Achieving HITRUST certification is not just about compliance. It is about building a strong security foundation while simplifying complex audit requirements.
For Western Reserve Area Agency on Aging, this journey became much smoother after finding the right partner.
This case study shares practical insights from Mark Davidson, CIO of Western Reserve, and highlights what truly matters when choosing a HITRUST partner.
About Western Reserve and the Challenge
Western Reserve Area Agency on Aging operates in a highly regulated healthcare environment, working with multiple managed care providers.
This meant frequent audits.
Mark Davidson explains:
“We go through anywhere from three to a half dozen audits a year… and there’s always a point where they ask if we are HITRUST certified.”
Over time, these repeated audits became inefficient and resource-heavy. The team realized they needed a long-term solution rather than continuing to manage multiple compliance processes separately.
Why Western Reserve Chose HITRUST Certification
The decision to pursue HITRUST certification was driven by both necessity and strategy.
Mark shares:
“We always knew we were going to get to the point where we’d want a HITRUST certification… and we finally said, let’s just go ahead and do it.”
For Western Reserve, HITRUST offered:
- A unified approach to compliance
- Stronger data protection for sensitive health information
- Reduced audit fatigue
- Increased trust with partners
It wasn’t just about ticking a box. It was about committing to long-term security and operational efficiency.
How HITRUST Simplified Audits
One of the biggest benefits Western Reserve experienced was audit simplification.
Mark highlights:
“We could say we are HITRUST certified and our partners would reply that HITRUST is stricter than the security they had in place.”
Because HITRUST integrates multiple frameworks, it helped cover requirements across different audits.
This aligns with the well-known “assess once, report many” concept, making compliance more streamlined and less repetitive.
Choosing the Right HITRUST Partner
When starting their HITRUST journey, Mark and his team had little experience with the process, so choosing the right partner became critical.
They evaluated multiple vendors before selecting SecurityMetrics.
Mark explains what mattered most:
“The number one thing would be expertise and experience. Reputation was important… but communication was critical.”
Key factors they considered:
- Proven expertise in HITRUST assessments
- Strong industry reputation
- Clear and consistent communication
- Cost-effectiveness
- Ability to guide from a beginner level
Good communication stood out as a deciding factor, especially for a complex certification like HITRUST.
Facing the Challenge of r2 Certification
Western Reserve chose to go directly for the most advanced level, the HITRUST r2 assessment.
This brought its own challenges.
Mark recalls:
“Seeing the sheer amount of controls we had to gather evidence for was an eye-opener.”
Despite the complexity, they discovered something important:
- They were already about 80% prepared
- Most work involved documentation and formalization
- Policies needed refinement rather than complete rebuilding
This shows that many organizations are closer to certification than they think.
The Role of a Supportive Partner
A major reason for their success was the guidance provided by their partner, along with support from Privaxi.
Mark shares:
“There’s no dumb questions… they handled everything with such grace and made me comfortable with the process.”
As the project progressed:
- Confidence increased
- Processes became clearer
- Stress decreased significantly
By the time they reached the interim assessment stage, the team felt fully in control.
From Stressful to Structured
At certain points, the process did feel overwhelming.
Mark admits:
“We reached points where I was pretty stressed out… but the team helped us focus on what really mattered.”
What made the difference:
- A customized approach instead of a one-size-fits-all method
- Clear prioritization of tasks
- Hands-on guidance throughout the process
This transformed the certification journey into something structured and manageable.
Key Lessons for Organizations
Western Reserve’s experience offers valuable takeaways:
1. Think Long-Term
HITRUST is not just a certification. It’s a long-term solution for managing compliance and security.
2. You May Be Closer Than You Think
Many organizations already have controls in place. The real work is often documentation and alignment.
3. Choose Your Partner Carefully
Expertise matters, but communication is just as important.
4. Don’t Fear Complexity
Even the r2 assessment is achievable with the right support and planning.
5. Focus on Value, Not Just Cost
A good partner saves time, reduces stress, and improves outcomes.
Conclusion
Western Reserve’s journey shows that HITRUST certification doesn’t have to be overwhelming.
With the right partner, even a complex process like r2 certification can become clear, structured, and achievable.
More importantly, it demonstrates that cybersecurity and compliance are not just obligations. They are opportunities to build trust, improve efficiency, and strengthen your organization’s foundation.