HITRUST certification options: FAQ

Erika L. Del Giudice, Jared Hamilton, Zach Rutz

Our team of specialists answers six key questions to help organizations understand HITRUST, the r2 vs. i1 assessments, and how to decide which is right for them. 

Since the HITRUST CSF® information security framework was first introduced in 2007, a rapidly growing number of organizations across many industries have established HITRUST certification as a requirement for their suppliers, affiliates, and other partner organizations. 

In early 2022, HITRUST introduced a new certification option: the Implemented, 1-Year (i1) Validated Assessment + Certification. While the previously established Risk-based, 2-Year (r2) Validated Assessment + Certification provides the highest level of information protection assurance to customers, boards, and other interested parties, the new i1 certification can be a valuable alternative, offering many organizations a simpler and faster way to become HITRUST-certified. 

To help organizations decide which approach is most appropriate for them, here are answers to some of the most frequently asked questions.

Q: Why did HITRUST introduce a second certification option? 

The original purpose of the HITRUST CSF framework was to provide organizations with a structured approach to data protection compliance by integrating various regulations and standards into a single overarching security and privacy framework. By taking into account the broad range of nationally and internationally accepted security and privacy-related regulations and standards – including those of the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI) Security Standards Council, HIPAA, and the General Data Protection Regulation (GDPR) – the HITRUST framework standardizes various diverse requirements, providing clarity and consistency while reducing the burden of compliance.  

For many organizations, however, achieving HITRUST certification still required the commitment of extensive resources. In addition, many moderate-risk situations exist in which a less demanding level of assurance would be sufficient. The new i1 assessment was introduced to meet this need, offering assessment and certification processes that require less effort and time to perform while still providing a level of reliability that is appropriate for moderate-risk and lower-risk scenarios.  

Q: What are the differences between the two HITRUST certifications? And what do they have in common? 

Both the i1 assessment and the r2 assessment are built around the HITRUST CSF framework, which addresses information security control requirements across 19 specific domains. These 19 assessment domains encompass the full range of information security issues, from endpoint protection, wireless security, and network protection to incident management, third-party assurance, and business continuity and disaster recovery, to name only a few. In both certification approaches, the assessment, testing, and validation activities are carried out by a qualified HITRUST Authorized External Assessor firm that is chosen by the subject organization.  

The two HITRUST certification options differ in three important areas: 

  1. The scope of their control requirements. The r2 certification process uses a set of scoping factors to generate a custom, risk-based set of control requirements that is specific to each organization. The total number of r2 control requirements can range from as few as 198 to as many as 2,000 or more; somewhere around 360 controls is typical.

    The i1 assessment, on the other hand, uses a fixed set of control requirements that use current security best practices, ongoing threat intelligence data, and the MITRE ATT&CK® framework to keep pace with the latest threats. The current i1 assessment encompasses 219 preset control requirements, but that number is subject to change. HITRUST reevaluates current controls and intelligence at least quarterly to be sure the requirements stay up to date.  

  2. The scope of their assessment methodologies. Once the control requirements have been defined in an r2 certification, each control is evaluated against the HITRUST maturity model, which assesses the organization’s policies, processes, and implementation of controls in daily operations. An r2 assessment also may include optional evaluation of the relevant measurement and management activities for each control requirement.

    An i1 assessment, on the other hand, focuses only on the implementation maturity level for each control. This narrower focus simplifies and accelerates the assessment process while still providing assurance that control requirements are in place and operating as intended.   

  3. The frequency and depth of their assessment processes. An r2 certification process requires greater effort, but it also provides higher levels of assurance. The complete assessment is conducted every two years, with an interim assessment at the one-year mark.

    The i1 assessment process, on the other hand, is conducted annually, but it requires a more moderate level of effort, providing a level of assurance that is sufficient for many organizations.  

Q: How does an organization choose the correct HITRUST certification approach? 

The right choice depends in large part on the maturity level of the organization’s security program and, even more importantly, on the expectations of the external partner organization that is requiring certification or of the internal stakeholders who are calling for it.

Because of the flexibility, customization, and comprehensive breadth of its control requirements, the Risk-based r2 assessment is globally recognized as a high-level validation showing that an organization successfully manages cyber risk. It is especially applicable to organizations that handle significant volumes of personal information or other sensitive data, providing necessary certification of compliance with a range of industry standards and frameworks as well as federal and state regulations. HITRUST r2 certification also can include an optional HIPAA reporting pack that streamlines response to a HIPAA audit. 

The implementation-focused i1 assessment, on the other hand, often is recommended for situations that present more moderate levels of risk. Because it is threat-adaptive, with a control set that evolves over time, it is well suited to situations that require continuous vigilance against emerging cybersecurity threats. It also is particularly useful as a first step for organizations that are getting started with information security certification and compliance, or in situations where speed to certification is a critical factor.

Q: If an organization already is HIPAA-compliant, why does it need HITRUST certification? 

HITRUST is indeed the leading security certification for healthcare providers and healthcare services organizations, but its relationship to HIPAA sometimes is misunderstood. Put simply, the HIPAA security and privacy rules spell out detailed standards of compliance but offer no prescriptive guidance or processes for achieving compliance. The HITRUST CSF framework offers a workable methodology to accomplish that.  

This capability recently led the Provider Third-Party Risk Management Council, an organization of chief information security officers from leading health systems, to instruct moderate-risk vendors to provide information security assurances through the new HITRUST i1 certification rather than through other third-party mechanisms such as a System and Organization Controls (SOC) 2 report.  

Q: What if an organization doesn’t need to be HIPAA-compliant? Why should it consider HITRUST certification? 

The HITRUST CSF framework is applicable across a broad range of industries in addition to healthcare. Numerous organizations in the financial services, retail, manufacturing, higher education, and government sectors now include HITRUST certification – either the Risk-based r2 certification or the Implementation-oriented i1 certification – as a contract requirement for information protection assurance.

Moreover, in addition to third-party assurance, HITRUST assessments also are useful in helping company management, boards, and investors evaluate the effectiveness of their organizations’ cyber preparedness and resilience efforts. A growing number of internal users and investors now are requiring their information security teams to achieve HITRUST certification as an internal control and assurance measure. 

Q: How does the HITRUST certification process work? How does an organization get started?  

The first step in HITRUST certification is an initial readiness assessment to identify and analyze gaps between current practices and the HITRUST CSF. A qualified HITRUST Authorized External Assessor can lead this assessment, which then will be followed by a remediation phase that must be performed by the sponsoring organization itself to address any control gaps that were identified. The assessor then can perform a validated assessment that tests and reviews control scoring, in preparation for final HITRUST quality assurance and certification.  

Erika L. Del Giudice, Principal, IT Assurance Services
Jared Hamilton, Managing Director, IT Assurance Services
Zach Rutz