Skip to content

Get Started

Getting Started with HITRUST

Questions about getting started on your HITRUST journey?
Ryan Patrick, HITRUST's VP of Adoption, breaks down the essential steps in this video. 


Your organization may have been told by a customer or other key stakeholder organization that you need to attain HITRUST certification. You may even be contractually required to get HITRUST certified. Or perhaps your leadership team has decided that it’s important to build trust with your customers, vendors, shareholders, and others by demonstrating that you meet the highest standards in information protection.  Whatever the reason, we are here to help you learn more and get started.

What is HITRUST certification?

HITRUST is an information protection standards organization and certifying body that enables organizations to demonstrate that they are taking the most proactive approach to cybersecurity, data protection, and risk mitigation. Thousands of companies across industries safeguard their sensitive information using the HITRUST framework, assurance program, and assessment tools. HITRUST also helps organizations manage and mitigate cybersecurity threats, address and comply with applicable regulations, and be proactive with risk management.

Why do some organizations require HITRUST certification?

It is of growing importance to organizations that their vendors and others with whom they do business are committed to the most proactive approach to data protection, risk mitigation, and that they adhere to the highest information security standards. Once your organization completes the required certification, HITRUST will be able to electronically share data related to your certification with organizations you designate, streamlining and simplifying information risk management communication.

What assessment do I need?

HITRUST offers three types of certifications, which vary based on levels of assurance. Your organization’s risk profile will dictate which certification we recommend that you pursue. Because each certification builds on a common framework, you may be able to start with a less comprehensive assessment and move up to a more comprehensive one, without losing your work or starting over.

HITRUST Essentials, 1-year (e1) Validated Assessment - The basic e1 is ideal for startups and companies with limited risk, and/or high levels of risk maturity. It also allows for an entry-level validated assessment based on 44 foundational security controls that can be built upon as a step toward attaining the more comprehensive i1 or r2.

HITRUST Implemented, 1-year (i1) Validated Assessment - i1 is a good fit for organizations with robust information security programs already in place, who are ready to demonstrate established practices. It could be good for mid-level organizations and offers a more comprehensive level of assurance than the e1, with more controls in scope. Work done to attain an active i1 certification can be applied toward attaining an r2.  

HITRUST Risk-Based, 2-year (r2) Validated Assessment - r2 is best suited for organizations who need to demonstrate regulatory compliance with authoritative sources like HIPAA, the NIST Cybersecurity Framework, and dozens of others, or who require expanded tailoring of controls, based on other, identified risk factors. It is the most comprehensive and robust assurance offering.

How does my organization benefit from HITRUST certification?

  • Provides assurance to customers, vendors, shareholders, and other third parties that your organization meets the highest standards in information protection
  • Differentiates your organization as a trusted vendor during competitive proposal and contracting reviews
  • Reduces time and resources required to respond to third-party questionnaires
  • Increases awareness of your organization’s relative exposure, inherent risk, current security posture, and the maturity of your information risk management program
  • Could lead to savings on cybersecurity insurance premiums

Who uses, recommends, and accepts HITRUST Certification?

  • 81% of US hospitals and health systems
  • 83% of US health plans
  • 75% of Fortune 20 Companies