HITRUST i1 Frequently Asked Questions

During a recent webinar we received several questions about the new i1 and r2 HITRUST assessment options. For easy reference, we’ve summarized the questions and answers in this blog post.

Q. What was the basis for deciding which controls go into i1?

A. HITRUST took several frameworks and industry segments into consideration when developing the requirements for i1.

  • For healthcare organizations, HIPAA is a high priority. i1 provides some coverage of the HIPAA security rule and portions of the privacy rule.
  • NIST’s framework is broadly adopted across many industries. The i1 is mapped to NIST 171 which focuses on non-government entities who do business with the federal government.
  • Industry-specific and non-industry specific frameworks were taken into consideration to ensure i1’s coverage applies to most, if not all, industries.

HITRUST reviews changes in the threat profile and threat modeling on a quarterly basis and will adjust the current controls as needed to address any new threat vectors not covered by the current requirements.

Q. In general, which assessment option is most appropriate for different types of organizations?

Simply put, the assessment option depends on the level of risk. From a use case perspective, an organization that has PHI, PII or remote administrative access to intellectual property represents the highest level of risk and would be best protected by an r2 validated assessment.

For organizations with a very young cybersecurity program and a low level of vendor risk, a bC assessment may be sufficient. This self-validated assessment can serve as a benchmark or informal documentation for current cybersecurity efforts.

Mid-tier risk organizations, which represent a huge group of vendors, weren’t well served by previous assessment options. I1 was built specifically to address the mid-tier risk profile. Products or assessments available before the i1 provided insight, but the assurance level wasn’t ideal compared to other compliance standards. i1 not only addresses that gap but goes beyond.

As an example, SOC 2 requires documentation from both the assessed organization and from the CPA firm that provides testing and validation, so there are two levels of review. I1’s assurance methodology includes those two levels and adds three more. Once documentation, validation and testing from the assessed entity and a third-party assessor are completed, HITRUST requires that external firms like Intraprise Health, have a quality assurance team – separate from the actual audit team – do a QA of each assessment. From there, the HITRUST Alliance conducts their own QA of the assessment alongside the assessor firm to ensure accuracy, consistency, and transparency. As a final step, a separate compliance team at HITRUST conducts a final review.

Q. How does the i1 compare to the r2 in terms of assessor involvement, timeline and cost?

Where an r2 assessment focuses on three of the five HITRUST maturity levels (Policy, Process and Implemented), an i1 assessment only looks at implemented maturity to determine if they are functioning. Assessor firms like Intraprise Health still conduct full testing on the implemented maturity level, and there will be an element of policy and process, but only as it relates to an implemented control.

As an example, if a control asks if an organization has a business continuity plan, it will still be necessary to demonstrate that there is a policy and process in place, but it’s a dramatically reduced effort for all parties involved compared to the same control in an r2.

While every organization’s timeline is unique, an i1 assessment can be completed in less time and with considerably less effort – for the client and the assessor – than an r2. Even the evidence-gathering part of the assessment (between the readiness and validation phases), is significantly reduced. Rather than providing policies and procedures for each control, organizations are only required to supply implemented evidence for review.

Intraprise Health completed an i1 assessment for an organization that was already working on maturing their cybersecurity program in less than 40 days from start to submission to QA. In comparison, the timeline for an r2 submission is typically 12 to 18 months.

Q. Can organizations switch from an i1 assessment to an r2?

An i1 assessment can be a good starting point for organizations that want to establish a cybersecurity program through the lens of HITRUST. An external assessor can help you evaluate the pros and cons of each assessment option and guide you through the process of moving from i1 to r2 at a future date.

An i1 is a good choice for startups in any industry that want to demonstrate their maturity from a security and privacy perspective to potential business partners. As startups grow and mature, demands on their organizations may become more rigid and an r2 assessment may be more appropriate.

Q. To date, have any providers or payers accepted the i1 assessment?

In March 2022 the Provider Third Party Risk Management Council (PRPRM), an organization comprised of Chief Information Security Officers from leading health systems and provider organizations, announced they are accepting the i1 assessment for low and moderate risk vendors. In addition, discussions with payer entities have indicated support for the i1 assessment, suggesting it’s gaining traction within the healthcare industry.

Have a question we didn’t cover? Contact us to speak with a HITRUST expert.

Intraprise Health is one of the longest tenured HITRUST assessors, with over 10 years of industry experience. Due to our proven methodology, we have a 100% certification rate for our clients. Learn more about our industry-leading HITRUST Assessor services and to claim your complimentary scoping session.