Glossary of Compliance


HITRUST Assessment Process

HITRUST requires organizations to follow a step-by-step process to evaluate their information security posture against its framework (the HITRUST CSF). The process includes:

  • Conduct a readiness assessment: This is a self-assessment that establishes your current state and identifies gaps in control implementation. Doing this shows how well your organization aligns with HITRUST requirements before you proceed to a formal assessment, so that gaps can be remediated rather than surfacing as failures later.
  • Select controls: Choose the appropriate assessment type and control set based on your level of risk and your regulatory requirements. The two assessment types most organizations choose between are the Implemented, 1-Year (i1) assessment and the Risk-Based, 2-Year (r2) assessment. The i1 uses a fixed, prescriptive control set and suits lower-risk environments; the r2 tailors the control set to your organization's risk factors, is more comprehensive, and suits higher-risk organizations or those whose customers demand the higher level of assurance.
  • Undergo the validated assessment: Once you have completed the readiness phase and remediated the gaps it revealed, the next step is the validated assessment. You first score your own control implementation, and then a HITRUST Authorized External Assessor, an independent third party, validates those scores by testing whether the required controls are actually implemented and whether they operate as intended.
  • Submit and get certified: Once the external assessor completes their evaluation, the results are submitted to HITRUST, which performs its own quality-assurance review for consistency and completeness. If the requirements are met, HITRUST issues the certification, which is valid for one year (i1) or two years (r2). Note that an r2 certification is conditional on an interim assessment at the one-year mark to confirm that the controls remain in place.
