HITRUST has multiple assessment types that an organization may pursue to determine its maturity level, including the r2, i1, e1, and targeted assessments.
- HITRUST Risk-based, 2-year (r2) Assessment: A risk-based and tailorable assessment that provides the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. The r2 provides a high level of assurance that focuses on a comprehensive risk-based specification of controls with an expanded approach to risk management and compliance evaluation.
- HITRUST Implemented, 1-year (i1) Assessment: A cybersecurity assessment inclusive of Information Technology controls generally recognized as leading cybersecurity practices that allows for the optional addition of other authoritative sources available through the HITRUST CSF. The i1 provides a moderate level of assurance that addresses cybersecurity leading practices and a broader range of active cyber threats than the e1 assessment.
- HITRUST Essentials, 1-year (e1) Assessment: A cybersecurity assessment that focuses on a curated set of cybersecurity controls encompassing fundamental cybersecurity practices, or “good cybersecurity hygiene” that allows for the optional addition of other authoritative sources available through the HITRUST CSF. The e1 provides entry-level assurance focused on the most critical cybersecurity controls and demonstrates that essential cybersecurity hygiene is in place.
- Targeted assessment: A non-certifiable self-assessment which consists only of HITRUST requirement statements that map to one or more authoritative sources (e.g., NIST 171, FedRAMP, HIPAA). The authoritative source(s) for this assessment are selected by the Assessed Entity.
HITRUST refers to the r2, i1, and e1 as a traversable portfolio, meaning the portfolio builds on the baseline requirement statements within each assessment type starting with the e1. All requirements within the e1 assessment are included within the i1, and all requirements within the i1 are included within the baseline requirements of the r2 assessment.
HITRUST also offers Insights Reports (e.g., HIPAA, AI Risk Management) or additional certifications (e.g., NIST CSF, ai1, ai2) when assessing requirement statements where the authoritative source has been selected as a Compliance Factor within the r2, i1 or e1 assessment and the source is available for an Insights Report or certification. For additional information on these report types, see Chapter 15.1 HITRUST Reporting.
The following table further details the characteristics and differences between the r2, i1, and e1 assessments.
| Characteristic | e1 | i1 | r2 |
|---|---|---|---|
| Deliverables | | | |
| Can result in a HITRUST-issued certification (i.e., HITRUST certifiable) | Yes | Yes | Yes |
| Length of certification | 1 year | 1 year | 2 years |
| Final reports resulting from the assessment can be shared through the HITRUST Assessment XChange and assessment results can be shared through the HITRUST Results Distribution System | Yes | Yes | Yes |
| Can result in a HITRUST-issued certification over the NIST Cybersecurity Framework | No | No | Yes |
| Can result in a HITRUST-issued certification over Artificial Intelligence (AI) | Yes | Yes | Yes |
| Can result in Insights Reports over select authoritative sources | Yes | Yes | Yes |
| Assessments | | | |
| Readiness assessments and validated assessments can be performed | Yes | Yes | Yes |
| Requires an Authorized HITRUST External Assessor to inspect documented evidence to validate control implementation | Yes | Yes | Yes |
| Leverages the HITRUST Control Maturity Scoring Rubric | Yes | Yes | Yes |
| Assessor's validated assessment fieldwork window (maximum) | 90 days | 90 days | 90 days |
| HITRUST CSF requirements performed by the assessed entity's service providers (such as cloud service providers) on behalf of the organization can be carved out / excluded from consideration | Yes | Yes | No |
| Personnel from either the Assessed Entity or their External Assessors are allowed to enter control maturity scoring and assessment scoping information | Yes | Yes | No |
| Requires an interim assessment | No | No | Yes |
| Can be bridged through a HITRUST bridge certificate | No | No | Yes |
| Must use the most current version of the CSF available at time of assessment creation | Yes | Yes | No |
| CSF Report Subject Matter | | | |
| Threat-adaptive assessment | Yes | Yes | Yes\* |
| Includes HITRUST CSF requirements specifically tailored to the assessment scope | No | No | Yes |
| Can be tailored to optionally convey assurances over dozens of information protection regulations and standards (e.g., HIPAA, PHIPA, NIST AI RMF & ISO/IEC 23894) | Yes\*\* | Yes\*\* | Yes |
| Can be tailored to include privacy | No | No | Yes |

\* For HITRUST CSF v11 and later.

\*\* The e1 and i1 can include certain regulations and standards when performing a combined assessment for the available authoritative sources.
This Assessment Handbook defines the Assessed Entity and External Assessor responsibilities and HITRUST requirements for readiness, validated, bridge, rapid assessment, and interim assessments related to the r2, i1, and e1 assessment types.