Articles & Blogs

HITRUST Framework – e1, i1, and r2 Assessments Explained

June 22, 2023 | By Accorian
HITRUST Certification (e1, i1 & r2 Assessments)

According to IBM Security, the average cost of a healthcare data breach has increased to $10.1 million in 2022. This significant rise in cost highlights the critical need for healthcare organizations to protect patients’ confidential information. This need triggered the growing demand for compliance with regulations, standards, and certifications, such as the (Health Information Trust Alliance) HITRUST certification. Adhering to such standards can help organizations demonstrate their commitment to data security and assure patients that their information is being protected.

What is HITRUST Certification?

HITRUST was established in 2007 to address security and privacy concerns related to sensitive information, including medical records. HITRUST created the Common Security Framework (CSF), which can be used by any organization that creates, accesses, stores, or exchanges sensitive data. It is a cybersecurity risk management framework that helps healthcare organizations assess the effectiveness of security data.

HITRSUT CSF includes 14 security controls, 149 control specifications, and 45 control objectives. It provides organizations with a comprehensive, risk-based, certifiable framework that assists healthcare service providers with regulation standards into a single overarching security framework.

Types of HITRUST Assessments

  • HITRUST Essentials 1-Year (e1) Assessment

The HITRUST e1 assessment provides a solid foundation for cybersecurity and is an ideal starting point for organizations seeking to get oriented with the HITRUST CSF framework. With 44 standardized controls, this assessment offers assurance for organizations with low-level information security risks, making it an excellent choice for small businesses or startups with limited resources. Additionally, it is a faster assessment option that can be used to establish a baseline security posture and identify areas that require further coverage.

  • HITRUST Implemented 1-Year (i1) Assessment

The i1 assessment is a one-year certification that offers moderate assurance for healthcare organizations and business partners. It focuses on a set of controls selected by HITRUST that are updated annually and evaluates their effectiveness in practice. The current version (v11) includes a standardized set of 182 requirement statements that apply to all organizations seeking this certification.

  • HITRUST Risk-Based 2-Year (r2) Validated Assessment

The HITRUST Risk-based 2-year (r2) Validated Assessment demonstrates an organization’s commitment to proactive and comprehensive data protection and risk mitigation practices. This globally recognized certification validates that an enterprise effectively manages risk by meeting and exceeding industry-defined cybersecurity standards.

Customized for each organization based on a scoping exercise, the risk-based 2-year assessment assigns the number of requirement statements based on the business’s risk profile. The r2 assessment comprises over 40 security frameworks, including NIST, ISO, and PCI DSS, making it highly regarded in the healthcare industry. An r2 certification is suitable for organizations with the highest commitment to data security.

Comparing HITRUST Assessments

Comparing HITRUST Assessments

Benefits of Achieving HITRUST Certification

HITRUST is often misunderstood as just a framework. It’s a consortium of experts in privacy, information security, and risk management who view information security as an essential aspect of data systems and exchanges.

Below are the steps to become HITRUST Certified:

1. Readiness Assessment
• Define the scope of work for HITRUST
• Use the HITRUST MYCSF® tool better to understand the framework and several controls under consideration
• Conduct a high-level review of the HITRUST domains and identify gaps in comparison to the organization’s current state
• Create a roadmap certification that outlines the steps to achieve HITRUST certification

2. Roadmap Execution
• Partner with the client to implement the roadmap
• Create policies and procedures as required
• Perform security testing as required
• Assist with program management to ensure ongoing compliance with HITRUST requirements

3. Incubation
• Assess your organization’s level of maturity model
• Implement security controls and practices for a minimum of 90 days before initiating the validated assessment to demonstrate compliance with the HITRUST CSF

4. Validated Assessment
• Audit the evidence uploaded to MyCSF® by the client
• Partner with the client to mitigate gaps and implement appropriate procedures
• Submit the assessment for validation or verification to HITRUST

5. Maintaining HITRUST Certification
• For an e1, annual Validated Assessment
• For an i1, rapid recertification in the second year
• For an r2, an interim assessment in the second year

Benefits of Achieving HITRUST Certification

1. Mitigate the Risk of Cyber Attacks
HITRUST CSF certification contributes to the robust security of health data, intellectual property, and other proprietary data. This improves data security and lowers the risk of breaches.

2. Recognized as the Golden Standard
According to research conducted by HITRUST, organizations that pursue HITRUST CSF certification experience significant improvements in their information security posture, with 97% of organizations being able to meet and maintain a high level of security posture.

3. Shorter Future Audits
HITRUST CSF is an all-inclusive security framework that covers various compliance requirements such as HIPAA, PCI-DSS, and NIST. By implementing HITRUST controls, organizations can streamline the compliance audit process and reduce the time and effort required for future audits.

4. Ensures Business Success in the Healthcare
In today’s healthcare industry, strong information security practices are a prerequisite for business success. Achieving HITRUST certification can not only safeguard sensitive data but also enhance an organization’s reputation and credibility. Furthermore, it increases revenue potential by expanding the organization’s total addressable market.

Accorian: Your Ideal Partner for Achieving HITRUST Certification


As an authorized HITRUST CSF Assessor, Accorian specializes in assisting businesses of all sizes to achieve certification. We work with you to reinforce your organization’s compliance and ensure you meet all requirements for HITRUST certification. Our security team possesses extensive experience in HITRUST implementation and certification, enabling us to serve as your full-service cybersecurity partner throughout the process.

Recent Blog

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide