Press / News


HITRUST Expands Assessment Portfolio : Understand i1 and r2

In the final months of 2021, HITRUST announced new assessment types, i1, r2 and bC — read more here:

“HITRUST CSF Certification is the most reliable information assurance report on the market and made possible by the transparency and consistency in the selection of controls, and in the scoring, and validation of controls by both qualified third-party assessors and the HITRUST Assurance and Quality teams. The Assurance process is rigorous by design to ensure a high level of assurance in the results provided. However, there are many situations where a moderate or low level of assurance is warranted, and organizations are seeking a broader range of assessment options that require less effort and time to perform while still providing a commensurate level of reliability for moderate- to lower-risk scenarios.

To meet the market needs for varying levels of assurance with higher reliability, HITRUST is adding two new assessment offerings. Like the HITRUST CSF Validated Assessment, these new offerings will aid in understanding control effectiveness as well as cyber preparedness and resilience. With the two new additions, the HITRUST assessment portfolio will include:

  • The Basic, Current-State (bC) Assessment is a “good hygiene” assessment and offers higher reliability than self-assessments and questionnaires by utilizing the HITRUST Assurance Intelligence Engine™ (AI Engine) to identify errors, omissions, and deceit.
  • The Implemented, 1-Year (i1) Validated Assessment is a “best practices” assessment and recommended for situations that present moderate risk or where a baseline risk assessment is needed. The i1 is designed to provide higher levels of transparency, integrity, and reliability over existing moderate assurance reports, with comparable levels of time, effort, and cost. HITRUST Authorized External Assessors will validate i1 Validated Assessments.
  • The industry standard HITRUST CSF Validated Assessment is a risk-based and tailorable assessment, which continues to provide the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The HITRUST CSF Validated Assessment is renamed the HITRUST Risk-Based, 2-Year (r2) Validated Assessment.

Additional HITRUST assessment options include:

  • HITRUST Risk-based, 2-year (“r2”) Readiness Assessment. A self-attested assessment that is often used to determine security posture and any potential remediation efforts in preparation for a future HITRUST Assessment. Available for use with the HITRUST Implemented, 1-year (“i1”) Validated Assessment and the HITRUST Risk-based, 2-year (“r2”) Validated Assessment.
  • HITRUST Interim Assessment for r2 Certification. Organizations with a HITRUST Risk-Based, 2-year (“r2”) Validated Certification Report will need to perform a r2 Interim Assessment at the one-year mark to keep their certification valid.
  • HITRUST Bridge Assessment for r2 Certification. Allows organizations to earn a bridge certificate to maintain their HITRUST Risk-based, 2-year (“r2”) Certification Report for an additional 90 days, even if their assessment submission due date is missed.”

The purpose of these new assessment types is to allow organizations with specific needs or limitations to have access to HITRUST assurance and certification. Follow this link to read the official announcement from HITRUST. If you have any questions about these additions, please contact a member of our team.