HITRUST CSF v11 Certification: e1 vs i1 vs r2 Compared

Framework Guide · 14 min read

Ghulam Rasool
Founder & Compliance Engineering Lead · CISGuard

Why HITRUST Certification Matters for Healthcare and Beyond

HITRUST (the Health Information Trust Alliance) maintains the HITRUST Common Security Framework (CSF), a comprehensive control framework that maps to HIPAA, ISO 27001, NIST 800-53, PCI DSS, GDPR, and many other regulatory and industry frameworks. While originally developed for healthcare, HITRUST CSF is increasingly used across industries that handle sensitive data and want a single comprehensive framework instead of operating against many simultaneously.

HITRUST certification — assessment against the CSF by an authorized external assessor — is widely required in healthcare business associate agreements (BAAs), in insurance carrier security questionnaires, and in many vendor risk programs. For organizations that hold protected health information (PHI), the choice is often not whether to pursue HITRUST but which level of HITRUST assessment to pursue.

HITRUST CSF v11, released in early 2023, introduced a three-tier assessment model: e1, i1, and r2. The tiers replace the prior "validated assessment" model with graduated certifications matched to organizational risk and maturity. The model is designed to provide a structured progression and to make the CSF accessible to smaller organizations that would have struggled to achieve full validated certification.

The Three Certification Pathways

Level | Controls | Effort | Validity | Typical use case
e1 (Essentials) | 44 controls | Limited | 1 year | Smaller organizations, low-complexity environments, foundational program
i1 (Implemented) | 182 controls | Moderate | 1 year | Mid-sized organizations, established programs, mid-tier risk
r2 (Risk-based, two-year) | Tailored from 156+ controls | High | 2 years (with interim review) | Mature programs, regulated environments, comprehensive certification

The e1, i1, and r2 progression is intentional. Organizations can start at e1, advance to i1, and ultimately pursue r2 as the program matures. Each level provides demonstrable certification value at its tier, and each is recognized in the marketplace.

e1: Essentials

The e1 assessment evaluates 44 critical security controls. It is the entry-level certification and is designed to be achievable for organizations that lack the resources for full HITRUST certification but want a credible third-party validated baseline.

What the 44 controls cover:

Basic access controls (authentication, account management, MFA)

Foundational logging

Encryption of data in transit and at rest

Vulnerability management basics

Incident response basics

Awareness training

Service provider oversight at a foundational level

The e1 assessment process:

1. Organization completes the e1 assessment within MyCSF, the HITRUST assessment platform

2. Authorized HITRUST assessor validates the implementation

3. HITRUST issues the e1 certification, valid for one year

4. Annual recertification is required to maintain status

The e1 certification is appropriate for organizations early in their security maturity journey, smaller organizations with limited resources, or organizations that need a credible baseline before committing to i1 or r2. Many vendor risk programs accept e1 as a starting point for new vendors.

i1: Implemented

The i1 assessment evaluates 182 controls drawn from a broader subset of the HITRUST CSF. It is the most common HITRUST certification for mid-sized organizations and represents a substantial step up in rigor from e1.

The i1 assessment process:

1. Organization scopes the assessment to its specific environment and data

2. Self-assessment within MyCSF against the 182 controls

3. Authorized assessor performs validation of implementation and operational effectiveness

4. HITRUST review and certification decision

5. Annual recertification required to maintain status

The 182-control set is comprehensive enough to satisfy most healthcare BAAs and most insurance carrier security requirements. For organizations whose customers ask "are you HITRUST certified?" without specifying a tier, i1 is typically the answer.

The validity period is one year. Annual recertification is required, meaning the program must produce evidence continuously, not only in advance of the assessment.

r2: Risk-based Two-year

The r2 assessment is the most comprehensive HITRUST certification. It is risk-tailored: the specific controls in scope are determined by the organization's risk profile, the data it handles, and the regulatory frameworks it must satisfy. Most r2 assessments cover 156 or more controls, depending on the scoping.

The r2 process is substantially more rigorous:

1. Detailed scoping including data flows, system inventory, and regulatory mapping

2. Risk assessment that determines which controls apply and at what maturity level

3. Multi-month evidence collection across all in-scope controls

4. Authorized assessor on-site or remote validation

5. HITRUST review and certification decision

6. Validity period of two years, with an interim review at year one

The r2 certification is appropriate for mature programs operating in highly regulated environments (large healthcare organizations, major insurance carriers, federal contractors handling PHI), organizations whose customer base spans multiple regulatory frameworks (HIPAA, PCI, GDPR simultaneously), and organizations that need the most comprehensive third-party validation available.

How HITRUST Maps to Other Frameworks

The CSF's value beyond healthcare comes from its mapping to other frameworks. A single HITRUST assessment can satisfy or substantially overlap with:

HIPAA Security Rule

ISO 27001:2022

NIST SP 800-53 Rev. 5

NIST SP 800-171

PCI DSS v4.0

SOC 2 Trust Services Criteria

GDPR Article 32

CMMC Level 2

AICPA Trust Services Criteria

FedRAMP Moderate

And dozens of state-level and international frameworks

The mapping is bidirectional. An organization with mature HIPAA Security Rule compliance has implemented most of what the CSF requires for healthcare scope. Conversely, an organization pursuing HITRUST is implementing controls that satisfy most healthcare regulatory expectations simultaneously.

For organizations that operate against many frameworks, HITRUST is often the most efficient unified certification. The CSF's framework mapping engine produces per-framework reports from the same assessment.

What the MyCSF Assessment Platform Does

HITRUST assessments are conducted within MyCSF, HITRUST's assessment platform. The platform structures the assessment:

Organizes the controls into the appropriate scope for the selected pathway

Captures the organization's implementation responses

Documents evidence references for each control

Supports assessor validation activities

Generates the assessment report and certification artifacts

Maintains the official record of certification status

For organizations new to HITRUST, MyCSF is the working environment for the entire engagement. The platform's structure shapes how evidence must be organized and how implementations must be described.

How Continuous Monitoring Supports HITRUST Certification

HITRUST assessments evaluate operational effectiveness across the whole assessment period. For e1 (one year), i1 (one year), and r2 (two years), the controls must operate continuously, not only at the moment of assessment.

The technical controls in the CSF — particularly in the operational, technical, and information security management categories — map directly to configuration management, access control, audit logging, and continuous monitoring practices that CIS benchmark scanning evaluates automatically.

For HITRUST evidence, continuous CIS benchmark scanning produces:

Per-host, per-day baseline compliance evidence mapped to relevant HITRUST controls

Drift detection records showing that configuration controls remain enforced

Access and authentication configuration evidence for the access-control family of controls

Logging and audit policy evidence for audit and accountability controls

Encryption configuration evidence for cryptographic protection controls

Vulnerability assessment integration for vulnerability management controls

Assessors evaluating HITRUST programs increasingly look for the continuous monitoring infrastructure that produces this evidence. Programs that present manual evidence collection routinely receive findings around evidence completeness, sampling validity, and operational consistency.

Common HITRUST Findings

Across HITRUST assessments at all three tiers, the recurring findings are:

Inconsistent operation across the assessment period. Controls operated at the start of the period but degraded by the assessment date.

Evidence sampling problems. Auditors cannot verify the complete population of in-scope assets or events.

Service provider oversight gaps. Vendor security questionnaires sent at onboarding but never refreshed.

Documentation drift. Policies updated but procedures still reference the prior policy.

Training gaps. Awareness training delivered but completion rates below 100% or refresh cadence not maintained.

Configuration drift. Baselines defined but not enforced; assessor finds inconsistency across hosts of the same class.

Incident response readiness. IR plans exist but have not been exercised.

Patch management lag. Vulnerability remediation beyond the SLA defined in policy.

Most of these findings track to the same root cause: the program is operated as a project, not as ongoing operations. Continuous monitoring tooling shifts the operating model and removes the most common findings as a class.
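The continuous-monitoring evidence described above and the findings listed here are two sides of the same data: a run of per-host, per-day scan records. The Python below is an added example, not CISGuard's or HITRUST's code, that works over constructed scan records for a ten-day period and derives the evidence an assessor would ask for: whether each control family operated on every day of the period, whether any in-scope host is missing from the evidence population, whether hosts of the same class disagree on a given day (configuration drift), and whether vulnerability findings were remediated within the policy SLA. The check names, host names, control-family labels and SLA value are constructed placeholders, not HITRUST control identifiers.

```python
"""Added example (not CISGuard's or HITRUST's code). Evaluates constructed
per-host, per-day benchmark scan records across an assessment period and
produces the evidence and findings a HITRUST assessor looks for."""
from collections import defaultdict
from datetime import date, timedelta

PERIOD_START = date(2024, 1, 1)   # constructed 10-day period (a real one is 1 or 2 years)
PERIOD_DAYS = 10
HOSTS = {"db-01": "database", "db-02": "database", "web-01": "web"}  # host -> host class

# Hypothetical mapping from a benchmark check to the control family it evidences.
CHECK_FAMILY = {
    "ssh_mfa_required": "access control",
    "auditd_enabled": "audit and accountability",
    "disk_encryption": "cryptographic protection",
}


def period_day(offset):
    """Calendar date for day `offset` (0-based) of the assessment period."""
    return PERIOD_START + timedelta(days=offset)


def build_sample_scans():
    """Constructed scan records: dicts with day, host, check, passed."""
    scans = []
    for d in range(PERIOD_DAYS):
        for host in HOSTS:
            if host == "web-01" and d == 3:
                continue  # no record for this host that day: a gap in the evidence population
            for check in CHECK_FAMILY:
                # db-02 loses auditd from day 6 onward: a control that degrades mid-period
                passed = not (host == "db-02" and check == "auditd_enabled" and d >= 6)
                scans.append({"day": period_day(d), "host": host, "check": check, "passed": passed})
    return scans


def evidence_gaps(scans):
    """(day, host) pairs where an in-scope host has no scan record (sampling problem)."""
    seen = {(s["day"], s["host"]) for s in scans}
    return [(period_day(d), h) for d in range(PERIOD_DAYS) for h in HOSTS
            if (period_day(d), h) not in seen]


def failing_days_by_family(scans):
    """Per control family, the sorted days on which any host failed a mapped check.
    An empty list is 'operated continuously' evidence; a non-empty list is an
    'inconsistent operation across the period' finding."""
    failed = defaultdict(set)
    for s in scans:
        if not s["passed"]:
            failed[CHECK_FAMILY[s["check"]]].add(s["day"])
    return {fam: sorted(failed[fam]) for fam in set(CHECK_FAMILY.values())}


def class_drift(scans, day):
    """(host_class, check) pairs where hosts of the same class disagree on `day`."""
    results = defaultdict(set)
    for s in scans:
        if s["day"] == day:
            results[(HOSTS[s["host"]], s["check"])].add(s["passed"])
    return sorted(key for key, outcomes in results.items() if len(outcomes) > 1)


def sla_breaches(findings, sla_days, as_of):
    """IDs of findings whose remediation took (or, if still open, has taken) longer than the SLA."""
    return [f["id"] for f in findings
            if ((f["closed"] or as_of) - f["opened"]).days > sla_days]


# Constructed vulnerability findings; the policy SLA used below is 30 days.
SAMPLE_FINDINGS = [
    {"id": "F-1", "host": "db-01", "opened": period_day(0), "closed": period_day(19)},
    {"id": "F-2", "host": "web-01", "opened": period_day(0), "closed": period_day(45)},
    {"id": "F-3", "host": "db-02", "opened": period_day(4), "closed": None},  # still open
]

if __name__ == "__main__":
    scans = build_sample_scans()
    print("evidence gaps:", evidence_gaps(scans))
    print("failing days by family:", failing_days_by_family(scans))
    print("same-class drift on day 7:", class_drift(scans, period_day(7)))
    print("SLA breaches as of day 60:", sla_breaches(SAMPLE_FINDINGS, 30, period_day(60)))
```

Each function returns a structured result rather than a verdict, so the same run can feed a per-control evidence export (the empty failing-day lists) and a findings list (the gaps, the drifting host class, the overdue remediations). Note that `sla_breaches` counts open findings against the as-of date, so a finding that has merely not been closed yet still surfaces once it passes the SLA.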

How CISGuard Supports HITRUST Certification

CISGuard's continuous CIS benchmark scanning produces direct evidence for the technical controls in the HITRUST CSF:

22 CIS benchmarks covering the platforms most PHI and other regulated data lives on

HITRUST control mapping included in framework reporting, with per-control coverage and drill-down to underlying CIS controls

Continuous drift detection demonstrating that controls operate across the full assessment period

MyCSF-compatible reporting with timestamps, sampling support, and per-host evidence

Multi-framework mapping showing simultaneous coverage of HITRUST, HIPAA, ISO 27001, SOC 2, NIST 800-53, and other applicable frameworks

Immutable audit trail of every scan, drift event, and remediation across the certification period

See HITRUST-aligned features in CISGuard or request a HITRUST readiness review.

CIS Benchmarks and CIS Controls are trademarks of the Center for Internet Security, Inc. (CIS). CISGuard is an independent product by GR IT Services and is not affiliated with, endorsed by, or certified by the Center for Internet Security. References to CIS Benchmarks are for informational purposes and describe interoperability with published security standards. NIST, ISO, SOC 2, HIPAA, GDPR, and other framework names are property of their respective owners.
