HITRUST Assessments: What You Need to Know from an Assessor

August 2025

HITRUST assessments are essential for organizations in regulated industries to demonstrate data security compliance. In this post, we’ll explore the critical aspects of these assessments, share expert insights on preparation, and outline best practices to ensure success from readiness to certification.

Why HITRUST Assessments Matter

Organizations pursuing HITRUST assessments gain a structured framework to safeguard patient data, streamline audits, and demonstrate compliance. Because HITRUST enforces strict control incubation periods, a robust readiness phase is crucial to ensure that no major gaps emerge during the formal evaluation.

The Readiness Phase

During the readiness phase, you’ll work with a trained readiness assessor to identify evidence and implement controls. Successful planning means that policy items must be in place 60 days before review, and system controls 90 days before review. Skipping readiness spells trouble in later stages.

Choosing Your HITRUST Assessment Certification

Before you begin, decide which certification fits your organization. There are three types of certification: e1, i1, and r2. Each option varies in scope and rigor. The e1 assessment provides baseline controls, while the i1 assessment expands coverage. The r2 assessment tailors controls based on risk factors, offering the most extensive scope. Selecting the right certification aligns your compliance goals with resource availability.

e1, i1, and r2: HITRUST Assessment Types Explained

e1 Assessment (44 Controls)

The e1 assessment within HITRUST focuses on basic hygiene controls, making it ideal for smaller environments. Organizations completing e1 often finish within four to five months, especially if they hold existing certifications.

i1 Assessment (182 Controls)

The i1 assessment builds on the e1, adding more policy and procedure requirements. A rapid recertification in year two eases ongoing maintenance.

r2 Assessment (Risk-Based Controls)

The r2 assessment is the most comprehensive option, with the control set scaling to your risk profile as defined in the myCSF portal. Proper planning is critical for timely execution.

The Validation and QA Process

Submitting to the Assessor

Once your readiness work is complete and all controls have met their incubation periods, self-grade each control and submit via myCSF to your HITRUST assessor. The assessor will independently review the evidence and grade each control.

HITRUST Alliance QA

After the assessment, HITRUST Alliance conducts an automated review followed by a manual QA of selected controls. Be prepared to provide clarifications within their typical 10-day response window.

Addressing Corrective Action Plans

Deficiencies become Corrective Action Plans (CAPs) in your final report. CAPs don’t block certification but highlight areas for improvement—another reason readiness is key.

Crucial Success Factors

  • Reserve Your QA Slot Early: Lock in your HITRUST QA date to drive internal deadlines.
  • Tackle Big Rocks Up Front: Identify major implementations (e.g., firewalls, IDS/IPS) early to avoid timeline delays.
  • Secure Senior Management Buy-In: Leadership support ensures resource allocation and organizational commitment.
  • Start Sooner, Not Later: Rushing leads to gaps. Early engagement reduces stress and corrective work.

Beyond Certification: Compliance as a Service

Maintaining compliance between assessments is just as important. Compliance as a Service provides:

  • Policy & Procedure Maintenance
  • Technology Advisory
  • Ongoing Evidence Collection
  • Proactive Monitoring

Outsourcing these tasks can be more cost-effective than hiring full-time staff, especially for smaller organizations.
