What Are the New HITRUST bC and i1 Assessments?

What is FedRAMP and Why Does My Organization Need It?

HITRUST certification just got quicker, more affordable, and less complex. Learn more about HITRUST i1 and why it could be a gamechanger for your organization.

The HITRUST Alliance has announced the HITRUST Basic Current State (bC) Assessment and the HITRUST Implemented One-Year (i1) Assessment, two new additions to their portfolio of assessment services that will be released at the end of 2021. While the names bC and i1 may call to mind sleek sports cars or high-powered computer chips, they actually won’t add on a host of new features or added complexity.

In fact, it’s what’s not included in these assessments when compared to the standard HITRUST Risk-Based, Two-Year (r2) Assessment (formerly known as the HITRUST CSF Validated Assessment) that makes them appealing. HITRUST i1, in particular, will be a game-changer for compliance. Before you can decide if either of these new assessments are a good fit for your organization, let’s take a look at what they are and how they compare to HITRUST r2.


HITRUST bC is essentially a refreshed version of the HITRUST self-assessment that has been around for several years. Much like the other assessments in the HITRUST portfolio, it leverages the HITRUST Assurance Intelligence Engine™ (AI Engine) to “identify errors, omissions, and deceit.” The 71 static controls covered by this “good hygiene” assessment are grounded in the National Institute of Standards and Technology Internal Report (NISTIR) 7621: Small Business Information Security Fundamentals.

You may be wondering if your organization should pursue this self-assessment, which does not result in certification. One reason why you might investigate HITRUST bC is if you are contractually obligated to obtain i1 or r2 certification several years down the line, and you want to get a feel for some of the baseline controls that will be involved. Or, perhaps your business partner stipulates in a contract a timeline toward HITRUST certification that describes an initial first step as taking the self-assessment within six months.

While HITRUST bC could potentially prove useful in these scenarios, it’s important that you first talk with an external assessor firm to receive more guidance on the most efficient path to certification.

What Is HITRUST i1?

HITRUST i1 is a leaner version of the current HITRUST CSF Validated Assessment (rebranded r2) that is cheaper and easier to pass — yes, you read that correctly. HITRUST r2 assessments provide an extremely high level of assurance due to their extensive control requirements and program demands, but such a comprehensive security framework is not always necessary for every organization.

A HITRUST r2 assessment evaluates each security control against all five levels of the HITRUST maturity model:

  • Policy – Are security expectations clearly documented, communicated, and approved by key stakeholders?
  • Procedures – Are the operational elements of each control clearly defined and documented?
  • Implemented – Is each control in the correct place and is it operating as it should?
  • Measured – Is there a way for the organization to continuously monitor the control and determine when it isn’t operating correctly?
  • Managed – Is the organization effectively responding to identified risks and taking action to address any problem areas?

A HITRUST i1 assessment, on the other hand, only tests the “implemented” maturity level from the list above. For this reason, HITRUST i1 requires less exertion and cost than the r2 assessment that most organizations are familiar with. Don’t let this fool you though; HITRUST i1 still lives up to the supreme quality standard for which HITRUST is known.

Similar to HITRUST r2, HITRUST i1 can be done either as a “readiness” assessment (results in a readiness report) or a “validated” assessment (results in a HITRUST validated report and, if scoring requirements are met, official certification). I recommend the majority of organizations start with a readiness assessment. This will help identify gaps and take steps toward remediation before pursuing the validated assessment.

Much like a validated HITRUST r2 assessment, a validated HITRUST i1 assessment must go through a thorough quality assurance review conducted by the HITRUST organization’s QA team before the certification is issued. Some compliance experts believe this rigorous QA process makes HITRUST i1 equally or even more reliable than other security assessments with similar objectives, such as SOC 2 or ISO 27001.

Key Differences Between HITRUST i1 and HITRUST r2

Now that you have an idea of the ways in which HITRUST i1 and HITRUST r2 are similar, let’s take a look at some of the key differences that separate the two.

Fewer control requirements – Featuring approximately 200 controls targeting NIST 800-171 and the HIPAA Security Rule, HITRUST i1 contains fewer control requirements than the average of 360 (out of a possible 2,000+) involved with HITRUST r2.

Static control requirements – For HITRUST r2, the actual number of individual control requirements an organization must implement depends on the applicability of control specifications, among other factors. With HITRUST i1, there is a fixed set of requirements, which makes comparison across reports much easier.

Evaluation approach – The HITRUST i1 will only be a test of the Implemented maturity level while the HITRUST r2 will be a test of the Policy, Process and Implemented maturities at minimum with Measured and Managed maturities optional.

One year certification duration – A HITRUST i1 certification is valid for one year; the HITRUST r2 certification is valid for two years.

These are the primary factors that make HITRUST i1 easier and more affordable than HITRUST r2 without sacrificing reliability.

Who Should Pursue HITRUST i1 Certification?

Now that you understand the biggest differentiators between HITRUST i1 and HITRUST r2, let’s take a look at a few scenarios that demonstrate an ideal use case for the i1 certification.

The healthcare industry is vast and varied. Several years ago, every major healthcare payer began requiring every organization involved in their supply chain to obtain HITRUST certification. The cost and effort associated with HITRUST r2 certification have been a burden for some organizations, especially smaller, less digitally-oriented organizations that don’t pose high levels of risk.

For example, imagine a printing company that is technically involved in the supply chain of a major payer, but their involvement is completely limited to printing Explanation of Benefits (EOB) letters. They don’t use cloud-based services and their digital footprint is very small. Because of their comparatively low level of security risk, a HITRUST r2 certification is time-consuming and expensive for the limited benefit the organization would receive. Instead, this type of organization would be a perfect candidate for HITRUST i1 certification.

I predict that HITRUST i1 will quickly be recognized as a trustworthy assessment that delivers a high level of reliability and consistency. Of course, some payers may update the language of their contracts to mandate HITRUST r2 and many large, household names like AWS will stick with this existing certification because they want to prove the highest level of cybersecurity excellence. That being said, I think a significant number of organizations that currently hold or are pursuing r2 certification will switch over to HITRUST i1, and many payers will embrace this new assessment, as well.

Lastly, there are organizations that want (or need) to eventually obtain HITRUST r2 certification, but they are starting from a place of low control maturity. HITRUST i1 would be a great stepping stone for them to quickly and affordably achieve moderate security assurance before moving on to the undertaking of HITRUST r2.

Key Takeaways

If your organization is part of the healthcare supply chain and is required to be HITRUST certified, HITRUST i1 presents an appealing way to prove that you have the proper security controls in place. After all, not every organization needs to deliver the extremely high level of information protection assurance involved with HITRUST r2.

As an experienced and certified HITRUST Assessor firm, A-LIGN can help guide your organization along the path to accelerated HITRUST certification.

Learn More

If you have any questions or if you would like to learn more about undergoing a cybersecurity or compliance assessment, please reach out to one of A-LIGN’s experienced assessors today.