As security expectations continue to rise, organizations are increasingly asked a simple but critical question by customers and partners: “Are you HITRUST™ certified?”
The answer is not always obvious. HITRUST™ is no longer a single certification path – it is a comprehensive portfolio of assurance options, each designed to address different risk profiles, maturity levels, and business objectives.
In our previous article, The HITRUST™ Certification Journey: From Readiness to Validated Assessment, we explored the ten core elements that determine certification success – from management buy-in to remediation strategies. In this guide, we focus on a different decision: how to choose the right HITRUST™ assessment for your organization.
Why the Assessment Choice Matters
Selecting an assessment that is inadequate can leave gaps in assurance and fail to meet customer expectations, requiring costly rework when requirements increase. Conversely, pursuing an overly comprehensive assessment can strain resources and extend timelines beyond what is needed for current business objectives.
Choosing the appropriate assessment can improve efficiency, reduce redundant effort, and provide the level of assurance that customers, regulators, and stakeholders expect. It also helps organizations scale their compliance journey in a practical way, whether they are building a foundational program through e1, validating implemented controls through i1, or pursuing the broader assurance offered by r2.
Selecting the right assessment also helps align assurance investments with business goals, whether supporting market expansion or preparing for future growth.
The optimal HITRUST™ path balances four key factors:
- Customer and regulatory requirements
- Risk and data sensitivity
- Security program maturity
- Business trajectory
Understanding the Three Core HITRUST™ Assessments
e1 Validated Assessment: Foundational Security
The e1 assessment addresses 43 (v11.7) essential requirements and provides foundational cybersecurity assurance. This assessment is valid for one year and is designed for organizations establishing baseline security practices.
Ideal for:
- Early-stage organizations building their first structured security program
- Companies establishing foundational security controls
- Organizations new to formal security frameworks
- Businesses responding to initial customer security inquiries
While e1 provides foundational assurance, it is not intended for high-risk environments or enterprise-level assurance requirements.
i1 Validated Assessment: Standardized Moderate Assurance
The i1 assessment encompasses 182 (v11.7) requirements and delivers moderate assurance through a prescriptive framework. This is a common path for SaaS providers entering healthcare markets and is valid for one year.
Ideal for:
- SaaS and cloud service organizations
- Companies selling into regulated industries
- Organizations with operational security programs in place
- Businesses seeking to streamline repetitive customer security reviews
The i1 assessment utilizes a prescriptive requirement set rather than a risk-tailored approach. This standardization improves implementation efficiency, though some requirements may not perfectly align with an organization’s specific threat landscape.
HITRUST™ also offers an i1 Rapid Recertification option. When there is no material change in scope from the previous assessment, an organization that has successfully completed the full i1 assessment can follow this expedited assessment path, which is useful when timelines or business needs require a faster route to validation.
r2 Validated Assessment: Comprehensive Risk-Based Assurance
The r2 assessment represents HITRUST™'s most rigorous certification option. Fully risk-based and customized to an organization’s specific environment, data sensitivity, and threat exposure, this assessment provides the highest level of assurance. It is valid for two years and is typically required by large healthcare systems and payers.
Ideal for:
- Organizations processing large volumes of sensitive health information
- Highly regulated industries with stringent compliance requirements
- Businesses with explicit HITRUST™ r2 requirements in customer contracts
- Companies requiring demonstrated compliance across multiple frameworks (HIPAA, NIST CSF, ISO 27001)
The r2 assessment requires more extensive planning, coordination, and resources compared to e1 or i1. However, for organizations with stringent customer or regulatory requirements, r2 certification is often non-negotiable. The two-year validity period also reduces the frequency of recertification efforts compared to annual assessments.
To prove continued assurance during the certification cycle, organizations that have successfully completed the r2 assessment also need to undergo a mandatory Interim Assessment, which should be completed prior to the certification anniversary date. This helps validate that security controls remain effective between certification periods and supports ongoing compliance maturity.
Assessment Comparison at a Glance
| Assessment Criteria | e1 | i1 | r2 |
|---|---|---|---|
| Level of assurance | Foundational | Moderate | High |
| Requirements covered | 43 (v11.7) | 182 (v11.7) | Risk tailored (Average 350 requirements) |
| Validity period | 1 year | 1 year | 2 years |
| Typical timeline | 3-4 months | 5-7 months | 8-10 months |
| Best suited for | Early-stage, foundational security | Growing SaaS, vendor requirements | Enterprise, highly regulated |
| Certification maintenance | Annual full assessment required | Rapid Recertification option available | Mandatory Interim Assessment after 1 year |
Expanding Assurance: HITRUST™ AI Security Assessment
As organizations increasingly adopt AI-driven technologies, security and governance considerations are expanding beyond traditional compliance domains. The HITRUST™ AI Security Assessment helps organizations evaluate controls related to the responsible use, governance, and security of artificial intelligence, offering a structured way to address emerging risks. For organizations integrating AI into critical systems or services, it can serve as a valuable extension of broader assurance and compliance efforts. To learn more, see our article Security for AI Systems: Why HITRUST™ Matters Now.
A Simple Framework for Choosing the Right Assessment
Rather than guessing which assessment to pursue, evaluate these four critical questions:
1. What do your customers and partners explicitly require?
Review customer requirements and contracts carefully. If requirements explicitly state “HITRUST™ r2 certification required,” that determines the organization’s necessary path. If they do not state r2, confirm whether an e1 or i1 assessment will suffice. Understanding customer expectations upfront prevents misalignment and delays.
2. What types of data does your organization handle?
Organizations handling Protected Health Information (PHI) often view i1 certification as a practical baseline, while organizations processing or storing large volumes of PHI or handling multiple sensitive data types may require r2 certification to satisfy customer and regulatory expectations.
3. How mature is your organization’s security program today?
Organizations still establishing foundational controls should consider starting with e1. Those with documented policies, implemented procedures, and dedicated security personnel are positioned for i1 or r2 assessments.
4. What are your organization’s strategic business objectives?
If your organization is targeting enterprise healthcare customers, r2 certification will often become a requirement over time. While beginning with an e1 or i1 may be appropriate for current needs, understanding the future certification path and associated timeline is essential for strategic planning and resource allocation.
With the appropriate assessment path and implementation partner, HITRUST™ certification becomes more than a credential: it becomes a strategic differentiator and a foundation for scalable, sustainable security. Achieving that outcome, however, requires more than selecting the right assessment. Organizations must also manage controls, evidence, and ongoing compliance in a structured and repeatable way.
How ControlCase Supports HITRUST™ Success
Many organizations struggle with HITRUST™ not because their security practices are weak, but because translating existing controls into HITRUST™ requirements, managing evidence, and handling cloud control inheritance can quickly become complex.
ControlCase addresses these challenges through:
- Requirement clarification – Ensuring precise understanding of control expectations and implementation requirements
- Evidence management – Centralizing documentation and evidence through the ControlCase Compliance Hub portal to streamline assessment preparation and ongoing compliance
- Control inheritance optimization – Leveraging inherited controls from major cloud providers (AWS, Azure, GCP) to reduce implementation burden
- Cross-environment complexity – Managing security and compliance across cloud, SaaS, and emerging AI systems
With the right assessment strategy and the right partner, HITRUST™ becomes more than a certification – it becomes a long-term foundation for trust, resilience, and secure growth in an increasingly demanding risk environment.
