Its aim is at the healthcare industry, as a means to meet HIPAA compliance. They basically started off with ISO/IEC 27002 controls (pretty clear if you compare the two control sets), and then started to dump on top of that almost every other possible control set. In fact, if you take a look at the change list in the HITRUST document, you'll see all the standards and regulations they've dumped into it (PCI, GDPR, NY-DFS, etc etc). You almost have to wonder if they're training to create the "one ring" of IT control sets.
Its a bit daunting, as depending on the size of the organization, more controls are expected.
What I also find a little confusing is they have their MyCSF tool that isn't quite the same as the HITRUST CSF. Don't understand why.
At this point, my experience is that most of the companies that are pursing HITRUST certification are those that are forced to by their clients.
I won't claim to be a HITRUST expert, but I've helped several clients get prepared for HITRUST certification, but can't do the certification work. That can only be don't by people certified by HITRUST (similar to PCI assessments).
--- Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, CIST, CIGE, ISSA Fellow
I have implemented and used the framework and used to be a certified in HITRUST. (I let it lapse as the certification only holds value if you are at a company that does HITRUST audits.)
HITRUST is a proprietary framework that is copyrighted. However, you can get a list of the controls as they map to AICPA's SOC framework from the AICPA website. That might be a good place to start if you are looking for something that is no cost.