PCI DSS 4.0 - Are You Ready? Get a Discount on a Readiness Assessment - Learn More
HITRUST CSF Certification
Author Picture

New HITRUST Assessment Options for 2022

There are some big changes on the horizon for HITRUST. We can expect to see some new assessment options and the release of the most up-to-date HITRUST CSF® version—which will also be renamed the HITRUST Risk-based, 2-year (“r2”) Validated assessment–by the end of 2021. 

The HITRUST Collaborate conference was held recently, during the week of October 4th, 2021. HITRUST used this opportunity to announce an extension of its portfolio of HITRUST assessments geared to provide varying degrees of assurance based on an organization’s needs. 

At the conference event, HITRUST unveiled two new assessment options that were developed in response to the growing demand for different levels of assurance and greater ‘rely-ability’. Similar to the HITRUST CSF Validated Assessment, these new solutions will guide organizations in determining control efficacy as well as cyber preparedness and resilience.  

What HITRUST Assessment Options Are Being Introduced? 

Starting later this year, the expanded HITRUST assessment portfolio will also include: 

Verified Self-Assessment  

Termed the Basic, Current-State (bC) Evaluation, this assessment is considered a “good hygiene” check for organizations of virtually any size. It provides a great degree of reliability than a regular self-assessment or questionnaire because it is validated with the assistance of the HITRUST Assurance Intelligence Engine™ (AI Engine).  

Validated Assessment + Certification 

The Implemented, 1-Year (i1) Validated Assessment is a “best practices” assessment meant for medium- to large-sized businesses and situations involving moderate risk or the necessity for a baseline risk assessment. With the equivalent time, effort, and expense, the i1 achieves the goal of increasing transparency, integrity, and reliability than the moderate assurance reports currently available.  

The i1 Validated Assessments will be validated by HITRUST Authorized External Assessors. This has two main benefits for the assessed entity that were not previously possible together; it’s certifiable and provides a moderate level of assurance.  

Validated Assessment + Risk-Based Certification 

The HITRUST CSF Validated Assessment continues to be the most comprehensive standard for multiple industries as a risk-based and customizable assessment. It will represent the highest degree of assurance going forward as well, although it will go by a new name: HITRUST Risk-Based, 2-Year (r2) Validated Assessment. The r2 is designed for situations with high-risk exposure owing to data quantities, regulatory compliance, or other risk considerations. 

Current-State Assessment (bC)
HITRUST Implemented,
1-Year (i1) Validated Assessment
HITRUST Risk-Based,
2-Year (r2) Validated Assessment
(Formerly: HITRUST CSF Validated Assessment)
DescriptionVerified Self-AssessmentValidated Assessment + CertificationValidated Assessment + Risk-Based Certification
Purpose (Use Case)Focus on good security hygiene controls in virtually any size organization with a simple approach to evaluation, which is suitable for rapid and/or low assurance requirementsFocus on security best practices in medium-sized and larger organizations with a more rigorous approach to evaluation, which is suitable for moderate assurance requirementsFocus on a comprehensive risk-based specification of controls suitable for most organizations with a very rigorous approach to evaluation, which is suitable for high assurance requirements
Number of Control Requirement Statements71 StaticApproximately 200 Static2000+ based on tailoring; (360 average in scope of assessments)
Flexibility of Control SelectionNo TailoringNo TailoringTailoring
Targeted CoverageNISTIR 7621: Small Business Information Security FundamentalsNIST SP 800-171, HIPAA Security RuleNIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others
Level of AssuranceLowModerateHigh
Certifiable AssessmentNoYes, 1-YearYes, 2-Year
Complementary AssessmentsNoneReadinessReadiness, Interim, Bridge
*Source: HITRUST. 

Risk-Based Readiness Assessment 

HITRUST’s Risk-Based, 2-year (“r2”) Readiness Assessment is specifically to help organizations as they prepare for a future HITRUST assessment. It’s a self-attested assessment that is designed to establish their security posture and identify any necessary remediation measures. This self-assessment is available for organizations that are approaching the r2 Validated Assessment and the i1 Validated Assessment. 

Interim Assessment 

To maintain HITRUST r2 Certification, each organization must complete an interim engagement 12 months after certification. The HITRUST Interim Assessment allows organizations to keep their certification valid for the full 24 months, when re-certification is required.  

Bridge Assessment 

 The HITRUST Bridge Assessment enables organizations to maintain their HITRUST r2 Certification report for an extra 90 days. This certificate extends the period for which the report is valid even if the re-certification submission due date has lapsed. 

When Will the Expanded HITRUST Assessment Portfolio Be Released? 

HITRUST is expected to officially roll out these new assessment options before the end of 2021. And that is just around the corner! 

What Other Changes Can We Anticipate from HITRUST Going Towards 2022? 

That’s not all! HITRUST has more than hinted at a few additional upcoming changes. 

Increased Efficiency and Accuracy 

The HITRUST Assurance Intelligence Engine will leverage AI to make the assessment process faster and more precise for all three types of assessment options. This automated tool provides real-time feedback to external assessors and directly to assessed entities. It works to discover mistakes and omissions in order to increase the accuracy of the information submitted and, in turn, decreasing the turnaround time needed for HITRUST’s centralized oversight body to issue official assessment reports. 

The new HITRUST Results Distribution System (RDS) will also be available for all HITRUST assessment types. The RDS streamlines the lengthy process of collecting, analyzing, and evaluating assessment data from third-party vendors. It also replaces the clunky and unsecure practice of sharing third-party attested security and privacy assessment reports as PDFs between the attestation body, the assessed entity, and their relying parties. Rather than requiring customers, trading partners, and regulators to manually review the report and look for the information they need, businesses can share assessment findings with interested parties through a secure web portal or API. This makes it faster and easier to glean the information needed to make risk-related decisions.  

Updated HITRUST Framework 

We have been anticipating the release of HITRUST CSF v10.0 that had been scheduled for release in 2020. This would be the first update since HITRUST CSF v9.3 took affect at the beginning of 2020. Experts predicted that this newer version would further expand the cybersecurity framework to be more easily applicable for businesses working in industries outside of healthcare

At this point, we are anxiously waiting to hear what new improvements will be ushered in with HITRUST r2This will likely take the place of the scheduled CSF version and is slated for release before the end of this year. 

Overview of HITRUST CSF Versions 

Here’s a quick overview of how HITRUST has changed over time and shaped the current risk management and compliance environment. 

HITRUST CSF v8 (2016) 

The updates for HITRUST Version 8 included “a more granular support for cybersecurity, AICPA SOC2 reporting, contextual data de-identification, cloud services, and expanded requirement details.” 

  • It integrates the AICPA’s Trust Principles and Criteria for security, confidentiality and availability. The closer ties to this auditing principle – associated with SOC 2 reporting – makes applying regulations and compliance standards easier for busy IT teams. 
  • It allows for contextual data de-identification when necessary, according to HITRUST De-Identification Framework’s assessment protocol. A set of 12 characteristics help assess controls, risks and potential outcomes to guide IT professionals in data de-identification. 
  • It incorporates CIS CSC protections related to emerging digital security threats, recent cybersecurity guidance from the Precision Medicine Initiative, and key controls from the NIST Cybersecurity Framework. 
  • It has updates to improve practices related to PCI and cloud security. 

HITRUST CSF v9.1 (2018) 

This version introduced substantial modifications with far-reaching implications for businesses working with clients nationally and internationally. 

  • It incorporates standards set by the European Union GDPR and the New York State Cybersecurity Requirements for Financial Services Companies (NY-CRFSC). 

HITRUST CSF v9.2 (2019) 

There are two key changes in this update, and they focus on the shift to an agnostic framework, along with the integration of international regulatory requirements. 

  • It removes healthcare-specific regulatory requirements from all three implementation levels and places them in a different industry control segment. This change ensures that non-healthcare entities are not required to address these particular requirements in their assessment. 
  • For greater clarity, it provides plain-language versions of the EU’s General Data Protection Regulation (GDPR) requirements, as well as Singapore’s Personal Data Protection Act (PDPA). 

HITRUST CSF v9.3 (2020) 

The most recent version went into effect on January 1, 2020. HITRUST CSF v9.3 added new and updated requirements adopted from: 

Are You Ready for the New HITRUST Certification Requirements? 

That’s where I.S. Partners comes in; fill out our contact form for an initial consultation and free estimate. 

Get a Quote Try our Compliance Checker

About The Author

Get Hassle-free Pricing in 3 Easy Steps

Request a quote using the form below
Allow us to create a customized plan
We'll get you an accurate, no-obligation quote
Untitled-1 Asset 1 Request a Quote Background

Request a Quote

Please fill out the form below and one of our compliance specialists will contact you shortly. Want to speak to us now? Call us at (866) 335-6235 or book a meeting with one of our experts.

Request a Quote (Keep)

I.S. Partners is serious about privacy. We will never share your information with third parties. Please read our Privacy Policy for more information.


Great companies think alike!

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Teladoc VeriClaim DentaQuest VisioNet Verifacts Sterling AV Med DOE Legal