HITRUST CSF Assessments: e1, i1, r2—What’s the Difference?

December 14, 2023 | HITRUST

HITRUST CSF is the most widely-adopted cybersecurity framework for healthcare organizations in the U.S. HITRUST CSF provides broad assurance for different risk levels and compliance requirements with greater reliability than other assessment options. There are three types of HITRUST CSF Assessments to consider when deciding what’s best for your organization—the e1, i1, and r2 Assessments.

HITRUST recently released CSF version 11, which added the e1 Assessment to its services and updated the i1 and r2 Assessments, allowing organizations to reuse work from lower-level HITRUST assessments and progressively achieve higher assurance by sharing common control requirements in inheritance. CSF v11 was designed to be threat-adaptive to protect organizations against new and emerging threats.

When it comes to HITRUST assessments, the level of effort each assessment takes directly correlates to the level of assurance it provides. For example, while the e1 Assessment is low effort, it provides only basic assurance. The r2 Assessment requires significantly more effort, but a higher level of risk assurance.

HITRUST Assessments Key Differences


HITRUST Assessments Key Differences

Let’s take a closer look at the e1, i1, and r2 Assessments and how they can benefit your organization. 

HITRUST e1 Assessment 

The HITRUST Essentials, 1-year (e1) Assessment is a low effort yet reliable assessment that helps organizations focus on foundational cybersecurity controls and prepares them for the most critical cybersecurity threats. 

The e1 Assessment can serve as a stepping stone to more comprehensive and higher-effort assessments such as the HITRUST i1 Assessment or r2 Assessment. With only 44 controls, it is significantly more attainable than other cybersecurity assessments. 

Similar to other HITRUST assessments, the e1 Assessment is threat-adaptive, which means that as the threat landscape evolves, the requirements will also proactively shift to address risks as they emerge. This includes mitigations for the most critical cybersecurity threats such as ransomware, phishing, brute force, and abuse of valid accounts. 

The e1 Assessment is valid for one year from its issuance date. After that year, BARR experts recommend building on the established cybersecurity foundation with a higher level assessment. 

Who Needs the e1 Assessment?

As the minimum level of cybersecurity assurance in the HITRUST framework, the e1 Assessment is an excellent first step for any organization looking for validation of essential cybersecurity controls that plan to progress to more robust assessments in the future. BARR experts recommend the e1 Assessment to startups or other organizations that are just getting started in their cybersecurity journey.

While the e1 Assessment reliably demonstrates an organization’s commitment to the basics, it doesn’t provide coverage of compliance related to laws like HIPAA or other leading cybersecurity practices. 

HITRUST i1 Assessment 

The HITRUST Implemented, 1-year (i1) Assessment is designed to address the constantly developing threat landscape. As a threat-adaptive assessment, the i1 requirements will also be updated to address future risks as they emerge. 

The Provider Third Party Risk Management Council, which is comprised of prominent chief information security officers from leading health systems and provider organizations, announced that any moderate-risk vendors that want to work with them must obtain the HITRUST i1 Certification. The Council’s governing organizations include Cleveland Clinic, Mayo Clinic, and Tufts Medicine. 

The HITRUST i1 Assessment is valid for one year from its issuance date. Because the control set evolves over time, vendors will obtain the i1 on an annual basis. With the new HITRUST v11 updates, the i1 Assessment decreased controls from 219 to 182, which helps accelerate the time it takes to complete certification.  It’s important to note the level of effort to achieve and maintain HITRUST i1 Certification can be reduced up to 45% over the course of two years.

Who Needs the i1 Assessment?

The HITRUST i1 Assessment is a good choice for any vendor looking to provide a moderate level of assurance on transparency, accuracy, consistency, and integrity. It allows smaller organizations with less support staff to become HITRUST certified. The reason for this is the i1 only addresses the implementation of each control as opposed to the r2 which requires a policy, procedure, and the actual implementation of the control. 

HITRUST r2 Assessment 

The HITRUST Risk-based, 2-year (r2) Assessment offers the highest level of assurance and requires significantly more effort than the e1 and i1. Within the updated v11 HITRUST CSF framework, i1 Assessments now serve as the baseline for the r2 Assessments, which has reduced the number of controls in scope considerably. 

The r2 Assessment is valid for two years with an interim period in between and addresses five key areas—policy, procedures, implementation, measurement, and management—and over 200 controls. 

Who Needs the r2 Assessment?

The r2 is the right assessment for established organizations who obtain a significant volume of sensitive data and protected health information (PHI) to keep secure. As the most comprehensive of the HITRUST assessments, the r2 is key for organizations that need high-level assurance and have the necessary resources and team dedicated to complete a larger, more complex assessment.

For a side-by-side breakdown comparison of each assessment, the HITRUST Alliance offers an easy-to-reference chart to help organizations decide which assessment is the best fit.

BARR’s HITRUST Proven Process

Our BARR experts will guide you through every step of the way during your HITRUST engagement. During the readiness assessment, BARR will assess initial controls and provide recommendations for remediation. Once these controls are remediated, they’ll be implemented for a period of 90 days prior to your assessment. 

BARR then completes a validation assessment that includes a number of testing procedures to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively, followed by a HITRUST QA review as the final stage of your journey toward certification.

If you’re interested in more information about HITRUST CSF v11 or HITRUST certification, reach out to BARR for a free consultation or join us for our weekly HITRUST Open House every Wednesday at 11 a.m. CST.

This blog post was originally published June 5, 2023 and has since been updated to reflect new content.


Let's Talk