New Additions to the HITRUST Assessment Portfolio



HITRUST held its annual HITRUST Collaborate conference the week of October 4th, 2021. During this conference, HITRUST announced an expansion of the portfolio of HITRUST assessments designed to help provide differing levels of assurance based on an organization’s needs.

HITRUST CSF Basic, Current State (bC) Assessment

The HITRUST CSF Basic, Current State (bC) Assessment is a new product that will allow HITRUST to provide a higher level of assurance than what is currently provided with self-assessments. This assessment will be reviewed by HITRUST using its artificial intelligence tool to help identify potential concerns, instead of simply indicating that the assessment was completed by the organization without any review by HITRUST. However, the bC Assessment is not a HITRUST Certified Assessment.

HITRUST refers to the bC Assessment as a verified self-assessment. It includes 71 HITRUST control requirement statements that are not tailored based on an organization’s business or size. The bC Assessment is based on NISTIR 7621: Small Business Information Security Fundamentals.  

HITRUST CSF Implemented, 1-Year (i1) Validated Assessment

The HITRUST CSF Implemented, 1-Year (i1) Validated Assessment is a new product designed for medium-sized organizations where there is moderate risk or where a baseline risk assessment is required. This assessment has approximately 200 control requirement statements and is based on NIST SP800-171 and the HIPAA Security Rule. Organizations will be assessed against all controls (no tailoring), and after review by HITRUST, if the controls meet the HITRUST standards, the organization will receive a Validated Assessment with Certification.  

HITRUST CSF Risk-based, 2-Year (r2) Assessment

HITRUST plans to begin offering the bC and i1 Assessments before the end of 2021. These assessments are designed as additions to the HITRUST assessment program and do not replace the HITRUST CSF Validated Assessment, which provides the highest level of assurance. Moving forward, the HITRUST CSF Validated Assessment will be known as the HITRUST CSF Risk-based, 2-Year (r2) Assessment.  

Coming Soon: HITRUST Privacy Assessment

The HITRUST Privacy Officer also provided an update on the new HITRUST Privacy Assessment that they plan to release in 2022. HITRUST said its market surveys showed an overwhelming expectation that organizations would soon be required to provide certifiable evidence of privacy compliance. The assessment is being developed using a very similar approach to the current Risk-based, 2-Year (r2) Validated Assessment. HITRUST is building the assessment using the NIST Privacy Framework, ISO 27001 Privacy Framework, APEC Framework, GDPR, CCPA, and FIPP. The identified controls will be broken down into eight domains, and organizations will be assessed against those domains.

Written by: CompliancePoint
