Comparing the HITRUST Assessment Options

In 2021, HITRUST added 2 assessments to its portfolio, the bC, and i1, to go along with the r2 which has long been available under its previous title, the HITRUST CSF Validated Assessment. For healthcare organizations, having the 3 HITRUST assessment options provides more flexibility, but it can be confusing to identify the assessment that is the best fit. To simplify the selection process here is a breakdown of the differences between the assessments, including:

  • The level of effort required for each certification
  • The types of businesses each certification makes the most sense for
  • How each assessment is accepted in the healthcare industry

HITRUST CSF Basic, Current State (bC) Assessment

The bC is a verified self-assessment designed to demonstrate “good security hygiene.” There are 71 control requirements for the bC. These controls are the same for every organization, there is no tailoring. The controls are only evaluated on implementation, so not a lot of policy and process documentation is required. Your organization’s assessment is reviewed by HITRUST’s Assurance Intelligence Engine. The results of your assessment can be added to the HITRUST distribution system, where they will be visible to your clients that use the system.

Of all the HITRUST assessment options, the bC requires the least effort, time, and financial investment, but it also provides the lowest level of assurance. Being a self-assessment, working with a HITRUST External Assessor Firm isn’t necessary with the bC.

There is no formal certification for the bC. If a client requires HITRUST certification, the bC  may not be an option.

The bC self-assessment is a good choice for organizations just getting started on their HITRUST journey and aren’t ready to devote the time and effort required for an i1 or r2 certification. All 71 bC controls are included in the i1 assessment, making the bC a good starting point to obtain a more rigorous certification down the road.

The bC is also recommended for service providers who have limited access to or use of Protected Health Information.

HITRUST CSF Implemented, 1-Year (i1) Validated Assessment

The i1 is a validated assessment that requires the use of a HITRUST External Assessor Firm and does result in certification. It is based on NIST and the HIPAA Security rule and is designed to demonstrate “best security practices.” There are 219 i1 controls, and like with the bC, the controls cannot be tailored. The i1 controls are also evaluated on implementation. Your assessment is submitted to HITRUST for a Quality Assurance Review for your certification to be approved or denied.

The i1 is the midrange assessment option in terms of effort and time.  The i1 does not require that you have detailed policy and procedure documentation for all of the 219 controls as it is scored on implementation only. Additionally, if you use a cloud service provider you may be able to inherit some of your control maturity from your provider. The i1 does require an external assessor to validate your control implementation. Once that is done and your assessment is submitted, HITRUST guarantees they will complete your review in no more than 45 days if everything is done correctly on your end. i1 certifications are endorsed by the Provider Third Party Risk Management Council, but keep in mind that it is still a new assessment and may not be as well recognized in the industry.

The i1 certification must be completed annually. Organizations that also have SOC, PCI or other security assurances that are renewed yearly can sync i1 to the same schedule as their other certifications to reduce the impact of multiple reviews on the organization.

An i1 assessment is a good selection for companies that have cyber security controls in place but have limited policy and process documentation. If an organization eventually wants an r2 certification, i1 can serve as a good steppingstone.

HITRUST CSF Risk-based, 2-Year (r2) Assessment

The r2 is the legacy HITRUST assessment that is based on more than 40 security frameworks, including NIST, ISO, and PCI DSS. It is highly regarded throughout the healthcare industry. An r2 certification is a fit for organizations that want to show the highest level of commitment to data security.

The r2 certification is the heaviest lift, requiring the most effort, time, and money.  Securing r2 certification will require large amounts of policy and process documentation and potentially the implementation of new tools and processes.

There are more than 2,000 r2 controls, but your scope will be tailored to match your organization’s operations. Businesses typically have a control count of between 200-800.  Scoring for r2 controls is based on 5 maturity levels, policy, process, implementation, measured, and managed. Like the i1, r2 requires a HITRUST External Assessor Firm, and assessments are submitted to HITRUST for a Quality Assurance Review.

A full r2 assessment is required every two years. On alternate years an interim assessment must be completed. You will work with your assessment firm to show you are still meeting the requirements of 19 controls selected by HITRUST. During the interim assessment, you will also need to show you have remediated or are working to remediate any gaps from the previous year’s full assessment.

The payoff for all the effort is a certification that will give your customers great confidence in your organization’s ability to protect data. The r2 certification may also provide certification for NIST depending on your control implementation status.  .

To take a deeper dive into the HITRUST assessment options, watch our “Selecting the Right HITRUST Assessment for your Organization” presentation.

CompliancePoint has an experienced team of healthcare and cybersecurity professionals that guide you through the HITRUST certification process. Contact us at to learn more about how we can help your organization.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.