Is the HITRUST i1 Assessment Your Best Option?



In December of 2021, HITRUST announced an expansion of the HITRUST assessment portfolio to help organizations of all sizes demonstrate a commitment to cybersecurity. The portfolio now includes the new HITRUST Implemented, 1-year (i1) Validated Assessment. The i1 Assessment is a Validated Assessment that offers an organization the opportunity to obtain HITRUST Certification with less effort than the traditional Validated Assessment, now referred to as the HITRUST Risk-Based, 2-year (r2) Validated Assessment.

The i1 Assessment has a standard set of 219 controls based on NIST SP-800, HIPAA Security Rule, GLBA Safeguards, and the US Department of Labor EBSA Cybersecurity Control Best Practices. The 219 controls are the same for all organizations and are not scoped to your organization’s specific environment, as occurs with the r2 Assessment. Additionally, the i1 assesses an organization only against the implementation of these controls and does not require formal policy and procedure documentation to be assessed.

Like the r2, the i1 requires that the organization first have its assessment tested by a HITRUST External Assessor Firm, which submits the assessment to HITRUST for final validation and certification. As with the r2, HITRUST recommends doing a Readiness Assessment prior to submitting your Validated i1 evidence to HITRUST.

What to keep in mind when considering the i1 Assessment

The i1 is a one-year assessment, whereas the r2 is a two-year assessment. While the i1 has a more limited number of controls, the cost savings from testing fewer controls may be offset by the added expense of doing a full assessment every year instead of every two years.

The HITRUST Implemented, 1-year (i1) Validated Assessment appears to be a great stepping stone to the HITRUST Risk-Based, 2-year (r2) Validated Assessment. For smaller organizations or start-ups with good security practices, it allows them to certify those practices without requiring the extensive policy and procedure documentation that often slows down the certification process. However, organizations will need to have some documented policies and procedures to meet the standards.

Doing the i1 as your first assessment should reduce the time required to perform both your Readiness and Validated Assessments and allow you to have a HITRUST Certification sooner. However, over the long term, continuing to enhance your policies, procedures, and controls to obtain the r2 Certification will demonstrate more control maturity to your stakeholders.

If you are seeking to obtain HITRUST Certification to meet a request of your client, you will need to make sure that the i1 will satisfy that requirement.

For either certification, it is vital to do a Readiness Assessment prior to submitting your assessment to HITRUST for certification. Unlike other control frameworks, HITRUST does not allow any remediation after the assessment is submitted. As a result, it’s important to make sure that your controls are functioning as required and do any remediation prior to your validated assessment.

Written by:


CompliancePoint on:
