Glossary of Compliance


HITRUST Risk-based, 2-year (r2) Validated Assessment

The HITRUST Risk-Based, 2-Year (r2) Validated Assessment is a comprehensive certification program whose assessments are tailored to give an in-depth evaluation of an entity's information security and risk management practices.

The r2 centers on assessing the implemented security controls and their maturity levels, which makes it appropriate for higher-risk environments that require more thorough protection against threats.

The security and privacy controls in the r2 assessment are mapped to numerous regulatory frameworks, including HIPAA, NIST, and ISO. This simplifies the overall compliance process, because an organization can demonstrate compliance in all these areas at once with a single assessment.

While the HITRUST i1 assesses an organization against a baseline set of controls, the r2 evaluates the extent to which an organization's controls are tailored to its own risk appetite.

The process starts with a readiness assessment, in which the organization surveys its own security deficiencies. An external assessor then performs the Validated Assessment to evaluate the strength and complexity of the organization's controls. This involves reviewing how each control is implemented, checking that it operates as intended, and evaluating how well the existing controls address the organization's risks.

When the assessment is complete, the results are compiled and submitted to HITRUST. After completing the assessment, the organization receives HITRUST r2 certification for two years. After one year, the organization must undertake an Interim Assessment to verify that controls are working as planned and that new risks are properly addressed.
