HITRUST has multiple assessment types that an organization may pursue to determine its maturity level, including the r2, i1, e1, and targeted assessments.
- HITRUST Risk-based, 2-year (r2) Assessment: A risk-based and tailorable assessment that provides the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The r2 provides a high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation.
- HITRUST Implemented, 1-year (i1) Assessment: A cybersecurity assessment inclusive of Information Technology controls generally recognized as leading cybersecurity practices. The i1 provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment.
- HITRUST Essentials, 1-year (e1) Assessment: A cybersecurity assessment that focuses on a curated set of cybersecurity controls encompassing fundamental cybersecurity practices, or “good cybersecurity hygiene”. The e1 provides entry-level assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place.
- Targeted assessment: A non-certifiable self-assessment which consists only of HITRUST requirement statements that map to one or more authoritative sources (e.g., NIST 171, FedRAMP, HIPAA). The authoritative source(s) for this assessment is selected by the Assessed Entity.
The following table further details the characteristics and differences between the r2, i1, and e1 assessments.
| Characteristic | e1 | i1 | r2 |
| Deliverables | |||
| Can result in a HITRUST-issued certification (i.e., HITRUST certifiable) | Yes | Yes | Yes |
| Length of certification | 1 year | 1 year | 2 years |
| Final reports resulting from the assessment can be shared through the HITRUST Assessment Xchange and assessment results can be shared through the HITRUST Results Distribution System | Yes | Yes | Yes |
| Can result in a HITRUST-issued certification over the NIST Cybersecurity Framework | No | No | Yes |
| Assessments | |||
| Readiness assessments and validated assessments can be performed | Yes | Yes | Yes |
| Requires an Authorized HITRUST External Assessor Organization to inspect documented evidence to validate control implementation | Yes | Yes | Yes |
| Leverages the HITRUST Control Maturity Scoring Rubric | Yes | Yes | Yes |
| Assessor’s validated assessment fieldwork window (maximum) | 90 days | 90 days | 90 days |
| HITRUST CSF requirements performed by the assessed entity’s service providers (such as cloud service providers) on behalf of the organization can be carved out / excluded from consideration | Yes | Yes | No |
| Personnel from either assessed entity or their external assessors are allowed to enter control maturity scoring and assessment scoping information | Yes | Yes | No |
| Requires an interim assessment | No | No | Yes |
| Can be bridged through a HITRUST bridge certificate | No | No | Yes |
| Subject matter | |||
| Threat-adaptive assessment | Yes | Yes | Yes* |
| Includes a fixed number of HITRUST CSF requirement statements | Yes | Yes | No |
| Includes HITRUST CSF requirements specifically tailored to the assessment scope | No | No | Yes |
| Can be tailored to optionally convey assurances over dozens of information protection regulations and standards (e.g., HIPAA, NIST CSF, PCI DSS). | No | No | Yes |
| Can be tailored to include privacy | No | No | Yes |
| Must use the most current version of the CSF available at time of assessment creation. | Yes | Yes | No |
| *For HITRUST CSF v11 and later | |||
This Assessment Handbook defines the Assessed Entity and External Assessor responsibilities and HITRUST requirements for readiness, validated, bridge, rapid recertification, and interim assessments related to the r2, i1, and e1 assessment types.