HITRUST Assessment Types
HITRUST offers three assessment types designed for different organizational needs and maturity levels. Understanding the differences helps you choose the right starting point and plan your HITRUST journey effectively.
e1 Assessment (Essentials)
The e1 is HITRUST's entry-level assessment, covering approximately 44 foundational security controls. It is designed for organizations with lower risk profiles or those beginning their HITRUST journey. The e1 results in a one-year certification.
Best for: Smaller organizations, lower-risk environments, or companies starting their HITRUST journey. Timeline: 3 to 6 months. Cost: $20,000 to $50,000 including assessor fees.
i1 Assessment (Implemented)
The i1 is a mid-level assessment covering approximately 182 controls focused on leading security practices. It verifies that controls are implemented but does not require the maturity depth of the r2. The i1 results in a one-year certification.
Best for: Mid-sized organizations or those needing more assurance than e1 but not ready for r2. Timeline: 4 to 8 months. Cost: $30,000 to $80,000 including assessor fees.
r2 Assessment (Risk-Based)
The r2 is the comprehensive HITRUST assessment, covering the full set of risk-based controls (often 300+ depending on scoping). It evaluates both implementation and maturity across all five maturity levels. The r2 results in a two-year certification with an interim assessment in year one.
Best for: Organizations whose customers explicitly require HITRUST r2 certification, or those wanting the most comprehensive assurance. Timeline: 6 to 18 months. Cost: $50,000 to $200,000+ including assessor fees.
Choosing Your Assessment
Start with what your customers require. If healthcare customers specifically ask for HITRUST r2, that is your target. If they accept lighter assessments, start with e1 or i1 and progress over time. Many organizations start with i1 and move to r2 as their program matures.
The Progression Path
HITRUST designed the assessments as a progression path. Start with e1 to establish foundational controls, move to i1 to demonstrate broader implementation, and achieve r2 for comprehensive certification. Each step builds on the previous one, making the progression efficient.
In the next lesson, we will cover HITRUST control categories in detail.