HITRUST Assessment Readiness

HITRUST is hard. Very hard. That’s why it is the gold standard of certification. Knowing that, which HITRUST Assessment is right for your organization?

  1. Risk-Based, 2-year Validated Assessment (r2)
  2. Implemented, 1-year Validated Assessment (i1)
  3. Basic, Current State (bC)

We’ll begin with the crucial understanding of what each assessment provides. We’ve outlined the essential descriptions below and can help you pave the way to your chosen assessment.

HITRUST Risk-Based, 2-year Validated Assessment (r2)

The HITRUST Risk-Based, 2-year Validated Assessment (r2) provides certification through an in-depth, independent examination of policy, procedure, and implementation evidence for the required controls. The r2 has been around the longest and takes the deepest dive. The number of control requirements ranges from roughly 300 to more than 1,000, tailored to the size and scope of your organization, the sensitivity of the data you handle, and the regulatory factors you are subject to.

As you’d expect, achievement of the r2 comes with a high level of assurance, and the certification is valid for 2 years, with an interim assessment at the one-year mark.

HITRUST Implemented, 1-year Validated Assessment (i1)

By contrast, the HITRUST Implemented, 1-year Validated Assessment (i1) provides certification through more targeted coverage, examining evidence of your organization’s implementation of the required controls. Going for the i1 means your organization must prove that the 219 required controls are in place by demonstrating that they have been implemented. Policies and procedures are not part of the equation.

The i1’s control set is based on NIST SP 800-171, the HIPAA Security Rule, and other good security practices. It is validated by an independent assessor and provides a moderate level of assurance. Certification is good for 1 year only.

HITRUST Basic, Current State Assessment (bC)

Then there’s the HITRUST Basic, Current State Assessment (bC). As a self-assessment, it does not provide certification. However, it’s still beneficial in that it can provide an organization with a “current state” view prior to preparation for obtaining an i1 or r2.

Two things to keep in mind:

  1. The level of assurance for the bC is considered low.
  2. The bC is oriented toward small organizations. NIST uses the Small Business Administration’s definition of a small business: generally an independently owned, for-profit enterprise with 500 or fewer employees, with industry-specific exceptions to that threshold.

Are you ready to determine which assessment is right for you?
Let’s start with your free discovery session – a complimentary telephone consultation.

As a certified HITRUST Assessment readiness licensee, Apgar & Associates can also support you with:

  • Scoping your HITRUST assessment,
  • Policy and process development to meet the HITRUST requirements of the controls in scope for your chosen assessment, and
  • Identifying evidence that will be required to prove the implementation of each HITRUST control.