Once focused on cybersecurity within the healthcare industry, HITRUST is quickly becoming the most sought-after and comprehensive security framework across many sectors.

HITRUST was once considered by many small and medium-sized businesses to be out of reach due to an exorbitant price tag. But HITRUST is evolving. There are new cost-effective options that small and medium-sized companies can leverage to increase their transparency, integrity, and reliability.

Maybe you have a client or prospect who requires HITRUST certification in order to continue or to begin building a business relationship. Or perhaps you’re wondering what HITRUST certification involves and whether it’s worth all the effort.

If you’re a decision-maker for one of the many companies wondering, “Should I be getting HITRUST certification?” we’ve written this article for you.

Key Takeaways

  • Not every organization needs the extremely high level of assurance and data protection associated with HITRUST’s most expensive assessment option.
  • HITRUST’s new assessment options present small and medium-sized organizations with a cost-effective opportunity to prove they have the proper security controls in place.


Founded in 2007, HITRUST Alliance is a privately held company that has established a cybersecurity framework that now enables companies across many industries to mitigate and manage risks associated with data, information, and compliance.

With HITRUST, processes are “normalized,” enabling companies and vendors to speak the same language while meeting the requirements of multiple compliance initiatives, managing risk, and improving data protection.

Although the acronym originally stood for “Health Information Trust Alliance,” the company now calls itself “industry-agnostic.”

The Original HITRUST Assessment

The original version of HITRUST included a predetermined set of requirements (based on your size, records, transactions, and other risk factors) to assess your organization. You would audit against all applicable requirements prescribed by HITRUST in order to achieve certification.

It wouldn’t be uncommon to have hundreds of requirements that would each need detailed evidence to demonstrate compliance.

For this reason, HITRUST certification costs have always been a concern.

The costs add up quickly – from dedicating internal resources and purchasing a HITRUST’s MyCSF® subscription option to the hidden costs associated with discovering you don’t own the proper equipment to comply with a certain requirement (and then needing to purchase said equipment).

HITRUST Changes: What You Need to Know

To provide varying degrees of assurance based on an organization’s specific needs, HITRUST rolled out some changes in 2021.

Fast forward to 2022:

  • HITRUST now offers two new assessment options. In addition to helping organizations determine control efficacy, the solutions support companies with cyber preparedness and resilience.
  • HITRUST has released a new HITRUST CSF® version, also known as the HITRUST Risk-based, 2-year (r2) Validated assessment. The r2 caters to situations associated with high-risk exposure concerning data quantities, regulatory compliance, or other risk considerations.


Source: https://hitrustalliance.net/product-tool/hitrust-assessments/

What These Changes Mean for You

The names bC and i1 may sound overly technical, but the new options don’t actually add a long list of new features or complexity. What these options don’t include is what’s important.

For small- and medium-sized businesses, these changes could mean a more cost-effective way to develop and implement practices that can secure sensitive data and comply with regulatory requirements.

We see many small- and medium-sized organizations shying away from the r2 validated assessment due to the high cost, which can be upwards of $100K. Now, smaller companies can benefit from HITRUST Basic or HITRUST Implemented.

Additional Benefits of the New HITRUST Assessment Options

With its proven and consistent reputation, a HITRUST assessment is like a stamp of approval that your organization knows how to handle data.

If your organization plays in the healthcare field, HITRUST is well known and highly regarded. Plus, the assessment provides provable HIPAA compliance.

In addition to ensuring that your organization is compliant with multiple regulations, an assessment advertises that compliance. This can attract customers who have elevated concerns about protecting sensitive data.

More and more contracts and Requests for Proposals are now requiring HITRUST assessments. So take care of it now, and you’ll be glad you did later.

Frequently Asked Questions about HITRUST

What is HITRUST bC?

A tuned-up remix of the original HITRUST self-assessment, the bC leverages the HITRUST Assurance Intelligence Engine™ (AI Engine) to “identify errors, omissions, and deceit.” 71 static controls are tested during what many call a “good hygiene assessment.”

What is HITRUST i1?

Essentially a leaner version of the current r2, the i1 is less expensive and more manageable. 200 controls are tested in this option.

Here’s the thing: the program demands and the rigorous control requirements of the r2 provide an unusually high level of assurance. But such an extensive security framework isn’t necessary for every organization.

Which one is right for my organization?

Pros of HITRUST bC

  • Although the bC does not result in certification, you might want the bC if it’s likely you’ll be contractually obligated to get the i1 or the r2 certification in the future.
  • By pursuing the bC self-assessment, you’ll understand the baseline controls involved in the process.
  • An external assessor firm can provide guidance and drive efficiency for you as you pave the road toward certification.

Pros of HITRUST i1

  • The i1 can take the form of a “readiness” assessment, which produces a readiness report. Starting here can help organizations identify and remedy any gaps before moving on to the next option, the validated assessment.
  • The i1 can also be performed as a “validated” assessment, produce a HITRUST validated report, and lead to official certification.
  • Because a validated i1 must undergo a rigorous quality assurance review performed by HITRUST’s QA team, some compliance experts have said this makes the i1 equally — or in some cases more — reliable than other security assessments like ISO 27001 or SOC 2.

Learn More

PBMares leverages a streamlined methodology to assist small and medium-sized companies as they deploy cyber risk programs that align with HITRUST certification requirements.

Our services help you gain clarity about HITRUST, so you minimize time, resources, and money spent as you manage compliance and generate a return on this investment with new marketable services.

Contact a specialist in HITRUST certification today.