The specific requirements within each domain vary by certification level (e1, i1, r2) and your organization’s risk profile. This checklist covers the key requirements across all domains as a starting point for your readiness assessment.

Note: The r2 certification includes additional requirements tailored to your specific risk factors. This checklist provides a high-level overview — your HITRUST assessor will provide the complete, tailored control set for your assessment.

Domain 1: Information Protection Program

  • Written information security program approved by executive leadership
  • Defined roles and responsibilities for cybersecurity
  • Regular management reviews of the security program
  • Security policy framework covering all major security domains
  • Annual security program review and update process

Domain 2: Endpoint Protection

  • Antivirus/anti-malware deployed on all endpoints and servers
  • Endpoint detection and response (EDR) deployed
  • Regular malware definition updates (automated)
  • Removable media controls (USB blocking or monitoring)
  • Host-based firewall on endpoints

Domain 3: Portable Media Security

  • Policy governing the use of removable and portable media
  • Encryption of PHI on portable media devices
  • Tracking and inventory of portable media containing PHI
  • Secure disposal procedures for portable media

Domain 4: Mobile Device Security

  • Mobile Device Management (MDM) or equivalent for devices accessing PHI
  • Remote wipe capability for lost or stolen devices
  • Device encryption enabled on all mobile devices with PHI access
  • Minimum security configuration requirements for mobile devices
  • BYOD policy (if personal devices are permitted)

Domain 5: Wireless Security

  • Wireless networks segregated from wired networks (separate VLANs)
  • Strong wireless encryption required (WPA3, or WPA2 with AES/CCMP; WEP and TKIP disabled)
  • Rogue wireless access point detection
  • Guest wireless networks isolated from internal systems

Domain 6: Configuration Management

  • Baseline security configurations defined for all system types (servers, workstations, network devices)
  • Hardening guides applied to new systems before deployment
  • Configuration compliance monitoring and alerting
  • Change management process for configuration changes
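Configuration compliance monitoring only works if the check understands how the target actually reads its own config. As an added example (not code from the original page or from Espresso Labs), the script below compares an OpenSSH sshd_config against a small hardening baseline. The baseline values and both sample configs are constructed for illustration; the OpenSSH defaults table is listed so that an option missing from the file is judged by the value sshd would really apply. Two sshd parsing rules that routinely hide drift are mirrored: the first occurrence of an option wins, and anything after a Match line is conditional rather than global.

```python
"""Configuration compliance check for sshd_config against a hardening baseline.

Added example, not code from the original page or from Espresso Labs. The
baseline values and the sample configs below are constructed for illustration;
replace the baseline with the values from your own hardening guide.
"""
from typing import Dict, List, NamedTuple

# Constructed baseline: required value for each sshd option (CIS-style hardening).
SSHD_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# OpenSSH's documented defaults, applied when an option is absent from the file.
# A missing line is a finding only if the default itself violates the baseline.
SSHD_DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "INFO",
}


class Finding(NamedTuple):
    option: str
    expected: str
    actual: str
    source: str  # "file" if set in the config, "default" if inherited from sshd


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global (pre-Match) sshd settings keyed by lower-cased option.

    sshd keywords are case-insensitive, the first occurrence of an option wins,
    and everything after a Match line is conditional, so parsing stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Option value" and "Option=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def check_sshd(text: str, baseline: Dict[str, str] = SSHD_BASELINE) -> List[Finding]:
    """Compare a config against the baseline and return every deviation."""
    settings = parse_sshd_config(text)
    findings: List[Finding] = []
    for option, expected in baseline.items():
        key = option.lower()
        if key in settings:
            actual, source = settings[key], "file"
        else:
            actual, source = SSHD_DEFAULTS.get(option, "<unset>"), "default"
        if actual.lower() != expected.lower():
            findings.append(Finding(option, expected, actual, source))
    return findings


# Constructed sample: a host that drifted from the baseline. The duplicated
# PasswordAuthentication line matters: sshd honours the first one, so the host
# still accepts passwords even though a later line says "no".
DRIFTED_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
X11Forwarding no
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: a host that matches the baseline.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("drifted", DRIFTED_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = check_sshd(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.option}: expected {f.expected!r}, got {f.actual!r} ({f.source})")
```

Run it against the drifted sample and it reports three deviations: root login and password authentication are both enabled in the file, and MaxAuthTries is out of policy by default because the option was never set. The same pattern (parse the way the target parses, then diff against the baseline) carries over to other system types; the alerting piece is whatever you do with a non-empty findings list.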

Domain 7: Vulnerability Management

  • Regular vulnerability scans of all systems (at minimum quarterly)
  • Annual penetration testing by a qualified firm
  • Defined SLAs for vulnerability remediation based on severity (for example, Critical: 30 days, High: 90 days; internet-facing systems usually warrant shorter windows)
  • Vulnerability management tracking and reporting
  • Patch management process covering OS, applications, and firmware

Domain 8: Network Protection

  • Network segmentation separating PHI systems from other systems
  • Firewall rules reviewed and updated regularly
  • Intrusion detection/prevention system (IDS/IPS) deployed
  • Network traffic monitoring and logging
  • VPN or equivalent secure access for remote connections

Domain 9: Transmission Protection

  • TLS 1.2 or higher enforced for all external data transmission (SSL, TLS 1.0, and TLS 1.1 disabled)
  • Certificate management process (valid, current certificates; expiry tracked and renewed before it lapses)
  • Prohibition on transmitting unencrypted PHI via email
  • Secure file transfer mechanisms (SFTP or equivalent) for PHI sharing

Domain 10: Password Management

  • Password complexity requirements enforced (length, character requirements)
  • Multi-factor authentication (MFA) for all remote access
  • MFA for all access to systems containing PHI
  • Prohibition on shared or default passwords
  • Password manager or SSO for internal use

Domain 11: Access Control

  • Least privilege access: users have access only to what they need for their role
  • Role-based access control (RBAC) implemented
  • User access reviews conducted at least semi-annually
  • Timely provisioning and deprovisioning process (access removed within 24 hours of termination)
  • Privileged access management (PAM) controls
  • Privileged account usage logging

Domain 12: Audit Logging and Monitoring

  • Centralized logging (SIEM or equivalent) for all systems with PHI
  • Log retention of at least 12 months, with the most recent 6 months immediately available online
  • Alerting on suspicious activity and policy violations
  • Regular log review process
  • Tamper-evident log storage (append-only or write-once storage with integrity protection)

Domain 13: Education, Training, and Awareness

  • Security awareness training for all employees at hire and annually
  • HIPAA/PHI-specific training for all staff with PHI access
  • Phishing simulation program
  • Role-specific training for IT, security, and privileged users
  • Training completion tracking and documentation

Domain 14: Third-Party Assurance

  • Written agreements (BAAs or equivalent) with all third parties accessing PHI
  • Third-party risk assessment process
  • Vendor inventory covering all third parties with PHI access
  • Ongoing monitoring of critical vendor security posture
  • Contractual right to audit key vendors

Domain 15: Incident Management

  • Written incident response plan
  • Incident response team with defined roles
  • 24/7 incident detection capability (monitoring or on-call)
  • HIPAA breach notification procedures (affected individuals notified without unreasonable delay and no later than 60 days after discovery; HHS notified within 60 days for breaches affecting 500 or more individuals, otherwise via the annual log)
  • Annual IRP testing (tabletop or equivalent)
  • Post-incident review and lessons-learned process

Domain 16: Business Continuity and Disaster Recovery

  • Business impact analysis completed and current
  • Recovery time objectives (RTO) and recovery point objectives (RPO) defined
  • Disaster recovery plan documented and tested annually
  • Data backup procedures with off-site or cloud backup of PHI
  • Backup restoration testing

Domain 17: Risk Management

  • Formal risk assessment process conducted at least annually
  • Risk register maintained and updated
  • Risk treatment decisions documented (accept, mitigate, transfer, avoid)
  • Risk management integrated into business decision-making

Domain 18: Physical and Environmental Security

  • Physical access controls to data centers and server rooms (badge access, cameras)
  • Environmental controls (temperature, humidity, fire suppression)
  • Visitor management procedures for restricted areas
  • Clean desk policy for PHI in physical form

Domain 19: Data Protection and Privacy

  • PHI inventory: know what PHI you have, where it is stored, and who has access
  • Data classification scheme covering PHI and other sensitive data
  • Encryption of PHI at rest on all systems
  • Encryption of PHI in transit
  • Data retention and disposal policies aligned with HIPAA requirements
  • Privacy notice aligned with HIPAA Privacy Rule
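Of the items above, tamper-evident log storage (under Audit Logging and Monitoring) is a specific technique rather than a policy, and assessors will ask how you would know if a log had been altered. As an added example (not code from the original page or from Espresso Labs), the script below keeps an audit trail as a hash chain: each record carries the SHA-256 of the previous record, so editing or deleting any record invalidates every hash after it. The record layout and the PHI-access events are constructed. The last function shows the attack the chain alone does not stop, an attacker with write access recomputing every hash after an edit, which is why the head hash has to be anchored somewhere the attacker cannot write (signed periodically, or shipped to write-once storage).

```python
"""Tamper-evident audit log as a SHA-256 hash chain.

Added example, not code from the original page or from Espresso Labs. The
record layout and sample events are constructed; anchoring of the head hash
(signing it, or copying it to write-once storage) is assumed to happen outside
this script.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # "previous hash" of the first record


def _digest(prev_hash: str, event: Dict[str, str]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


def append_record(chain: List[Dict], event: Dict[str, str]) -> Dict:
    """Append an event, binding it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "event": event, "prev": prev, "hash": _digest(prev, event)}
    chain.append(record)
    return record


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Checks sequence numbers (catches deletions), the stored prev pointer, and the
    recomputed hash of each record (catches edits).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return None


def head_hash(chain: List[Dict]) -> str:
    """The value to anchor externally after each batch of writes."""
    return chain[-1]["hash"] if chain else GENESIS


def tamper(chain: List[Dict], seq: int, **changes: str) -> List[Dict]:
    """Simulated attacker edit: copy the chain and alter one event in place."""
    edited = copy.deepcopy(chain)
    edited[seq]["event"].update(changes)
    return edited


def drop(chain: List[Dict], seq: int) -> List[Dict]:
    """Simulated attacker deletion: copy the chain and remove one record."""
    edited = copy.deepcopy(chain)
    del edited[seq]
    return edited


def rebuild(chain: List[Dict]) -> List[Dict]:
    """What an attacker with write access does after editing: recompute every hash.

    The result verifies internally, so the only thing that exposes it is the
    head hash no longer matching the externally anchored value.
    """
    fresh: List[Dict] = []
    for rec in chain:
        append_record(fresh, rec["event"])
    return fresh


# Constructed sample PHI-access events.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "user": "jdoe", "action": "view", "record": "MRN-1001"},
    {"ts": "2024-03-01T08:05:47Z", "user": "jdoe", "action": "view", "record": "MRN-1002"},
    {"ts": "2024-03-01T23:41:03Z", "user": "asmith", "action": "export", "record": "MRN-1001"},
    {"ts": "2024-03-02T07:15:30Z", "user": "rlee", "action": "update", "record": "MRN-1003"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = head_hash(chain)  # assume this is signed or stored write-once
    print("intact:", verify_chain(chain))                                   # None
    print("edited record 2:", verify_chain(tamper(chain, 2, user="svc-backup")))  # 2
    print("deleted record 1:", verify_chain(drop(chain, 1)))                # 1
    forged = rebuild(tamper(chain, 2, user="svc-backup"))
    print("rebuilt chain verifies:", verify_chain(forged) is None)          # True
    print("but head hash matches anchor:", head_hash(forged) == anchor)     # False
```

The deletion case is caught by the sequence number rather than the hash: after removing record 1, the record now sitting at index 1 still says seq 2. The rebuilt chain is the important caveat for an assessment: a hash chain stored on the same disk the attacker controls is only as tamper-evident as the external copy of its head hash.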

How Espresso Labs Helps

Espresso Labs implements and maintains the technical controls across all 19 HITRUST domains as a managed service — giving your organization a continuously enforced security program ready for HITRUST assessment at any time. We have helped healthcare vendors and business associates achieve HITRUST certification faster and at lower cost than building equivalent programs in-house. Contact us to start your HITRUST readiness journey.

Ready to Get Started?

HITRUST certification does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on your business, not on managing controls.

Talk to our team