Protection of patient and other sensitive healthcare information is a top priority for all healthcare organizations, which entails compliance with a growing range of regulations. Staying on top of all the relevant standards can be daunting for stakeholders across a broad array of healthcare service organizations, associates, and vendors.

HITRUST recently released the e1 and i1 versions to enhance mitigation against evolving cyber threats and to speed up the transition to higher levels of assurance.

The Health Information Trust Alliance (HITRUST) strives to address such problems by:

  • Offering an integrated security strategy
  • Introducing a mechanism to certify compliance with HIPAA security criteria to a third-party assessor

HITRUST provides a comprehensive, risk-based certifiable framework that helps healthcare service providers of all types, sizes, and complexity integrate compliance with a wide range of regulations, standards, and best practices.



HITRUST developed and maintains the Common Security Framework (CSF), which provides a mechanism for standardizing Health Insurance Portability and Accountability Act (HIPAA) compliance and coordinating it with other national and international data security standards, in addition to numerous state laws.

By integrating more than 20 distinct standards and processes, the HITRUST CSF certification allows healthcare organizations to perform a single assessment to certify compliance with multiple initiatives, including a HIPAA compliance audit.

How Important Is HITRUST?

The healthcare sector generally drives and controls HITRUST enforcement, while HIPAA establishes specific consequences for data security violations.
The industry, including hospitals and payers requiring certification, has seen swift adoption of HITRUST, and it is gaining ground as an expectation for service providers and vendors.

It’s not always necessary to get HITRUST certification when implementing new technology, but it provides opportunities to streamline security and compliance as part of the implementation process.

When And Why Should You Adopt HITRUST?

You can benefit from HITRUST in a multitude of ways.

A Single Framework For Vital Certifications

The HITRUST architecture offers a single framework for synchronizing current worldwide security legislation and standards. The following are some examples of what it entails:

The Advantage of a Sterling Reputation

Providers and vendors that serve the healthcare sector may find that HITRUST gives them an edge in terms of market value and reputation.

The Security of Certification

If a client sends you a letter requesting HITRUST CSF certification, you can be ready with a certified data security program ahead of time. Here’s to being proactive!

Offers Enhanced Security

HITRUST assessments enhance the security status and risk management procedures of your firm.

It’s Scalable

Controls are applicable to any size, kind, and complexity of organization.

Types of HITRUST Assessments

It may be a daunting task to choose the correct HITRUST assessment when you want to analyze and express assurances about the security of protected health information (PHI).

Consider assessments to guarantee passing an audit by the Office of Civil Rights, the agency within the Department of Health and Human Services that implements the penalties related to the HIPAA Privacy and Security Rules.

The HITRUST CSF certification offers healthcare businesses a variety of examinations. Each of them serves a distinct goal and employs a different methodology. Let’s take a closer look at each one to see which one is right for your organization.


HITRUST e1 Assessment

The e1 version offers "good hygiene" assurance across 44 controls for organizations with low-level information security risk. It is ideal for small organizations or start-ups with limited resources that want to differentiate themselves in the marketplace. It is a faster option for establishing a benchmark security posture and identifying coverage gaps.


HITRUST Implemented, 1-Year (i1) Validated Assessment

This one-year certification is for healthcare organizations and business partners that need moderate assurance. It focuses on a list of controls that HITRUST chooses and updates every year. These controls are tested for how well they are being used. Our assessors will look over the assessment, make sure it is correct, and send it to HITRUST for approval.


HITRUST Risk-Based, 2-Year (r2) Validated Assessment

HITRUST CSF assessments look at the different controls that are in scope and how mature they are in the Policy, Procedure, Implemented, Measured, and Managed categories. HITRUST certifications can be earned through validated assessments if you receive a satisfactory assessment score.

It is suggested that new clients do a self-assessment first to get a sense of where they stand in terms of their score. Our assessors take the time to help clients understand all parts of the assessment and give helpful suggestions for improving scores in areas where they are low.


HITRUST Interim Assessment

As required by HITRUST, all validated assessments must be followed by an interim assessment within the first year after certification. The interim assessment checks to see if the controls still work and looks at how well any Corrective Action Plans that were made during the initial validation process are being followed.


Bridge Assessment

What happens when an organization that is already HITRUST CSF certified can’t finish its next HITRUST CSF Validated Assessment before its current certificate expires? In such a case, the Bridge Assessment fills the gap.

A Bridge Assessment is similar to an Interim Assessment since it only looks at a limited number of controls and gives an organization a temporary certificate that is acceptable for 90 days. This lets the organization keep working with those who requested HITRUST certification and also finish the next Validated Assessment.

Comparing HITRUST Assessments

Who should get an e1 Certification

The e1 certification can be used for reliable, efficient cybersecurity reviews of:

  • New business units
  • Recently deployed technology platforms
  • Prospective or newly onboarded third-party business partners such as vendors
  • Existing, lower-risk vendors (e.g., those who handle little to no PII)
  • Scope, systems, or vendors with minimum inherent risk but that are part of a system with greater aggregate risk
  • An organization’s practices in support of M&A transactions (buy side or sell side)
  • Near-term review and baseline scoring of a newly acquired organization’s initial cybersecurity maturity
  • Justification for more favorable cyber insurance premiums

Accorian’s HITRUST Services

Our team of experts has extensive experience helping clients comply with healthcare security standards and information security. Our HITRUST assessors' recommendations are transparent and actionable.

We know the complexity of day-to-day IT and security operations, so we’ll never deliver a standard auditor guide or playbook response. We make sure you fully understand and can execute recommendations, personalized for you. From HIPAA to HITRUST and any needs in between, we can support your organization.

  • GAP Assessment
  • Facilitated Self-Assessment
  • Interim Assessment
  • Bridge Assessment
  • Continuous Monitoring of Framework Compliance
  • Third-Party Risk Management Program
  • Healthcare Risk Analysis & Advisory



