Security Option Comparison

Effective January 2021, organizations can choose either the EHNAC or HITRUST versions of security criteria (available in most, but not all programs). The comparison chart below is designed to assist in understanding the differences between the options.

Choosing Between Security Versions

For organizations that are HITRUST Certified:

EHNAC accepts HITRUST Certification in fulfillment of the criteria in the Security and , if appropriate, Privacy section(s)of its programs, with the following qualifications:

  1. The HITRUST Certification needs to be validated within 2-years prior to the Self-Assessment (SA) submission and maintained throughout the two-year accreditation. If an organization has not achieved HITRUST Certification at the time of SA submission, the organization must submit its own security and privacy responses and evidence without reliance upon a HITRUST report even if the HITRUST Certification effort is in progress but not yet complete. If an organization falls out of compliance during the accreditation process, FULL Accreditation will either be delayed or, if sufficient evidence of progress toward HITRUST Certification is provided, EHNAC may at its discretion award Provisional Accreditation until such time that a HITRUST Certification is received and validated as appropriate by EHNAC.
  2. The HITRUST Assessment must have encompassed at minimum the same scope as the EHNAC Review. Specifically, the scope of the HITRUST Assessment must cover all services targeted by the EHNAC Review, and this scoping must be stated in the Executive Summary document provided by the Candidate to EHNAC as part of the Self-Assessment package.
  3. The entire HITRUST Validated Assessment Report including CAPs must be submitted for review.
  4. The response to each of the criteria within the Security and, if appropriate, Privacy section(s) must include a statement similar to: “HITRUST Certification is in place covering the scope of this review. Please see the full HITRUST Assessment Report provided.” Any criteria for which there are outstanding CAPs should be so noted.
  5. For those accredited for any EHNAC program who have been certified by HITRUST and who have used a validated report to satisfy the Security and/or Privacy criteria in that program, a Sentinel Event must be reported if HITRUST certification is not maintained throughout the EHNAC accreditation period.


More details on applying for HITRUST certification can be found here, or for the specific steps on attaining EHNAC accreditation, new applicants can start here, while those attaining re-accreditation can start here.