HITRUST Assessments and the Differences Between Them

October 4, 2022 by Brent Goedel
Information Systems, Technology Solutions

HITRUST has three assessments that can help companies define and understand their security posture.  We will preview each of these assessments and associated benefits to help decide which is best for your entity.

HITRUST Basic, Current state (bC) Verified Self-Assessment

The HITRUST bC is a self-assessment that uses the HITRUST Assurance Intelligence Engine (AIE) to deliver automated quality assurance and greater reliability with less time and effort.  The AIE analyzes and verifies bC Assessment documentation for oversights, inconsistencies, and errors. Using the HITRUST MyCSF® platform, the AIE performs an automated, real-time analysis against thousands of data points to proactively identify potential quality issues and provide detailed recommendations for remedial actions.

HITRUST bC is a starting point for companies to self-assess their security posture before investing in the more rigorous HITRUST i1 or R2 assessments.  HITRUST bC covers 71 Control Requirement Statements, which is built from the NISTIR 7621:Small Business Information Security Fundamentals.

HITRUST Implemented, 1-year (i1) Validated Assessment

HITRUST i1 is a threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, which is suitable for moderate assurance requirements and will be updated regularly to address new threats in the future.  HITRUST used NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, and Health Industry Cybersecurity Practices (HICP) to build on the 219 pre-set controls that leverage security best practices and threat intelligence.

HITRUST i1 is the next step for companies that need a Security Assessment without the complexity of the HITRUST r2, but will still satisfy stakeholders, vendors, and clients with reporting and validation.

HITRUST Risk-based, 2-year (r2) Validated Assessment

HITRUST Risk-based, 2-year (r2) Validated Assessment (formerly named the HITRUST CSF Validated Assessment) demonstrates that an organization is taking the most proactive approach to data protection and information risk mitigation. The r2 is globally recognized as a high-level validation that an organization successfully manages risk by meeting and exceeding industry-defined and accepted information security requirements.  The HITRUST r2 Validated Assessment + Certification is considered the gold standard for information protection assurance due to the comprehensive control requirements, depth of quality review, and consistency of oversight

HITRUST r2 is customizable to different factors that pertain to your line of business such as HIPAA, GDPR, PCI, and more.  HITRUST r2 starts with a readiness before going through the assessment with a CSF Assessor Firm.  When certified, the certification is good for two years with an Interim Assessment after year one to confirm nothing has changed in the environment and then a full re-certification at the end of year two.

Now that you have learned about all three of the HITRUST assessments and what value they have in a business, contact Copeland Buhl to get started with any of these assessments or for help with your current assessment or readiness needs.