HITRUST Recertifies FAIR Health’s Systems Handling Electronic Protected Health Information

August 21, 2025

In April, HITRUST, an information protection standards organization and certifying body, issued a final report effectively recertifying FAIR Health’s systems handling electronic protected health information (ePHI) for another two years, through January 2027. FAIR Health’s ePHI systems first obtained HITRUST certification in 2017. The report confirmed that FAIR Health’s systems meet both the HITRUST Common Security Framework (CSF) certification criteria and the objectives specified in the NIST Cybersecurity Framework.

The HITRUST certification confirms that FAIR Health has implemented comprehensive risk management, privacy and cybersecurity practices to protect ePHI, based on regulatory requirements and leading industry standards. The most recent HITRUST validated assessment was conducted by independent third-party auditors and consisted of testing 553 unique security controls, an increase of 9.7 percent from the previous assessment, and 40 percent over the last four years. The full validated assessment took approximately four months to complete. FAIR Health will be required to perform a HITRUST interim assessment midway through the period to maintain the certification.

Data Security at FAIR Health
In addition to HITRUST certification, FAIR Health has maintained SOC 2 Type 2 compliance through annual audits since 2019. SOC 2 (System and Organization Controls 2) is a security framework that specifies how service providers should protect customer data from cybersecurity risks, based on five “Trust Service Principles”: security, availability, processing integrity, confidentiality and privacy. In December 2024, FAIR Health successfully completed its annual SOC 2 Type 2 examination, which consisted of sample testing about 200 individual control requirements and covered the 12-month period prior to the engagement. A SOC 2 Type 2 audit report demonstrates that FAIR Health has implemented mature, reliable and robust security controls to protect sensitive customer data, and that those controls have operated effectively over time.

In further recognition of FAIR Health’s data security policies and practices, the organization has been certified as a Qualified Entity under the Qualified Entity Certification Program since 2016, undergoing data security evaluations by the Centers for Medicare & Medicaid Services. This enables FAIR Health to receive traditional Medicare claims data for all 50 states and Washington, DC.

FAIR Health rigorously protects the privacy of healthcare data and employs administrative, procedural, technical and physical safeguards that comply with applicable law and meet or exceed industry standards and best practices.