Achieving HITRUST certification is a major milestone for any organization—but maintaining it requires ongoing diligence.
For organizations with an r2 certification, that means completing a HITRUST interim assessment in the off-year between full assessments. This process helps ensure that your security controls remain effective and your organization continues to live up to HITRUST’s rigorous standards.
The HITRUST CSF is a comprehensive, threat-adaptive standard designed to help organizations strengthen their security programs while building trust with stakeholders.
Organizations pursuing HITRUST certification can choose one of three assessment options that provide varying levels of assurance: e1, i1, and r2.
The e1 certification covers 44 foundational security controls and is ideal for low-risk organizations and early-stage startups that want to demonstrate adherence to baseline security best practices. The i1 certification includes 182 controls and provides a moderate level of assurance for businesses with greater assurance needs.
Because the e1 and i1 certifications last only one year, organizations must undergo the full assessment process on an annual basis in order to stay certified.
The r2 certification is designed for organizations with more complex environments that need the highest levels of assurance. The most rigorous of the three options, the r2 requires 200 or more controls, depending on the scope of the assessment, and lasts for two years—but work is still required in the meantime to maintain your certification.
Organizations that want to maintain HITRUST r2 certification must undergo the full assessment process every other year. During the off-year, organizations must complete an interim assessment to confirm their ongoing compliance with the standard.
A HITRUST interim assessment serves as a follow-up to the r2 certification and takes place one year after the initial certification. It is mandatory for organizations that wish to maintain their r2 certification and typically takes only a few weeks to complete.
During the interim assessment, your assessor will test a smaller subset of your full control list. One control statement is randomly selected from each of the 19 HITRUST domains for re-testing.
In addition, your assessor will review all of your existing corrective action plans to verify that they have been completed or assess your progress toward remediation. They will also evaluate whether any significant changes or security incidents have occurred; if this is the case, you may be required to restart the full assessment process.
Upon completion of the interim assessment, your assessor submits the results to HITRUST via the MyCSF portal for final review and approval.
Completing a HITRUST interim assessment is a critical part of maintaining your r2 certification. While it’s less intensive than the initial assessment, it reinforces your organization’s commitment to continuous compliance and strong security practices.
By keeping your controls up to date, addressing any corrective action plans, and confirming that no significant changes or incidents have occurred, you demonstrate that compliance is not just a one-time goal for your team, but a continuous practice.
Ready to take the first step on your HITRUST journey? Contact us today to get started.