HITRUST Certification

Simplifying the Path to HITRUST Certification

As an international gold standard of security, HITRUST can demonstrate that your organization meets the highest standards in information security. As a HITRUST Authorized External Assessor, BARR has extensive experience in the HITRUST process and tools, and can serve as your trusted partner every step of the way. 

How it Works

Phase 1

HITRUST Readiness Assessment

A readiness assessment is recommended prior to the validated assessment in order to identify control weaknesses that need correction. Deliverables from the readiness assessment include:

  • Preliminary control discovery results that will assist in documenting process narratives and crafting the description of controls;
  • Control gaps and areas of improvement; and,
  • Prioritized observations and recommendations for remediation.

The advantage of performing a readiness assessment prior to a HITRUST assessment is to give management an opportunity to address control gaps prior to an inaugural examination as well as help with required risk assessment activities.

Phase 2

HITRUST Validated Assessment

The validated assessment includes a number of testing procedures to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively. Testing procedures include:

  • Walkthroughs with personnel interviews to verify policies and procedures are documented;
  • Inspection of CSF-relevant policies and procedures to verify adequate coverage of CSF requirements;
  • Technical testing to validate the implementation of relevant controls;
  • Observation of relevant controls and control processes; and,
  • Inspection of mechanisms used to manage relevant controls.

BARR’s HITRUST Services

HITRUST e1 Assessment

A low-effort, entry-level assessment that focuses on the 44 most critical cybersecurity requirements. It’s a good first step for organizations that are just starting out or have low levels of risk, and it can help them demonstrate that they’re following basic cybersecurity practices. The e1 assessment is valid for one year and includes mitigations for threats like ransomware, phishing, and abuse of valid accounts.

HITRUST i1 Assessment

A moderate-level assessment that takes 6–12 months to complete and is suitable for organizations with robust information security programs. It’s more comprehensive than the e1 assessment and offers a higher level of assurance by covering more controls. The i1 assessment is a good fit for organizations that want to demonstrate leading security practices.

HITRUST r2 Assessment

A robust assessment for established organizations that hold a significant volume of sensitive data and protected health information (PHI) to keep secure. As the most comprehensive of the HITRUST assessments, the r2 can take 18–24 months to complete and is key for organizations that need high-level assurance and have the necessary resources and a team dedicated to completing a larger, more complex assessment.

HITRUST AI Security Assessment

The HITRUST AI Security Assessment is a comprehensive, threat-adaptive framework designed to help organizations secure AI with confidence. Its 44 tailored controls address AI-specific risks and provide assurance to customers that your AI-powered platforms and applications are secure. By achieving a HITRUST AI Security Certification, organizations demonstrate top-tier security and build trust with customers and stakeholders.

HITRUST AI Risk Management Assessment

The HITRUST AI Risk Management Assessment is a comprehensive solution that helps organizations identify and manage risks associated with artificial intelligence technologies by leveraging 51 harmonized controls aligned with ISO/IEC 23894:2023 and the NIST AI RMF. It provides actionable insights through detailed scoring and reports, empowering organizations to strengthen their AI risk management strategies.

Benefits of HITRUST

Stay up-to-date on the latest security risks.

Differentiate your business from the competition.

Secure trust among stakeholders.

Decrease risk of data loss or breach.

Access to ongoing improvement plans with interim assessments.

Peace of mind knowing patient data is protected.

HITRUST Frequently Asked Questions

HITRUST is a leading information protection standards organization and certifying body that has created a comprehensive, threat-adaptive framework—called the HITRUST CSF—for attesting to the quality and effectiveness of an organization’s security controls.

The HITRUST CSF is a comprehensive, threat-adaptive, and globally recognized standard designed to help organizations strengthen their security postures and build trust with stakeholders. The framework was developed by HITRUST, a leading information protection standards organization and certifying body. 

Over the years, HITRUST has continued to publish updates to ensure the HITRUST CSF addresses the latest cybersecurity risks. The latest version of the HITRUST CSF, v11.5.1, was released in 2025. It includes three main assessment options that provide varying levels of assurance:

  • The HITRUST Essentials, 1-year (e1) Assessment covers 44 foundational security controls and is ideal for low-risk organizations and early-stage startups to demonstrate adherence with baseline security best practices.
  • The HITRUST Implemented, 1-year (i1) Assessment adds 138 controls, for a total of 182, and provides a moderate level of assurance for businesses with more robust information security programs and greater assurance needs.
  • The HITRUST Risk-based, 2-year (r2) Assessment is designed for organizations with complex environments that need the highest levels of assurance. The most rigorous of the three options, the r2 requires 200 or more controls, depending on the scope of the assessment.

Regardless of size or industry, the HITRUST security framework provides a scalable, structured way for organizations to strengthen their security posture and demonstrate that they’re taking the right steps to manage risk. Whether you’re a FinTech startup, a healthcare provider, or a growing SaaS firm, HITRUST can help you meet the rising expectations of customers, partners, and stakeholders.

While HITRUST has long been known as the gold standard for healthcare organizations, its reach today extends far beyond hospitals and health insurance carriers. In fact, SaaS and technology companies accounted for more than a third (37%) of HITRUST certifications in 2024, and business services firms accounted for roughly 19% of HITRUST certifications.

Part of what makes HITRUST so effective is its flexibility. With three levels of reporting options, compliance leaders can choose the assessment that best fits their organization’s current needs, and scale up as the business grows. What’s more, the HITRUST CSF is updated more frequently than other leading security frameworks, meaning organizations that achieve certification are better equipped to withstand emerging threats.

For growing organizations aiming to mature their security and compliance programs, achieving HITRUST certification can also help you carve a path toward other internationally recognized standards like ISO 27001. Since ISO 27001 auditors aren’t allowed to provide guidance on how to fix issues or mitigate gaps, HITRUST is a great option to serve as a risk assessment ahead of your ISO 27001 audit. Working with a HITRUST external assessor like BARR Advisory to remediate security gaps before you begin the ISO 27001 certification process can help you avoid potential nonconformities and make for a smoother certification process.

In addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other security assessments, including SOC 2, PCI DSS, and FedRAMP. For example, the HITRUST CSF was designed to align with the AICPA’s trust services criteria, which underpin all SOC 2 reports. This empowers qualified auditing firms to issue both attestations in a collaborative reporting model. 

In order to be HITRUST CSF certified, organizations must work with a HITRUST authorized external assessor such as BARR Advisory. To be formally authorized as a HITRUST external assessor, firms must employ several individuals who have achieved the designation of HITRUST Certified CSF Practitioner (CCSFP). Achieving this credential requires completing a training course, passing a certification exam, and meeting a series of background and experience requirements.

After completing a formal audit with an external assessor firm, each HITRUST CSF assessment is reviewed by HITRUST to ensure consistent quality before the final certification is issued.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 that is designed to protect patient health data. The legislation includes a provision known as the HIPAA Security Rule, which requires all covered entities—including healthcare providers, health insurance companies, healthcare clearinghouses, and their business associates—to ensure the security, confidentiality, integrity, and availability of electronic protected health information (ePHI), to detect and protect against security threats, impermissible uses, and disclosures, and to ensure compliance by their workforce.

While HIPAA is a federal law, the HITRUST CSF is a framework that is used to help covered entities achieve HIPAA compliance as well as compliance with other security standards like PCI DSS and NIST. It might be helpful to think of HITRUST CSF as a response to HIPAA requirements and other healthcare security regulations. Healthcare organizations are required by law to comply with HIPAA, and the HITRUST CSF framework allows them to do so by providing standardized controls that should be implemented for compliance.

Contact Us for a Free Consultation

We’re here to help you!
Speak with a BARR specialist about your security and compliance needs.

HITRUST Frequently Asked Questions

HITRUST CSF is a standard that organizations can use effectively across any industry — not just healthcare. HITRUST compliance provides a consensus-driven standard of due care and diligence for protecting information. This includes electronic protected health information (ePHI), personally identifiable information (PII), payment card data, proprietary information, or other sensitive information. Because HITRUST offers a portfolio of validated assessment options based on complexity and risk profile, it also can be used for organizations of any size.

When it comes to HITRUST assessments, the level of effort each assessment takes directly correlates to the level of assurance it provides. For example, while the e1 Assessment is low effort, it provides only basic assurance. The r2 Assessment requires significantly more effort, but it provides a higher level of assurance. Learn more about the different types of HITRUST certifications.

The timeline for the HITRUST assessment process can vary depending on the type of HITRUST certification. On average, the e1 Assessment takes 3 months, the i1 Assessment takes 6–12 months, and the r2 Assessment takes 18–24 months.

In addition to safeguarding your organization’s data, obtaining a HITRUST certification can demonstrate a commitment to the security and privacy of your customers. A HITRUST assessment and resulting certification can also convey assurances over other authoritative sources like HIPAA and ISO.

The HITRUST e1 and i1 Assessments remain valid for one year after the issuance date. After that year, we recommend building on the established cybersecurity foundation with a higher-level HITRUST certification. The HITRUST r2 Assessment is valid for two years, with an interim assessment in between.

HITRUST certification is a globally recognized standard that verifies an organization’s compliance with data security and privacy requirements. The Health Information Trust Alliance (HITRUST) created the HITRUST Common Security Framework (CSF) to help organizations manage the risks of handling sensitive data, such as healthcare information. HITRUST certification demonstrates that an organization’s systems meet the CSF’s standards and regulations.

HIPAA (Health Insurance Portability and Accountability Act) is a US law that sets standards for how healthcare organizations handle protected health information (PHI). HITRUST (Health Information Trust Alliance) is a global framework that helps organizations manage information risk and secure sensitive data, including compliance with HIPAA.

When starting the HITRUST CSF process, it can be helpful to conduct a readiness assessment, formerly known as the self-assessment. The readiness assessment happens prior to the validated assessment and provides your organization with a clear understanding of the controls you have in place and any security challenges that might arise. During this phase, your organization evaluates itself against HITRUST CSF requirements. Read our blog post for more information.

HITRUST Level 1 (i1) and Level 2 (r2) certifications are both part of the HITRUST CSF (Common Security Framework), which helps organizations in healthcare manage security, privacy, and regulatory challenges. The main differences between the two levels are the number of controls required, the length of the certification, and the maturity levels evaluated. We explain the differences in this blog post.

Whether you’re a healthcare organization navigating the complex landscape of patient data or a service provider working to process and store data in a secure manner, HITRUST e1 Assessments and SOC 2 reports play a pivotal role in assuring clients, stakeholders, and partners that you’re taking information security measures seriously. Learn the difference between the two in our blog post.

As a HITRUST Authorized External Assessor, BARR Advisory has extensive experience in the HITRUST process. We serve as your trusted partner every step of the way through our two-phase, five-step HITRUST roadmap to certification. Check out our simplified overview.