Comparing Your HITRUST Assessment Options

In January 2023, version 11 of the HITRUST CSF was released. Included in v11 is a new assessment option, HITRUST Essentials (e1), to go along with the i1 and r2. It was also announced that the HITRUST CSF Basic, Current State (bC) Assessment is being retired in January 2023. The e1 will replace the bC as the least rigorous assessment option that may be the best option for lower-risk scenarios.

For healthcare organizations, having the three HITRUST assessment options provides more flexibility, but it can be confusing to identify the assessment that is the best fit. To simplify the selection process here is a breakdown of the differences between the assessments, including:

• The level of effort required for each certification
• The types of businesses each certification makes the most sense for
• How each assessment is accepted in the healthcare industry

HITRUST Essentials, 1-year (e1)

The e1 is designed as a low-effort cybersecurity assessment focusing on basic cybersecurity hygiene and addressing what HITRUST identified as the most critical cybersecurity practices. The e1 is a good match for vendors whose risk may not be high enough to warrant the more extensive HITRUST assessments, but do need to demonstrate a verifiable commitment to basic security. This assessment option evaluates controls based on the implementation of the control which reduces the amount of required policy and procedure documentation. The e1 contains 44 standardized controls and no scoping is required.

The e1 is a validated assessment that requires the organization to use a HITRUST assessor firm to evaluate their control maturity for submission to HITRUST for certification. e1 certifications must be renewed annually.

The e1 is a good choice for organizations just getting started on their HITRUST journey and aren’t ready to devote the time and effort required for an i1 or r2 certification. Establishing compliance with the e1 controls can serve as a good starting point if you plan on obtaining a more rigorous certification down the road.

The e1 is a good assessment option for service providers who have limited access to or use of Protected Health Information.

HITRUST CSF Implemented, 1-Year (i1) Validated Assessment

The i1 is a validated assessment that requires the use of a HITRUST External Assessor Firm and does result in certification. It is based on NIST and the HIPAA Security rule and is designed to demonstrate “best security practices.” There are approximately 180 i1 controls that cannot be tailored. The i1 controls are also evaluated on implementation. Your assessment is submitted to HITRUST for a Quality Assurance Review for your certification to be approved or denied.

The i1 is the midrange assessment option in terms of effort and time.  The i1 does not require that you have detailed policy and procedure documentation for all controls as it is scored on implementation only. Additionally, if you use a cloud service provider you may be able to inherit some of your control maturity from your provider. The i1 does require an external assessor to validate your control implementation. Once that is done and your assessment is submitted, HITRUST guarantees they will complete your review in no more than 45 days if everything is done correctly on your end. i1 certifications are endorsed by the Provider Third Party Risk Management Council, but keep in mind that it is still a new assessment and may not be as well recognized in the industry.

The i1 certification must be completed annually. Organizations that also have SOC, PCI, or other security assurances that are renewed yearly can sync i1 to the same schedule as their other certifications to reduce the impact of multiple reviews on the organization.

An i1 assessment is a good selection for companies that have cyber security controls in place but have limited policy and process documentation. If an organization eventually wants an r2 certification, i1 can serve as a good steppingstone.

HITRUST CSF Risk-based, 2-Year (r2) Assessment

The r2 is the legacy HITRUST assessment that is based on more than 40 security frameworks, including NIST, ISO, and PCI DSS. It is highly regarded throughout the healthcare industry. An r2 certification is a fit for organizations that want to show the highest level of commitment to data security.

The r2 certification is the heaviest lift, requiring the most effort, time, and money. Securing r2 certification will require large amounts of policy and process documentation and potentially the implementation of new tools and processes.

There are more than 2,000 r2 controls, but your scope will be tailored to match your organization’s operations. Businesses typically have a control count of between 200-800.  Scoring for r2 controls is based on 5 maturity levels, policy, process, implementation, measured, and managed. Like the i1, r2 requires a HITRUST External Assessor Firm, and assessments are submitted to HITRUST for a Quality Assurance Review.

A full r2 assessment is required every two years. On alternate years an interim assessment must be completed. You will work with your assessment firm to show you are still meeting the requirements of 19 controls selected by HITRUST. During the interim assessment, you will also need to show you have remediated or are working to remediate any gaps from the previous year’s full assessment.

The payoff for all the effort is a certification that will give your customers great confidence in your organization’s ability to protect data. The r2 certification may also provide certification for NIST depending on your control implementation status.

To take a deeper dive into the HITRUST assessment options, watch our “Selecting the Right HITRUST Assessment for your Organization” presentation.

CompliancePoint has an experienced team of healthcare and cybersecurity professionals that guide you through the HITRUST certification process. Contact us at connect@compliancepoint.com to learn more about how we can help your organization.