HITRUST has rolled out several changes providing new assessment options for organizations to achieve various levels of assurance. Overall, there are three assessments, each helping organizations to evaluate and understand the effectiveness of their cyber preparedness and resilience. These new HITRUST assessment options give more flexibility based on risk, level of assurance, frequency, and cost for organizations to validate information assurance. 


What is the HITRUST i1 assessment? 

The biggest change is the new i1, HITRUST Implemented, 1-year Assessment. 

HITRUST is addressing the need for a continuously relevant cybersecurity assessment that aligns and incorporates best practices and leverages latest threat intelligence to stay ahead of information security risks and emerging cyber threats, such as ransomware.” 

For Business Associates having the i1 option provides a way to obtain information assurance when there is only moderate risk. Before this option was available obtaining HITRUST CSF Certification (now called r2 assessment) may have been prohibitive. 

The i1 assessment is meant to address ever-evolving cybersecurity threats, as such it is only valid for one year, not two. In addition, HITRUST will evaluate the controls and implementation and make updates as needed. Organizations will undergo yearly assessments and be evaluated against the current published HITRUST CSF and i1 controls. This provides a way to sunset controls that have lost relevance and have limited assurance value. 

The level of effort is less than an r2 assessment. However, it still provides the high levels of transparency, integrity, and reliability to ensure the safeguarding of information in moderate risk environments for Business Associate agreements. 

  • There is a fixed pre-set number of controls curated by HITRUST.
  • The maturity levels for the controls for an r2 review includes Policy, Procedure, Implemented, Measured, and Managed. For an i1 assessment the focus is only on Implemented to ensure controls are in place and operating as intended.
  • Service providers (such as cloud service providers) can be carved out / excluded from consideration in i1 validated assessments.
  • An Authorized HITRUST External Assessor Organization will inspect documented evidence to validate control implementation.
  • Assessment results undergo a full Quality Assurance (QA) by HITRUST.
  • A shareable, final report with certification is issued by HITRUST, valid for one year.

HITRUST i1 can be a way to quickly provide the certification for Business Associate Agreements. Previously getting HITRUST Certified was a complex endeavor. Now with the creation of i1 certification more organizations can achieve the information assurance that their business needs. Having the experience of i1 is a great step to grow your business. Moving to the more complex r2 the following year, as risk warrants, can leverage the original effort and maturity in implementation to the full spectrum of maturity levels. 

What is the HITRUST r2 assessment? 

The former HITRUST CSF Assessment is still the premier assessment for the healthcare industry. It has just been renamed HITRUST Risk-Based 2-Year (r2) Validated Assessment. The r2 is the most comprehensive and suited for organizations with high assurance requirements. 

What is the HITRUST bC assessment? 

The HITRUST Basic, Current-State (bC) Assessment is a newly enhanced self-assessment option. Organizations attest to their ‘good hygiene’ by answering questionnaires that utilizes the HITRUST Assurance Intelligence Engine (AI Engine). This brings a high level of reliability by identifying errors, omissions, and flags suspected deceitful answers. 

TECH LOCK can help you get certified at any level 

Our HITRUST Certified Assessors can work with you on achieving i1 or r2 HITRUST Certification. Even those that are planning to utilize the bC self-assessment, our managed security services can provide many of the security controls with 24×7 security operations. We can guide you through a readiness assessment to identify and close gaps or engage with you for a validation assessment. Explore what these HITRUST changes can mean for your organization, talk to us today.