15.7.1 The HITRUST Essentials, 1-year (e1) Certification Report and HITRUST Implemented, 1-year (i1) Certification Report are valid for 12 months from the date of the report, after which the Assessed Entity will be required to re-assess. NOTE: The date of the report is the same date as the management representation letter Letter (see Chapter 13.8 Management Representation Letter).
15.7.2 The HITRUST Risk-based, 2-year (r2) Certification Report is valid for 24 months from the date of the report, after which the Assessed Entity will be required to re-assess. To maintain the two-year certification, the Assessed Entity must complete an interim assessment at the 12th month mark (see Chapter 15.4 Interim Assessment for additional details).
15.7.3 If the re-assessment fieldwork testing is not complete with a signed Management Representation Letter by the last day of the certification period, the Assessed Entity will have a certification gap. A certification gap is the period between the day the certification expires and the date of the re-certification. During the certification gap, the Assessed Entity is not considered to be HITRUST certified.
15.7.4 HITRUST does not, under any circumstances, extend the expiration date of a HITRUST certification.
For Assessed Entities that have circumstances where they may not be able to submit their r2 validated assessment by the expiration date of the prior certification, HITRUST provides a mechanism to extend the submission date using a bridge assessment (see Chapter 15.8 Bridge Assessments). The bridge assessment allows for up to 90 days after expiration of the prior r2 certification to submit the validated assessment to maintain the HITRUST certification without a certification gap (bridge assessments are not available for i1 or e1 certifications).