HITRUST CSF v11 · e1 / i1 / r2 · External Assessor · Payer-required

HITRUST: the framework payers actually demand.

A proprietary, certifiable framework run by the HITRUST Alliance, built on top of HIPAA, NIST, ISO 27001, PCI, and ~40 other authoritative sources. Three certification tiers, ~50 to ~370 requirements, and every assessment runs through an Authorized External Assessor. If a healthcare payer or large hospital system has you in their vendor pipeline, the question is rarely whether to do HITRUST; it’s which level and by when.

Our stance: level honesty is the only HITRUST move that compounds. Most teams claim r2 they cannot defend, or accept i1 they didn’t need. Pick what your buyers actually require, in writing.

§ I · The framework

What HITRUST actually is, in plain English.

HITRUST CSF (the HITRUST Common Security Framework) is a certifiable security and privacy framework published by the HITRUST Alliance, a private organization founded in 2007. It is not a law. It is not a federal program. It is a commercially operated certification regime that has, through 15+ years of payer adoption, become the de facto vendor-assurance bar in U.S. healthcare. Major payers (UnitedHealth, Anthem, Humana, BCBS plans) and many large health systems require HITRUST certification, or accept it in lieu of their own questionnaires.

The CSF is a harmonized control catalog. HITRUST takes the requirements from ~40 authoritative sources (HIPAA Security Rule, NIST 800-53, ISO 27001, PCI DSS, GDPR, FedRAMP, state breach laws, and others) and synthesizes them into one set of CSF requirement statements. The current version is v11.x, refreshed roughly annually. The catalog is accessed through MyCSF, HITRUST’s SaaS assessment platform: you do not write a HITRUST assessment in Word; you build it inside MyCSF.

Three certification tiers exist. e1: an entry-level “essentials” certification, ~44 requirements, one-year cycle, designed for low-risk vendors. i1: a threat-adaptive intermediate certification, ~182 requirements, one-year cycle, mapped to current threats. r2: the legacy “risk-based, two-year” certification, ~200 to ~370+ requirements depending on the scoping factors, the heaviest assessment in commercial use. r2 is what most payer contracts mean when they say “HITRUST certified.”

Every HITRUST validated assessment is performed by a HITRUST Authorized External Assessor: a firm that has gone through HITRUST’s qualification, employs CCSFP-credentialed practitioners, and signs the validation report. HITRUST itself reviews the assessment and issues the certification letter. The reports are not public; they are shared under NDA with payers and customers.

Senior practitioner's note

HITRUST is the most expensive way to do healthcare security right. And it’s the only one your payer will accept.

The honest read: HITRUST r2 is heavy. It is roughly the union of HIPAA Security Rule + NIST 800-53 Mod-equivalent + ISO 27001 + a privacy overlay, mediated by a SaaS platform that costs five figures a year before you write a single requirement statement. Most teams do not need r2. e1 covers a real share of mid-market vendors; i1 is the right answer when you need certification but not the full r2 catalog. The mistake we see most often is teams chasing r2 because the salesperson said the word “certified,” when their actual contract requires nothing of the sort. Get the requirement in writing from your buyer before you scope the engagement.

§ II · Tier decoder

Which tier do you need: e1, i1, or r2?

Tier choice is set by your buyer’s contract, your data sensitivity, and the scoping factors HITRUST applies in MyCSF. The wrong tier costs you twice: once when you scope it, once when your buyer rejects the certification a year later because it didn’t match the procurement requirement. Get the requirement in writing first.

HITRUST tier check

1. What does your buyer require, in writing?
2. Do you process or store PHI, and at what scale?
3. What is the regulatory environment?

§ III · The 19 control domains

HITRUST CSF v11, tailored: how the 19 domains actually map to assessment work.

HITRUST CSF organizes requirements into 19 control domains. Each domain holds a set of CSF requirement statements; tier and scoping factors decide which apply to your assessment. e1 draws ~44 statements across the domains; i1 draws ~182; r2 draws ~200–370+ depending on factors. We group the domains here as we group them in engagements: five operational clusters the External Assessor walks through. Each cluster below lists the heavy-hitter requirements and the artifacts an assessor will demand.

Required · 01 · 06 · 09 · 10: Information protection, access, comms & network

The technical core. This is where most External Assessors and HITRUST QA reviewers spend their first weeks. If the IPP, access controls, transmission protections, and network architecture diagrams don’t agree with each other, and with the actual cloud and EHR config, everything else gets paused until they do.

Domain 01
Information protection program
Documented information security & privacy program. Roles, responsibilities, governance forum. Risk-based scoping. Annual program review with documented executive approval. Policies + procedures + standards stack: not a single combined document.
Domain 06
Configuration management
Documented baselines (CIS, vendor hardening). Change control with separation of duties. Authorized-software inventory. Drift detection & remediation. Production change records correlate to ticket system + approval.
Domain 09
Transmission protection
TLS 1.2+ (1.3 preferred). Email encryption for PHI in transit. Documented cryptographic standards. Public-network transmission of PHI requires explicit controls and logging. No SMTP-in-the-clear for ePHI.
Domain 10
Password mgmt & access control
Account lifecycle: provisioning, modification, disable, removal. Privileged-access reviews (quarterly+). MFA for remote and privileged access: phishing-resistant where feasible. Service / break-glass accounts inventoried; emergency-access procedures rehearsed.
Domain 09 / Network
Network protections
Documented network architecture. Segmentation between PHI environments and general corporate. Egress filtering. Wireless networks isolated from PHI processing. Firewall rule reviews on a defined cadence with documented justification per rule.

Required · 07 · 08 · 11: Endpoint, portable media & vulnerability management

Endpoint hygiene, removable-media controls, and the vuln-mgmt cadence. HITRUST is unusually strict on portable media and BYOD. Patch cadence and CVE response are line items every External Assessor walks; remediation SLAs by severity must be in policy and in evidence.

Domain 07
Vulnerability management
Authenticated vuln scans of OS, web app, DB: defined frequency. Severity-based remediation SLAs in policy (typical: critical <15d, high <30d, medium <90d). Risk-acceptance for unremediated findings, with executive sign-off.
Domain 08
Network protection (endpoint & segmentation)
Endpoint protection on every workstation & server touching PHI. EDR / AV with central console & alerting. Disk encryption (AES-256) on every laptop. Boot-up integrity checks where applicable.
Domain 11
Access control / portable media & mobile
Documented portable-media inventory + sanitization. BYOD policy with MDM enforcement if mobile devices touch PHI. USB-port controls. Removable-media encryption with key escrow. Sanitization records (NIST 800-88) for any media leaving the boundary.
Domain 07 / Patch
Patch management
Documented patching cadence by system class. Production patches tested in lower environments. Vendor-EOL inventory tracked separately with risk-acceptance & replacement plan. Emergency-patch procedure exercised.
Domain 08 / Malicious code
Malicious-code protection
Anti-malware on all in-scope endpoints & servers. Signature + behavior detection. Daily definition updates verified centrally. Quarantine + IR linkage tested. Email gateway with attachment + URL inspection.
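The severity-based remediation SLAs and the risk-acceptance rule in Domain 07 are exactly what an assessor samples, so here is an added example (not Nexurion’s tooling and not a HITRUST artifact) that evaluates a constructed vulnerability-findings export against the page’s typical SLAs and flags open breaches that lack a valid executive sign-off. The export format, the executive-roles list, the sample findings and the report date are assumptions; treating remediation on the deadline day as in-SLA is an interpretation.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLAs in days, taken from the page's "typical" figures for Domain 07.
# Low severity carries no SLA on the page, so it is reported but never breached.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Roles whose sign-off counts as "executive" for a risk acceptance (assumption).
EXECUTIVE_ROLES = {"CISO", "CTO", "CIO", "CEO"}

# Report date for the sample run (constructed).
AS_OF = date(2025, 3, 31)


@dataclass(frozen=True)
class Finding:
    """One row of a vulnerability-scanner export (constructed format, not a real tool's)."""
    finding_id: str
    severity: str                          # critical / high / medium / low
    asset: str
    first_seen: date                       # date the scanner first reported it
    remediated: Optional[date] = None      # date a clean rescan confirmed the fix
    accepted_by: Optional[str] = None      # role that signed the risk acceptance
    accepted_until: Optional[date] = None  # expiry of that acceptance


def sla_deadline(f: Finding) -> Optional[date]:
    """Last day on which remediation still counts as in-SLA; None if no SLA applies."""
    days = SLA_DAYS.get(f.severity.lower())
    return None if days is None else f.first_seen + timedelta(days=days)


def has_valid_acceptance(f: Finding, as_of: date) -> bool:
    """A risk acceptance counts only with executive sign-off that has not expired."""
    if f.accepted_by not in EXECUTIVE_ROLES:
        return False
    return f.accepted_until is None or f.accepted_until >= as_of


def classify(f: Finding, as_of: date) -> str:
    """Bucket a finding the way an assessor would sample it."""
    deadline = sla_deadline(f)
    if deadline is None:
        return "no_sla"
    if f.remediated is not None:
        return "closed_in_sla" if f.remediated <= deadline else "closed_late"
    if as_of <= deadline:
        return "open_in_sla"
    # Past the SLA and still open: acceptable only with a valid executive risk acceptance.
    return "breached_accepted" if has_valid_acceptance(f, as_of) else "breached_unaccepted"


def evaluate(findings: list[Finding], as_of: date) -> dict:
    """Per-finding status, bucket counts, and the ids that need action before fieldwork."""
    statuses = {f.finding_id: classify(f, as_of) for f in findings}
    needs_action = sorted(fid for fid, s in statuses.items() if s == "breached_unaccepted")
    return {"statuses": statuses, "counts": dict(Counter(statuses.values())), "needs_action": needs_action}


# Constructed sample export covering each bucket.
SAMPLE_FINDINGS = [
    Finding("VULN-001", "critical", "ehr-app-01", date(2025, 3, 1), remediated=date(2025, 3, 10)),
    Finding("VULN-002", "critical", "ehr-db-01", date(2025, 3, 1), remediated=date(2025, 3, 20)),
    Finding("VULN-003", "high", "api-gw-02", date(2025, 3, 20)),
    Finding("VULN-004", "high", "legacy-hl7-01", date(2025, 1, 15),
            accepted_by="CISO", accepted_until=date(2025, 6, 30)),
    Finding("VULN-005", "medium", "build-01", date(2024, 11, 1), accepted_by="Team Lead"),
    Finding("VULN-006", "medium", "vpn-01", date(2024, 12, 1),
            accepted_by="CTO", accepted_until=date(2025, 3, 15)),
    Finding("VULN-007", "low", "kiosk-03", date(2025, 2, 1)),
]


def main() -> None:
    report = evaluate(SAMPLE_FINDINGS, AS_OF)
    for fid, status in report["statuses"].items():
        print(f"{fid}: {status}")
    print("counts:", report["counts"])
    print("needs action before fieldwork:", report["needs_action"])


if __name__ == "__main__":
    main()
```

VULN-005 fails because the approver is not an executive role; VULN-006 fails because its acceptance expired before the report date.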

Required · 02 · 12 · 04: Audit, incident response, BCDR

Logging, incident response, business continuity. HIPAA breach notification is on a 60-day clock (less for some states); HITRUST expects the IR plan to be tested, not just documented. The BCDR domain asks if you can actually fail over and recover; tabletop + functional exercises are the artifact of choice.

Domain 02 / Logging
Audit logging & monitoring
Auditable events list reviewed annually. Required content per record. Audit generation enabled across all in-scope systems. Centralized SIEM with correlation rules & alerts. Time-sync to authoritative source.
Domain 02 / Review
Audit review & retention
Daily review (automated + sampled human). Retention per policy: typically 6 years for ePHI access logs. Logs of log-system access kept separately. Tamper-evident log storage with documented review trail.
Domain 12
Incident response
Documented IR plan; tested annually (tabletop minimum, functional preferred). HIPAA breach-notification clock: 60 days from discovery. Forensic-readiness procedures. After-action reports with corrective-action tracking. Notification chain (legal, OCR, customers) rehearsed.
Domain 04 / BCDR
Business continuity & DR
Documented BCP & DRP. Annual tabletop + at least one functional test of recovery procedures. Defined RTO / RPO per system. After-action report into corrective-action plan. Critical-vendor BCDR confirmed in writing.
Domain 04 / Backup
Backup & recovery
Backup of user-level + system-level info per defined frequency. Encryption of backups in transit + at rest. Backup integrity testing. Recovery exercises that prove the RTO: not just the procedure. Off-site or cross-region storage.

Required · 03 · 05 · 13: Risk, governance & privacy

The governance core: risk management, the formal information security program, and the privacy practices. These are the artifacts the External Assessor and the HITRUST QA reviewer weight most heavily. v11 sharpened the privacy requirements (Domain 13) materially: ROPA-equivalent, lawful-basis tracking, individual-rights workflows.

Domain 03
Risk management
Documented risk-assessment process, repeated on significant change & annually. Risk register with owners, ratings, treatments, target dates. Acceptance criteria with executive sign-off. Risk methodology aligned to HITRUST’s threat catalog (i1 specifically).
Domain 05
Information security program management
Documented ISP. Security steering committee with documented cadence & minutes. Policy-exception process. Annual program review & metrics report to executive leadership. Defined accountability: a named CISO or equivalent.
Domain 13
Privacy practices
Notice of Privacy Practices (HIPAA NPP) current & published. Individual-rights workflows: access, amendment, accounting of disclosures, restriction. Authorization mgmt for non-TPO uses. Minimum-necessary review. Privacy-impact assessments on new uses of PHI.
Domain 03 / Assessment
Security assessment
Annual security assessment. Validated assessment by Authorized External Assessor every cycle (1y for e1/i1, 2y for r2 with interim). Findings tracked into corrective-action plan. Re-assessment of high-risk findings on remediation.
Domain 05 / Compliance
Regulatory & statutory compliance
Documented compliance inventory: HIPAA, state breach laws, contractual requirements. Mapping from CSF requirements back to specific authoritative sources. Legal review of policies on a defined cadence.

Required · 14 · 15 · 16 · 17 · 18 · 19: People, physical, third party & education

The domains that catch most readiness teams off guard. Third-party risk (Domain 14) is where r2 engagements consistently overrun: the BAA chain, vendor-questionnaire trails, and inheritance from sub-processors take longer than teams plan. Workforce education (Domain 19) is small in count but heavy in evidence.

Domain 14
Third-party assurance
Vendor inventory with PHI/risk rating. BAA in place for every Business Associate touching PHI: before access. Vendor-security questionnaires on a risk-tiered cadence. Sub-processor mapping. Right-to-audit clauses where applicable. Termination & data-return procedures.
Domain 15
Incident management (workforce-facing)
Workforce reporting channels for suspected incidents. Sanctions for non-reporting documented & applied. Disciplinary action for workforce-caused incidents. Anonymous reporting channel where required by state law.
Domain 16
Business continuity (people-side)
Crisis-communication plan. Pandemic / dispersed-workforce contingencies. Key-person dependencies identified & mitigated. Vendor-crisis communication protocols. Employee-safety procedures.
Domain 17 / HR
Personnel security
Documented background-check policy & records. Confidentiality / NDA agreements signed before access. Termination procedures with access-revocation SLA (typical: 24h). Position-sensitivity classification. Sanctions policy.
Domain 18
Physical & environmental security
Documented physical-access controls for facilities holding PHI. Visitor logs & escort procedures. Environmental controls (fire, water, power) for data centers; for SaaS architectures these are inherited from the cloud provider via BAA, but that inheritance must be documented.
Domain 19
Education, training & awareness
Onboarding training within defined window (typical: 30d). Annual refresher for entire workforce, with completion records. Role-based training for privileged users. Phishing-simulation program with metrics. Documentation that satisfies HIPAA workforce-training requirement directly.

§ IV · Assessment outcome

Validated vs Certified: two outcomes, and only one of them is what your buyer wants.

A HITRUST validated assessment can result in two outcomes: Validated (you completed a validated assessment by an Authorized External Assessor) or Certified (you completed it and met HITRUST’s scoring threshold across every required domain). Validated-only is not necessarily a failure: for some buyers it is acceptable. But when a payer says “HITRUST certified,” they mean the certification letter, not the validated report. Read your contract before you scope.

Default outcome · what payers want

HITRUST Certified

A validated assessment that meets HITRUST’s scoring criteria across every required domain. HITRUST issues a certification letter alongside the validated report. The certification has a defined validity (1y for e1/i1, 2y for r2 with an interim assessment in year 1). This is what a payer means when they say “must be HITRUST certified.”

  • Outcome: Certification letter from HITRUST + validated report
  • Scoring threshold: Maturity scoring per requirement; minimum scores per domain
  • Validity: e1: 1y · i1: 1y · r2: 2y + interim at year 1
  • External Assessor: Mandatory, all tiers, with CCSFP credential
  • QA: HITRUST itself reviews the assessment before issuing
  • Sharing: Under NDA; not public; shared with payers / customers
  • What payers accept: Certification letter (not just the validated report)

Alternative outcome · sometimes acceptable

HITRUST Validated (no cert)

A validated assessment that did not meet the scoring threshold for certification, or where certification was not pursued (rare). The validated report exists; the certification letter does not. Some buyers accept validated-only as a stepping stone; many do not. Don’t assume; ask in writing what your buyer requires.

  • Outcome: Validated assessment report; no certification letter
  • Why it happens: Score below threshold in 1+ domain; uncovered CAPs
  • Path to cert: Close CAPs, re-validate that domain, request certification
  • Bridge letter: HITRUST does not issue traditional bridge letters
  • Use case: Diagnostic; year-zero readiness; some lower-bar buyers
  • Risk: Buyer rejects validated-only; you redo as certified later
  • Read: Procurement language, carefully: “certified” vs “validated”

§ V · Certification calendar

Engagement to certification letter: realistic.

First-time HITRUST r2 certifications historically run 12–18 months end-to-end; e1 and i1 are materially shorter. The longest single phase is almost always policy & procedure stack alignment to the CSF requirement statements, not the External Assessor’s validated assessment fieldwork itself.

Mo 0 – 2
Scoping & MyCSF setup
Tier decision (e1 / i1 / r2) confirmed in writing with buyer. Scoping factors entered in MyCSF (org size, regulatory, geographic, technical). HITRUST issues the requirement set. Authorized External Assessor selected and contracted, separately from us.
Mo 1 – 7
Readiness & control implementation
Gap analysis against the CSF requirement set. Policy / procedure stack written or updated to match HITRUST’s policy / procedure / implementation maturity model. This is where 60% of the calendar lives. Evidence pre-built in the format the External Assessor will need.
Mo 5 – 9
Self-assessment & remediation
Self-assessment in MyCSF against every applicable requirement. Maturity-score gaps identified; remediation prioritized. Corrective-action plans (CAPs) opened pre-validated assessment. Walk-throughs with control owners.
Mo 8 – 11
Validated assessment fieldwork
External Assessor performs the validated assessment. Maturity scoring per requirement: policy, procedure, implemented, measured, managed. Evidence review, walkthroughs, sampling. Findings + scoring entered in MyCSF.
Mo 11 – 14
HITRUST QA & certification
External Assessor submits the validated assessment to HITRUST. HITRUST QA reviews; may push back on scoring or evidence. CAPs assigned for any gaps. Certification letter issued. Validity period begins (1y for e1/i1, 2y for r2).

§ VI · How Nexurion runs it

Senior partner from day one. Tier-honest from week one.

Most HITRUST programs we inherit were built backwards: someone bought MyCSF, picked r2 because the salesperson said “certified,” and started writing policy text without checking what the actual buyer contract requires. We start somewhere else. The first conversation is with your procurement language: the BAA addendum, the vendor-security exhibit, the email from the payer’s third-party-risk team. If the contract says “HITRUST i1,” we do not scope r2. If it says “HITRUST CSF certified,” we confirm in writing whether i1 or r2 satisfies before we touch MyCSF.

Once tier is locked, we run readiness against the External Assessor’s eventual evidence list. We work shoulder-to-shoulder with engineering on encryption and access controls, with security on logging and IR, with HR on workforce training and personnel screening, with procurement on the BAA chain and Domain 14. We rehearse the harder narratives (risk-management methodology, ISP governance, third-party assurance) before the External Assessor reads them. External Assessors read them very carefully, and HITRUST QA reads them again.

The External Assessor is hired separately. We are scope & readiness; they are independent assessment. We’ve walked clean engagements with most major HITRUST Authorized External Assessors and will introduce you to firms calibrated to your tier, sector, and engagement temperament. The External Assessor you pick on day one is the firm you’ll work with through interim assessments and re-certification. Choose with that in mind.

Engagement structure

Right tier first. Policy/procedure stack second. Then argue about scoring.

If your buyer requires i1, we do i1, and do it well. If they require r2, we do r2, honestly. We do not over-scope to bill more, and we do not under-scope to win the engagement and discover the gap in month nine. HITRUST’s maturity-scoring model rewards mature operations: policy + procedure + implementation + measurement + management. Score honestly in the self-assessment; the External Assessor and HITRUST QA will catch inflated scoring, and the cost of that catch is months.

§ VII · Where engagements stall

Six places HITRUST programs go sideways.

After running these for years, the failure modes are remarkably consistent. The technical ones are easier than the organizational ones.

01 / Wrong tier

r2 scoped when i1 was contractually enough.

A team chases r2 because someone said “certified” without specifying. The buyer’s actual contract requires i1, or only HITRUST CSF Validated. The team spends 12 months on the heaviest assessment in commercial use when 4–6 months would have closed the contract. Get the requirement in writing before MyCSF setup.

02 / Inflated maturity scoring

Self-assessment scores the External Assessor cannot defend.

A team scores Implemented + Measured across the board in self-assessment. The External Assessor walks the evidence and the scores collapse to Procedure-only. HITRUST QA catches this and rejects the assessment. Score honestly in self-assessment; score upward by closing CAPs, not by editing cells.

03 / BAA chain gaps

Sub-processors processing PHI without a BAA.

Domain 14 walks the third-party inventory. A sub-processor (an analytics vendor, a backup provider, a managed-service partner) touches PHI but has no BAA in place. Findable in five minutes; remediable in five months. Run the BAA inventory before the External Assessor does.

04 / Policy without procedure

A policy stack that doesn’t operationalize.

HITRUST’s maturity model wants Policy + Procedure + Implemented + Measured + Managed. Most teams have policies; many have implementation. The middle layer (documented procedures that match the actual operational steps) is consistently thin. The External Assessor will mark every requirement that fails this stack.

05 / Interim assessment surprise

r2 year-1 interim treated as optional.

r2 has a 2-year cycle with a mandatory interim assessment in year 1. Teams plan for the validated assessment, forget the interim, and discover in month 11 that there’s another assessment to run. The interim is lighter but not free. Plan ConMon and the interim into the calendar from day one.

06 / MyCSF as a writing surface

Treating MyCSF like a Word doc.

MyCSF is structured: requirements, scoping factors, maturity scores, evidence references, CAPs. Teams paste long narrative blocks into evidence fields without referencing actual artifacts. The External Assessor, and HITRUST QA after them, want specific evidence with file names, dates, sample sizes. Vague narrative becomes a CAP. Cite the artifact.

§ VIII · External Assessors & HITRUST

HITRUST sets the rules. An External Assessor signs your validated report.

HITRUST is operated by the HITRUST Alliance: a private organization that owns the CSF, runs MyCSF, qualifies External Assessors, and performs QA on every validated assessment. HITRUST itself does not perform assessments. It runs the platform, owns the requirement set, reviews the assessor’s work, and issues (or withholds) the certification letter. Every artifact, every scoping factor, every requirement statement you will fight over lives in MyCSF.

An Authorized External Assessor is a HITRUST-qualified firm authorized to perform validated assessments. Practitioners must hold the CCSFP (Certified CSF Practitioner) credential. Assessors produce the validated assessment report: the artifact HITRUST QA reviews before issuing certification. Picking the right External Assessor matters more than most teams realize: firms vary widely in technical depth, in healthcare-sector experience, in handling of CAPs, and in how they navigate scoring disagreements during fieldwork.

Our role is the inverse of theirs. We do not sign your validated report; we make sure the engagement the External Assessor walks into is one that earns a clean certification letter. We have walked clean engagements with most major Authorized External Assessor firms and will introduce you to two or three calibrated to your tier, your sector, and your buyer profile. The External Assessor you pick on day one is the firm you’ll work with through interim assessments and re-certification, a 3- to 5-year relationship at minimum. Choose with that in mind.

If a security incident occurs after certification, HITRUST may require a Corrective Action Plan or, in severe cases, certification revocation pending re-validation. The External Assessor may be re-engaged for the re-assessment. The day-one certification conversation and the day-after-incident conversation are with the same External Assessor. Do not surprise them.

§ IX · Cross-mapping

HITRUST against the rest of the stack.

HITRUST CSF is built on top of ~40 authoritative sources. Most healthcare vendors run it alongside one or more commercial frameworks; here’s where they overlap and where they don’t.

Overlap with HITRUST r2, by framework, and what you still need to do:

HIPAA Security Rule
Overlap with HITRUST r2: ~85%. HIPAA is one of the foundational sources of the CSF, and Domain 13 is essentially a HIPAA Privacy Rule overlay. HITRUST is HIPAA, and a great deal more.
What you still need to do: HIPAA Privacy Rule operationalization (NPP, individual rights), breach-notification specifics, OCR-facing documentation. HITRUST does not replace BAA execution.

SOC 2 Type 2
Overlap with HITRUST r2: ~50% of evidence carries over. CC6 / CC7 / CC8 map to HITRUST Domains 09 / 10 / 02 / 06. Useful starting point for e1 readiness.
What you still need to do: HITRUST’s ~370-statement r2 catalog, MyCSF maturity scoring, External Assessor + HITRUST QA, healthcare-specific privacy & BAA requirements.

ISO 27001:2022
Overlap with HITRUST r2: ~60%. Annex A maps cleanly to most CSF domains, and the risk-based approach helps with Domain 03. ISO 27001 is one of the CSF’s authoritative sources.
What you still need to do: HITRUST-specific work: maturity scoring, healthcare overlay, BAA chain, External Assessor + QA, privacy practices at HIPAA depth.

NIST CSF 2.0
Overlap with HITRUST r2: ~55%. The CSF Functions (Identify, Protect, Detect, Respond, Recover, Govern) map to HITRUST domains directly. NIST CSF is voluntary; HITRUST is contractual.
What you still need to do: NIST CSF doesn’t certify; HITRUST does. Buyers asking for HITRUST will not accept a NIST CSF self-assessment.

PCI DSS 4.0
Overlap with HITRUST r2: ~40%. Some technical controls overlap (encryption, access, logging). PCI is also a CSF authoritative source.
What you still need to do: If you also process cardholder data, PCI is its own assessment with its own QSA. HITRUST does not satisfy PCI; PCI does not satisfy HITRUST.

GDPR
Overlap with HITRUST r2: ~30%. HITRUST Domain 13 covers privacy mechanics; GDPR adds lawful basis, DSAR mechanics, DPIA, transfer restrictions.
What you still need to do: If you process EU data subjects’ data: lawful basis, ROPA, DPIA, Schrems II transfer mechanics, all entirely separate from HITRUST.

§ X · HITRUST CSF v11 & what changed

The biggest reform since 2007.

HITRUST CSF v11, released in early 2023 with periodic minor refreshes (v11.0.1, v11.1, v11.2, v11.3) through 2024-25, is the most significant overhaul of the framework since the program began. The headline goals are threat-adaptiveness (i1 mapped explicitly to current threat data), privacy depth (Domain 13 modernized for state privacy laws + GDPR alignment), and tier portability (assessment results from a lower tier inform a higher one). Adoption has rolled out through 2024 and 2025; assessments started after a defined cutoff use the current v11.x by default.

  • Threat-adaptive i1. The i1 requirement set is calibrated to current threat-actor TTPs: ransomware, business-email compromise, supply-chain attacks. HITRUST refreshes the catalog as threats evolve; you assess against today’s threats, not 2018’s.
  • Privacy depth in Domain 13. Lawful basis, individual-rights workflows (access, amendment, accounting of disclosures), authorization mgmt for non-TPO uses, minimum-necessary review: all sharpened. Aligned with HIPAA Privacy Rule and increasingly with state privacy laws (CCPA/CPRA and the 15-state patchwork).
  • Inheritance from authoritative sources. v11 maps every requirement statement back to its authoritative sources (HIPAA, NIST, ISO 27001, PCI, etc.) more cleanly. If you hold ISO 27001, you can identify exactly which CSF requirements you’re already covering.
  • Tier portability. Assessment work for e1 informs i1; i1 informs r2. You don’t fully restart on tier upgrade. An e1-then-i1-within-12-months sequence is a viable readiness path for some teams.
  • Continuous quality improvement. HITRUST releases periodic v11.x updates between major versions. Assessments started before a refresh complete on the version they began with; new assessments use the current version.
  • AI overlay (emerging). HITRUST has begun publishing AI-specific assurance overlays for organizations using AI in PHI processing. Expect this to firm up through 2025-26 and to become a buyer ask for AI-enabled healthcare vendors.

Read our deeper take in Field Notes Vol. VII: “HITRUST v11 in the field: what readiness firms should be doing for i1 and r2 in 2025.”

§ XI · Pairs with

HITRUST is rarely the only framework.

A short list of what we typically scope alongside it, in order of how often the question comes up.

§ XII · FAQ

Frequently asked.

Are we HITRUST certified after a clean validated assessment?
Only if you meet the scoring threshold and HITRUST issues a certification letter. Validated and Certified are different outcomes. A validated assessment is the work the External Assessor performs; certification is the letter HITRUST issues if your maturity scores cross the bar across every required domain. Don’t describe yourself as “HITRUST certified” without the letter in hand; payers check the HITRUST Assurance Program directory.
What does a HITRUST engagement cost?
Three costs to separate. Nexurion readiness: e1 $40–120k · i1 $120–300k · r2 $250–700k for a first-time certification, depending on stack complexity, current posture, and scoping factors; senior-led, evidence pre-built. External Assessor fees: e1 ~$30–80k · i1 ~$80–200k · r2 ~$200–500k, paid separately to the assessor firm. HITRUST platform fees: MyCSF subscription + assessment fees, typically $30–100k+ depending on tier and scoping. We do not collect External Assessor fees, and we do not refer to a firm we have a financial relationship with.
Do we need r2 if our buyer just said “HITRUST”?
Probably yes, but ask in writing. “HITRUST CSF certified” in a vendor-security exhibit, with no tier specified, almost always means r2. An exhibit that says “HITRUST validated” or “HITRUST i1” explicitly will accept i1. The absolute worst answer is to assume i1 and discover at year-end that procurement won’t accept it. Email the procurement contact, get the answer in writing, attach it to the engagement file. This conversation is 30 minutes; the wrong tier costs 12 months.
What is e1 actually for?
e1 is HITRUST’s entry-level certification: ~44 essential requirements, one-year cycle, designed for low-risk vendors and smaller organizations. It’s aimed at teams that need some healthcare-credible certification but cannot defend i1’s 182 statements or r2’s 300+. Some payers accept e1 from low-risk vendors (no PHI processing, indirect data flows). Many do not. e1 is also a useful stepping stone toward i1 within 12 months: tier portability under v11 reuses some of the work.
Can our cloud provider’s HITRUST inheritance cover us?
Partially. AWS, Azure, GCP all hold HITRUST inheritance for the IaaS layer they operate: physical security, environmental controls, large parts of network and infrastructure security. Your CSO sits on top and inherits some controls, customer-shares others, and owns the rest. Read the inheritance documentation line-by-line before you scope. Treat inheritance as evidence-saving, not work-eliminating: you still own application-layer access, encryption configuration, logging, and the procedures around all of it.
Does SOC 2 satisfy HITRUST?
No. They overlap meaningfully on access control, logging, change management: but SOC 2 has no concept of HITRUST tiers, no CSF requirement set, no MyCSF, no maturity scoring, no External Assessor + HITRUST QA, no certification letter. A clean SOC 2 report is good supporting evidence in a HITRUST engagement; it is not a certification. Most healthcare vendors hold both.
What changed under v11?
Three things, in plain terms. One: i1 is threat-adaptive: calibrated to current threat-actor TTPs and refreshed as threats evolve. Two: Domain 13 (privacy) is materially deeper, aligned with HIPAA Privacy and increasingly with state privacy laws. Three: tier portability: assessment work for a lower tier informs a higher one. The reform is being rolled out in stages through 2025-26, with periodic v11.x updates.
What about continuous monitoring: how heavy is it?
Lighter than FedRAMP, heavier than SOC 2 between annual audits. Annually for e1 and i1: full validated assessment, recertification. Every two years for r2, with a mandatory interim assessment in year 1: the interim is lighter but real, and teams that forget it scramble. Continuously: incident-response operation on HIPAA breach-notification clocks, third-party-risk monitoring, vulnerability remediation against your published SLAs. CAPs from validated assessment must be tracked & closed; HITRUST QA can audit progress. Plan ConMon as a function with named owners, not a quarterly project.

§ XIII · From the Brief

Field notes on HITRUST.

Pieces from The Field Notes directly relevant to the program.

HITRUST on the calendar? Get the 5-minute tier memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written tier memo: the HITRUST tier your buyer’s contract actually requires (e1, i1, or r2), an honest read on whether your existing SOC 2 or HIPAA work shortens the readiness calendar, the External Assessor profiles to consider, and a realistic cost & calendar to the certification letter. The booking link is at the bottom of the memo.