HITRUST Offers Streamlined Assessment Alternatives
The HITRUST™ organization provides a framework that safeguards sensitive information and can help manage information risk for organizations across all industries. Its programs have been widely adopted in the healthcare industry.
Until recently, organizations wishing to obtain HITRUST certification have been required to undergo a rigorous HITRUST Common Security Framework (CSF) Validated Assessment performed by a third-party External Assessor organization that has been approved by HITRUST to perform validated assessments.
In October 2021, HITRUST announced two new assessment options to accommodate organizations with different levels of risk exposure. With these additions, HITRUST now offers three assessment alternatives:
- The Basic, Current-State (bC) Assessment (New). Suitable for lower-risk scenarios. Offers higher reliability than self-assessments and questionnaires. Uses the HITRUST Alliance Intelligence Engine, an Artificial Intelligence (AI) tool, to identify errors, omissions, and deceit in the submitted responses.
- The Implemented, 1-Year (i1) Validated Assessment (New). Suitable for moderate-risk scenarios or where a baseline risk assessment is needed. HITRUST Authorized External Assessors validate i1 Validated Assessments.
- The Risk-Based, 2-Year (r2) Validated Assessment (Current). This is the new name for the CSF Validated Assessment; the requirements are otherwise unchanged. Suitable for higher-risk scenarios. HITRUST Authorized External Assessors validate r2 Validated Assessments.
What Are the Main Differences Between the Three HITRUST Assessment Options?
HITRUST published the following table summarizing the key differences between the three assessment options:
| | HITRUST Basic, Current-State Assessment (bC) (NEW) | HITRUST Implemented, 1-year (i1) Validated Assessment (NEW) | HITRUST Risk-Based, 2-year (r2) Validated Assessment (Former Name: HITRUST CSF Validated Assessment) |
|---|---|---|---|
| Description | Verified Self-Assessment | Validated Assessment + Certification | Validated Assessment + Risk-Based Certification |
| Purpose (Use Case) | Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirements | A threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements | Focus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements |
| Number of Control Requirement Statements | 71 Static | 219 Static | 2000+ based on Tailoring (360 average in scope of assessments) |
| Flexibility of Control Selection | No Tailoring | No Tailoring | Tailoring |
| Evaluation Approach | 1×3: Control Implementation | 1×5: Control Implementation | 3×5 or 5×5: Control Maturity assessment against either 3 or 5 maturity levels |
| Targeted Coverage* | NISTIR 7621: Small Business Information Security Fundamentals | NIST SP 800-171, HIPAA Security Rule | NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others |
| Level of Assurance** | Low | Moderate | High |
| Relative Level of Effort | 0.5 | 1.0 | 5.0 |
| Certifiable Assessment | No | Yes, 1 Year | Yes, 2 Year |
| Complementary Assessments | None | Readiness | Readiness, Interim, Bridge |
Key Takeaways
Although the new i1 Validated Assessment only offers certification for one year, versus a two-year certification for the traditional r2 Validated Assessment, it comes with key benefits. The i1 Validated Assessment is an implemented-only assessment, which means the rigorous policy and procedure assessment performed in the r2 Validated Assessment is not performed. This makes the i1 Validated Assessment a solid choice for organizations that may not yet have the full maturity required for an r2 Validated Assessment, and it serves as a stepping stone toward the r2 Validated Assessment.
Additionally, with only 219 requirement statements, the i1 takes a relatively moderate level of effort to complete compared to traditional HITRUST certification efforts, while still meeting the gold-standard quality for which HITRUST certifications are known.
When Are the New Assessment Options Available?
The new assessment options became available on December 30, 2021.
How Do We Share Assessment Results?
Effective December 31, 2021, organizations can submit third-party assessment results to HITRUST via the new Results Distribution System (RDS). This replaces the former inefficient process of authenticating, requesting, sharing, and analyzing results in the form of PDF files. The RDS allows assessed organizations to share results through a secure web portal or API, which streamlines and accelerates the submission and review process.
Additional Resources
For a deeper dive on these topics, check out these resources:
- Case Study: Helping Medical Device Manufacturer Achieve HITRUST Certification
- Tevora HITRUST Certification Data Sheet
- Introduction to HITRUST Webinar
- Blog Post: How to Get HITRUST Certified: Keys to Certification Success
- Expanded HITRUST Assessment Portfolio
- HITRUST Results Distribution System
We Can Help
As a HITRUST Authorized External Assessor, we are fully qualified to perform i1 and r2 Validated Assessments. Our team of experienced healthcare security experts can also help you bring your organization into line with HITRUST requirements to ensure you are ready for a Validated Assessment. If you have questions about which assessment option is best for you or any other HITRUST questions, just give us a call at (833) 292-1609 or email us at sales@tevora.com.
Get Started with Tevora Today
Experience a partner that is trustworthy, reliable, and produces the quality you demand.