Home » HITRUST – i1 or R2?

Publication date: October 5, 2022

HITRUST – i1 or R2?

What is HITRUST and why would my organization need it?

Share this content

Written by Angela Polania

Angela Polania, CPA, CISM, CISA, CRISC, HITRUST, CMMC RP. Angela is the Managing Principal at Elevate and board member, and treasurer at the CIO Council of South Florida.

HITRUST CSF is an international compliance standard set for the Healthcare industry. It was developed in 2007 to provide information protection, risk management, and regulatory compliance standards. Holding a HITRUST certification provides your organization with a competitive advantage as it means your organization puts privacy and protection for your business and your customers at the forefront. Whether you work in healthcare directly or provide a cloud-based service, oftentimes, companies that your organization wishes to do business with will require you to become HITRUST certified. This task can become rather burdensome, especially for those who have no prior experience with HITRUST. Elevate will assist with your firm’s readiness and prepare you to pass the HITRUST CSF Validated Assessment, which is the first step to receiving your HITRUST CSF Validated Certification.

Up until the beginning of 2022, there has only been one level of HITRUST certification that an organization must pass to remain HITRUST compliant – the HITRUST CSF Validated Assessment. The HITRUST CSF’s certification is valid for two years, but HITRUST recognized that although the assessment is biennial, it is a “significant undertaking for organizations”, between the effort and cost that this extensive assessment causes organizations to incur, especially those of a smaller size and less risk exposure. As a result, HITRUST stated, “the highest level of information protection assurance is not needed by every organization or vendor relationship.” Starting in January 2022, HITRUST started to offer two types of assessments – a one-year, less-intensive i1, and their “original” 2-year HITRUST CSF, now referred to as R2.

The less-intensive i1 assessment is a derivative of the R2 assessment, so if one is familiar with the R2, it will be a more moderate assessment, but there are some key similarities and differences between the two that are worth noting.

The graphic below compares most of the similarities and differences between the two options, but some key notes worth highlighting are listed below:


  • Both assessments deliver HITRUST’s “Gold Standard”, however, only the R2 assessment can receive a HITRUST-issued certification over the NIST Cybersecurity framework.
  • Both assessments receive a shareable, final report issued by HITRUST.
  • Both require the use of HITRUST CSF and MyCSF.
  • Both require an authorized HITRUST External Assessor Organization to inspect documented evidence.
  • Both utilize the HITRUST Control Maturity Scoring Rubric (although the i1 only uses a portion of the rubric).
  • Final reports from both can be shared through HITRUST Assessment XChange and final assessments from both can be shared through HITRUST Results Distribution System.
  • Both have a 90-day limit on the external assessor’s fieldwork window.
  • Both assessments are composed of the same quality of deliverables through HITRUST’s QA process, including the HITRUST Assurance Intelligence Engine.
  • QA review for both assessments must be scheduled using the HITRUST QA Reservation System.


  • An R2 assessment considers 75 HITRUST CSF control references and determines the inherent risk, creating a scope of 219 to 2,000 requirements. The i1 assessment is industry-agnostic, designed to adapt and evolve in a constantly changing environment. The controls for an i1 are based on threat intelligence and best practice controls determined by HITRUST, which may change as HITRUST actively reviews cyber threat intelligence data. Changes are made on a quarterly basis and requirement updates are made through a major/minor release of the HITRUST CSF.
  • The R2 assessment will provide the highest level for information protection, whereas the i1 is a more moderate level with a focus on security hygiene and cybersecurity best practices (best practices are updated quarterly as a major/minor release in CSF.)
  • The assessments have various feature differences amongst a chosen certification path. All i1 assessments will have HITRUST’s enhanced Assessment Workflows, Webforms, and Kanban-style status tracking boards.
i1R2 Comparison Chart

Depending on the size and scope of your corporation, a full R2 assessment may no longer be necessary to remain HITRUST CSF compliant; You may be eligible to conduct the new i1 assessment instead where you will save sufficient time and money. Not sure which route to take? Our experienced consultants will be able to help you determine which assessment would be the most appropriate for your organization. If your goal is to become HITRUST compliant, our readiness assessment is a great first step.

Related posts

Contact Elevate today to learn more about Elevate Insights

Elevate // +1 (888) 601-5351 // Monday to Friday 9am-6pm