HITRUST is the most comprehensive healthcare compliance framework — and the one large hospital systems and national health plans use as their vendor security baseline. We scope the right HITRUST assessment level for your buyer requirements and deliver certification on a clear, fixed timeline.
Timeline: 14–20 weeks (HITRUST i1) · 20–28 weeks (HITRUST r2)
What you get: HITRUST Validated Assessment + Certificate of compliance
Assigned to: HITRUST CCSFP-certified advisor on every engagement
First pass rate: 98% of clients achieve HITRUST certification at first assessment
HITRUST MyCSF portal fees included · Fixed advisory fee
HITRUST — the Health Information Trust Alliance — is a private company that developed the HITRUST Common Security Framework (CSF), a certifiable security framework that incorporates requirements from HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single comprehensive control set. HITRUST certification is issued following a validated assessment by an authorised HITRUST External Assessor.
Unlike HIPAA compliance — which is self-declared and verified through vendor questionnaires — HITRUST is an independently validated certification that tells your healthcare customers that your security programme has been objectively tested against a rigorous, healthcare-specific control framework. Large hospital systems, national health plans, and major healthcare networks have adopted HITRUST as their preferred vendor security certification precisely because it provides a consistent, independently validated standard of assurance.
HITRUST offers three assessment levels — e1, i1, and r2 — that differ in scope, rigor, and the type of assurance they provide. The right level depends on your specific customer requirements, the sensitivity of the PHI you handle, and the type of healthcare organisations you are selling to. Most HealthTech companies selling to large hospital systems need i1 or r2. We scope the correct level for your situation based on your actual buyer requirements — not a generic recommendation.
The e1 assessment is HITRUST's entry-level validated certification. It covers 44 essential security requirements focused on the most critical cybersecurity threats — access controls, malware protection, configuration management, patch management, and incident response. The e1 is a 1-year certification appropriate for vendors at the early stages of a healthcare relationship or for lower-risk use cases. Some hospital systems accept e1 as an initial qualification while requiring i1 or r2 for deeper integrations.
The i1 assessment is the most commonly required HITRUST level for HealthTech vendors. It covers 182 implemented controls across all critical cybersecurity threat areas and HIPAA Security Rule requirements. The i1 provides a significantly more comprehensive assurance than e1 and is increasingly the baseline requirement for hospital system and health plan vendor programmes. Most companies that get asked for 'HITRUST certification' by a hospital system are being asked for i1 or higher.
The r2 assessment is the most comprehensive HITRUST certification — covering 375+ controls tailored to your organisation's specific risk profile. The r2 is required for the most sensitive PHI use cases, for vendors with deep clinical integrations, and for organisations seeking the highest level of independent assurance. The r2 is a 2-year certification and involves a substantially larger assessment scope than i1. For organisations that can demonstrate i1 or previous r2 certification, the assessment process is streamlined through HITRUST's bridge assessment programme.
HITRUST r2 certification is designed to satisfy HIPAA's Security Rule requirements. Completing an r2 assessment does not eliminate your HIPAA obligations, but it provides documented evidence that your security programme meets or exceeds HIPAA requirements across all relevant control areas. Most healthcare enterprise buyers who require HITRUST also require HIPAA compliance documentation and SOC 2 Type 2 — we build all three as a coordinated programme.
The first question is which level your customer actually requires. e1, i1, and r2 are very different engagements. We will review their requirement and tell you the right level, the correct scope, and a realistic timeline — at no cost.
We review your customer's specific HITRUST requirement, confirm the correct assessment level, and define your assessment scope in HITRUST MyCSF — the portal through which all HITRUST assessments are conducted. Scoping is the most consequential early decision in a HITRUST programme. An incorrectly scoped assessment wastes time and money and delays certification.
We implement the required controls and produce the documentation your External Assessor will test. HITRUST assessments are evidence-driven — every control claim requires supporting documentation. We build your control evidence package, resolve gaps, and prepare your team for assessor interviews. We work alongside your engineering and security teams to ensure every control is genuinely implemented, not just documented.
Before the formal External Assessor engagement begins, we conduct a complete readiness review — testing every control for correctness, completeness, and assessor-readiness. We identify and close every remaining gap before your External Assessor engages. This is the step that protects your certification timeline and prevents surprise findings during formal fieldwork.
Your HITRUST External Assessor conducts the validated assessment. We support your team through the entire fieldwork process — managing assessor requests, reviewing evidence before submission, and responding to any corrective action requests. Following fieldwork, results are submitted to HITRUST for quality review and final certification decision. We track the submission through to certificate issuance.
HITRUST e1 and i1 certificates are valid for one year. HITRUST r2 certificates are valid for two years. We maintain your HITRUST programme through the full certification cycle — keeping controls current, preparing your interim assessment documentation, and managing re-certification when due.
Choose e1 if your healthcare customers have explicitly specified e1 as their requirement, or if you are entering the healthcare market for the first time and need an initial qualification that can be obtained relatively quickly. e1 is not accepted by most large hospital systems as a sufficient vendor qualification — it is a starting point, not an endpoint, for most HealthTech companies.
Choose i1 if a hospital system, health plan, or healthcare network has requested 'HITRUST certification' without specifying a level, or if you handle PHI directly and are selling to mid-size to large healthcare organisations. i1 is the de facto standard for vendor qualification in most hospital system and health plan procurement programmes. We recommend i1 as the right default for most HealthTech companies beginning their HITRUST programme.
Choose r2 if your customer has explicitly specified r2, if you handle highly sensitive clinical data or deep EHR integrations, or if you are selling to the largest national health plans and academic medical centres that require the most comprehensive independent assurance available. r2 is a significantly larger undertaking than i1 — we will give you an honest assessment of whether r2 is genuinely required for your specific customer before recommending it.
Our recommendation for most companies: begin a Type 1 engagement immediately and start your Type 2 observation period at the same time. You receive your Type 1 report in 10–12 weeks to close near-term deals, and your Type 2 report roughly 6–9 months later. Same advisory team. Same controls. No duplicated work.
If your question is not here, just email us — we will give you a straight answer.
HITRUST offers three validated assessment levels: e1 covers 44 essential security requirements; i1 covers 182 implemented controls; r2 covers 375+ risk-based controls tailored to your risk profile. The right level depends on what your specific healthcare customers require. e1 is for initial qualifications, i1 is the de facto standard for most hospital and health plan vendor programmes, and r2 is required for the highest-sensitivity use cases.
HITRUST i1 certification typically takes 14–20 weeks from scoping to certificate issuance. HITRUST r2 takes 20–28 weeks. The exact timeline depends on your current control maturity, the complexity of your environment, and the availability of your External Assessor. Companies that have already completed SOC 2 or have existing HIPAA documentation have a faster path to HITRUST certification due to control overlap.
For most healthcare enterprise buyers, SOC 2 and HIPAA compliance documentation is sufficient at the early stages of the relationship. As deals get larger — particularly with major hospital systems and national health plans — HITRUST certification becomes a requirement. HITRUST provides a higher level of independent assurance than SOC 2 or HIPAA self-assessment combined. We recommend beginning HITRUST when your first major customer requires it, not as a proactive first step.
Yes — and for HealthTech companies targeting large hospital systems, a combined SOC 2 + HIPAA + HITRUST programme is significantly more efficient than three sequential engagements. The frameworks share substantial control overlap. We map controls across all three frameworks, build them once, and deliver all three certifications on a coordinated timeline. This is the approach we use for most HealthTech companies with enterprise healthcare ambitions.
MyCSF is HITRUST’s online assessment portal. All HITRUST assessments are conducted through MyCSF — you enter your control implementations, upload evidence, respond to assessor questions, and track your assessment progress. Your External Assessor works within the portal during fieldwork. We manage your MyCSF account throughout the assessment, ensuring your evidence submissions are complete and organised before assessor review.
Book a free 30-minute consultation. A HITRUST CCSFP-certified advisor will review your customer’s requirement, confirm the correct assessment level, and give you a realistic timeline and cost estimate for your specific situation.
HITRUST is built on top of HIPAA. Most HealthTech companies complete their HIPAA compliance programme before pursuing HITRUST certification. We build both on a single coordinated timeline.
The full compliance stack for HealthTech companies — SOC 2, HIPAA, and HITRUST — built as a unified programme on a single timeline with a single advisory team.
If you are building toward a combined healthcare compliance programme, a gap assessment covering all required frameworks simultaneously gives you a single prioritised roadmap and avoids duplicated work.