HITRUST announced several big changes aimed at helping organizations achieve different levels of assurance.
The biggest change is there are now two different validated assessments: the r2 and the i1. The good news for many organizations? The i1 is quicker, more affordable and less complex.
What is the HITRUST r2 assessment?
If you’ve already achieved HITRUST certification, the r2 assessment is going to be familiar to you. HITRUST has renamed the HITRUST CSF Validated Assessment to the HITRUST Risk-Based, 2-Year (r2) Validated Assessment, or the r2 for short.
The r2 will continue to provide the highest level of assurance — being most appropriate for organizations with greater risk exposure — and will be valid for two years after an organization achieves certification.
What is the HITRUST i1 assessment?
New is the HITRUST Implemented, 1-Year (i1) Validated Assessment, or i1 for short. HITRUST calls it a “best practices” assessment intended for situations of more moderate risk that wouldn’t necessarily require the r2 assessment.
The i1 is meant to be continuously relevant and adaptive to ever-evolving cybersecurity threats, with a control set that evolves over time. As such, it’s only valid for one year, not two. Fortunately, while it will still provide high levels of transparency, integrity and reliability, it won’t actually be as time- and effort-intensive, or as expensive to complete, as the r2.
What are the main differences between r2 and i1?
The i1 is simpler than the r2, but how so? There are really three main differences:
Maturity levels: The first difference is in the maturity levels. The r2 assessment will continue to evaluate each of your organization’s security controls against the five levels of the HITRUST maturity model: policy, procedures, implemented, measured and managed.
The i1 assessment, however, will only test “implemented” to ensure controls are in place and operating as intended.
This makes sense when you consider the scoring changes HITRUST made in 2020. Before, policy, process and implementation each accounted for 25% of the final score. With the 2020 change, policy was lowered to 15%, process was lowered to 20% and implementation was raised to 40%. Implementation has been growing in importance for HITRUST, and this is reflected in the new i1 assessment.
Requirements: The second difference is the amount of control requirements. The r2 has over 2,000 possible requirements, with an average of 360 included in the scope of assessments. In contrast, the i1 has 219 static requirements, meaning they’re the same for all organizations undergoing the i1. These 219 requirements are based on NIST SP 800-171 and the HIPAA Security Rule, while the r2 is based on NIST, HIPAA, FedRAMP, GDPR, the AICPA, and dozens more.
Note that, as part of its commitment to making i1 a continuously relevant and threat-adaptive assessment, HITRUST will evaluate i1 requirements on a quarterly basis to ensure they remain relevant to current threat intelligence. If you get certified under i1, you won’t have to certify against the new requirements until your next i1 assessment.
Timing: The last main difference is that the r2 is valid for two years, while i1 is valid for one year. As with the HITRUST CSF Validated Assessment, if you undergo r2, a year after achieving certification, you’ll go through the interim assessment that randomly selects different controls to ensure they are still operating effectively and/or that you’ve taken steps to close identified Corrective Action Plan items (CAPs).
Should you choose r2 or i1?
Which validated assessment you choose will largely depend on your risk exposure. The r2 is more comprehensive and suited for organizations with high assurance requirements, while the i1 is focused on best security practices and more moderate assurance requirements.
You might also look into i1 if your organization is looking to get HITRUST Certified for the very first time, as it will be faster and less complex than the r2. Once you have the experience of i1 under your belt and your risk exposure warrants higher assurance, you can undergo the much more complex r2 the following year.
Lastly, larger organizations that are looking to roll new acquired business units into their r2 certification may choose to undergo an i1 assessment in the first year for the new business unit and can then sync up the business unit with the larger validated assessment when they recertify.
Wipfli can help you get certified
Whether you choose the i1 or the r2, Wipfli can help you achieve HITRUST Certification. We can guide you through a readiness assessment to identify and close gaps and prepare you for the validated assessment. As an Authorized HITRUST External Assessor, we can also work with you on your validated assessment.
We’ve been helping organizations achieve HITRUST Certification since 2013, when we were one of the first firms to become an Authorized HITRUST External Assessor. Click here to learn how Wipfli can help you with your certification.