From Readiness to Certification: How BARR Guides You Through the HITRUST Journey

May 28, 2025 | HITRUST

The HITRUST Common Security Framework (CSF) is a comprehensive, threat-adaptive standard designed to help organizations strengthen their security posture and build trust with customers, partners, and stakeholders.

While HITRUST has long been known as the gold standard for healthcare organizations, its reach today extends far beyond hospitals and health insurance carriers. In fact, SaaS and technology companies accounted for more than a third (37%) of HITRUST certifications in 2024.

Whether you’re a fast-growing startup or an established enterprise, HITRUST offers flexible certification options that scale with your needs—and BARR Advisory is here to guide you through every step of the journey. Here’s how.

Understanding the HITRUST Framework

Recognized internationally, HITRUST stands out for its flexibility and responsiveness to emerging threats. Because the framework is updated more frequently than standards like SOC 2 or ISO 27001, it is better equipped to help organizations across industries keep pace with today’s fast-evolving risk landscape.

Organizations pursuing HITRUST certification can choose one of three assessment options that provide varying levels of assurance:

  • The e1 certification covers 44 foundational security controls and is ideal for low-risk organizations and early-stage startups that want to demonstrate adherence to baseline security best practices.
  • The i1 certification adds 138 controls, for a total of 182, and provides a moderate level of assurance for businesses with more robust information security programs and greater assurance needs.
  • The r2 certification is designed for organizations with complex environments that need the highest levels of assurance. The most rigorous of the three options, the r2 requires 200 or more controls, depending on the scope of the assessment.

“Because all of the e1 requirements can be found in the i1 and r2 assessments, the e1 often functions as an excellent starting point for organizations that want time to implement more robust control environments,” Brianna Plush, senior specialist and HITRUST field manager on BARR’s attest services team, said in a recent webinar. “But for many organizations, the e1 assessment is their destination. The e1 is often right for startups or organizations that have a lower level of risk that just need to demonstrate that they’ve got the essential cyber hygiene in place.”

The HITRUST Journey with BARR

As a HITRUST Authorized External Assessor with a dedicated cybersecurity consulting practice, BARR is able to support your organization throughout the HITRUST journey, from readiness to certification. Here’s how it works.

1. Readiness Assessment

In most cases, your path to HITRUST certification will start with our attest services team, who will perform a readiness assessment tailored to your chosen assessment option: e1, i1, or r2. This process results in a gap report—a detailed list of areas for improvement that must be addressed before certification.

2. Remediation Support

Once any gaps are identified, our consulting team steps in to help you prioritize and remediate those issues efficiently and effectively. This includes support with:

  • Vulnerability management
  • Reducing technical debt
  • Policy and procedure documentation
  • Endpoint detection and response
  • Identity and access management
  • Third-party risk management
  • Business continuity and disaster recovery planning

“We work side by side with your team to help you build a security program that’s compliant, practical, and scalable,” said Teddy VanGalen, a senior consultant at BARR Advisory. “Our goal isn’t just to put you on the path to certification—it’s to help you implement effective controls that reduce risk and support long-term growth.”

BARR’s consulting team provides tailored guidance based on your organization’s size, complexity, and project timeline. For example, r2 certifications generally require more extensive remediation work than e1 or i1 assessments, which may be completed more quickly.

3. Certification

Once remediation is complete, our attest services team takes over to conduct the formal HITRUST assessment. At the conclusion of their assessment, they will submit the results to HITRUST for approval and final certification.

One Firm, Seamless Experience

Under frameworks like ISO 27001, the firm performing the audit is not allowed to help fix identified gaps. HITRUST is structured differently, however, allowing for a more collaborative approach.

Here’s why organizations of all sizes can trust BARR to guide them from gap analysis to HITRUST certification:

  • Clear separation of roles: Our consulting team does not participate in the readiness assessment or the certification process—ensuring independence.
  • Third-party oversight: HITRUST independently reviews all certification submissions through its quality assurance (QA) process.
  • Trusted partnership: With BARR’s separate attest and consulting divisions, you’ll work with one trusted partner from start to finish, without compromising quality or integrity.

In addition, when you partner with BARR for both HITRUST readiness and certification, you benefit from continuity across the entire engagement. This translates into real benefits for your team:

  • Streamlined onboarding: We leverage background knowledge from initial assessments to hit the ground running on remediation.
  • Faster execution: There’s no learning curve or handoff between firms. Your timeline stays on track.
  • Consistent quality: You get the same high standard of work from end to end.

BARR is also one of a select few firms in the U.S. that is accredited to perform audits against all of the top cybersecurity frameworks: HITRUST, ISO 27001, SOC 2, and PCI DSS. This allows us to offer assessments across multiple frameworks simultaneously as part of our proven coordinated audit approach, reducing duplication and simplifying your audit experience.

No matter where you’re starting from—or where you’re headed—BARR Advisory is here to help you build trust, reduce risk, and achieve HITRUST certification with confidence.

Contact us today to learn how our HITRUST readiness and certification services can support your organization’s security and compliance goals.
