HITRUST Offers Streamlined Assessment Alternatives

The HITRUST™ organization provides a framework that safeguards sensitive information and can help manage information risk for organizations across all industries. Its programs have been widely adopted in the healthcare industry. 

Until recently, organizations wishing to obtain HITRUST certification have been required to undergo a rigorous HITRUST Common Security Framework (CSF) Validated Assessment performed by a third-party External Assessor organization that has been approved by HITRUST to perform validated assessments.

In October 2021, HITRUST announced two new assessment options to accommodate organizations with different levels of risk exposure. With these additions, HITRUST now offers three assessment alternatives:

  • The Basic, Current-State (bC) Assessment (New). Suitable for lower-risk scenarios. Offers higher reliability than self-assessments and questionnaires. Uses HITRUST Alliance Intelligence Engine—an Artificial Intelligence (AI) tool—to identify errors, omissions, and deceit.
  • The Implemented, 1-Year (i1) Validated Assessment (New). Suitable for moderate-risk scenarios or where a baseline risk assessment is needed. HITRUST Authorized External Assessors will validate i1 Validated Assessments.
  • Risk-Based, 2-Year(r2) Validated Assessment (Current). This is the new name for the CSF Validated Assessment. Otherwise, the requirements are the same. Suitable for higher-risk scenarios. HITRUST Authorized External Assessors will validate r2 Validated Assessments.

What Are the Main Differences Between the Three HITRUST Assessment Options?

HITRUST published the following table summarizing the key differences between the three assessment options:

Current-State Assessment (bC)
HITRUST Implemented,
1-year (i1) Validated Assessment
HITRUST Risk-Based,
2-year (r2) Validated Assessment
(Former Name: HITRUST CSF Validated Assessment)
DescriptionVerified Self-AssessmentValidated Assessment + CertificationValidated Assessment +
Risk-Based Certification
Purpose (Use Case)Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirementsA threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements
Number of Control Requirement Statements71 Static219 Static2000+ based on Tailoring
(360 average in scope of assessments)
Flexibility of Control SelectionNo TailoringNo TailoringTailoring
Evaluation Approach1×3: Control Implementation1×5: Control Implementation3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels
Targeted Coverage*NISTIR 7621: Small Business Information Security FundamentalsNIST SP 800-171, HIPAA Security RuleNIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others
Level of Assurance**LowModerateHigh
Relative Level of Effort0.51.05.0
Certifiable AssessmentNoYes, 1 YearYes, 2 Year
Complementary AssessmentsNoneReadinessReadiness, Interim, Bridge

Key Takeaways

Although the new i1 validated assessment only offers certification for one year versus a two year certification for the traditional r2 validated assessment, it comes with key benefits.  The i1 validated assessment is an implemented only assessment, which means the rigorous policy and procedure assessment from the r2 validated assessment is not performed.  This makes the i1 validated assessment a solid choice for organizations that may not have the full maturity required for an r2 validated assessment and serves as a steppingstone towards the r2 validated assessment.

Additionally, by only having 219 requirements, it takes a relatively moderate level of effort to complete when compared to traditional HITRUST certification efforts, while still levelling up to the gold-standard quality for which HITRUST certifications are known. 

When Are the New Assessment Options Available?

The new assessments options were available starting December 30, 2021.

How Do We Share Assessment Results?

Effective December 31, 2021, organizations were able to submit third-party assessment results to HITRUST via a new Results Distribution System. This replaces the former inefficient process of authenticating, requesting, sharing, and analyzing results in the form of PDF files. The RDS will allow assessed organizations to share results through a secure web portal or API, which streamlines and accelerates the submission and review process.

Additional Resources

For a deeper dive on these topics, check out these resources:

We Can Help

As a HITRUST Authorized External Assessor, we are fully qualified to perform i1 and r2 Validated Assessments. Our team of experienced healthcare security experts can also help you bring your organization into line with HITRUST requirements to ensure you are ready for a Validated Assessment. If you have questions about which assessment option is best for you or any other HITRUST questions, just give us a call at (833) 292-1609 or email us at sales@tevora.com.

Get Started with Tevora Today

Experience a partner that is trustworthy, reliable, and produces the quality you demand.