Is HITRUST i1 the right fit for my organization?

HITRUST High Growth Tech Blog

What is HITRUST i1?

The HITRUST i1 Assessment is an Implemented One-Year Validated Assessment, aligned to be fully included in an r2 assessment as part of a HITRUST compliance program roadmap. The i1 Validated Assessment is best suited for organizations that need a moderate level of information security assurance.

The i1 Validated assessment has 182 Pre-Set Requirement Statements across 19 security and privacy domains. The assessment covers a 1-year period and with eligibility only requires a Rapid Recertification of ~60 Requirement Statements in Year 2. The assessment measures the implementation of controls with light reliance on policies and processes.

The HITRUST i1 controls are based on NITST SP 800=171, HIPAA Security Rule, and HICP. This Assessment type was released by HITRUST Assurance Program in early 2022, and the latest version is v11. HITRUST Alliance describes three use cases for an i1 assessment, including a Final Destination Certification, a Stepping-Stone to r2, or for third-party risk management.


HITRUST i1 Assessment Overview

A HITRUST assessment is a comprehensive evaluation of an organization’s information security controls and practices. It is based on the HITRUST CSF framework, which is a set of security controls and requirements specifically designed for healthcare organizations. There are no significant differences in the overall process of becoming HITRUST certified for i1 versus other HITRUST certification offerings. The primary difference is discussed above with the number of fixed requirements and the length of certification.

The HITRUST assessment process typically involves the following steps: 

Who should get HITRUST i1 certified?

HITRUST certification is typically pursued by organizations in the healthcare industry that handle sensitive health information. This includes healthcare providers, health plans, healthcare clearinghouses, and business associates (including healthcare technology software companies) that handle or have access to protected health information (PHI).

While the HITRUST framework was initially designed for the healthcare industry, it can also be beneficial for companies outside the healthcare space. The HITRUST i1 provides a comprehensive and fixed set of security controls and requirements (182 Requirement Statements) that can be leveraged by any organization looking to enhance and certify their data protection and security practices.

Here are some reasons why companies outside the healthcare space may find value in pursuing HITRUST certification:

  1. Strong Security Framework: Based on various industry-recognized security standards and frameworks.
  2. Regulatory Alignment: Incorporates multiple regulatory requirements, including HIPAA, FFIEC and GDPR.
  3. Third-Party Assurance: Provides a level of assurance to customers, partners, and stakeholders that an organization has implemented appropriate security measures.
  4. Risk Management: Helps organizations identify and mitigate security risks more effectively.
  5. Competitive Advantage: Attaining HITRUST certification can serve as a competitive differentiator for companies operating outside the healthcare space. It demonstrates a commitment to data protection and security, which can be appealing to customers and partners.

However, it’s important to note that the HITRUST framework has been specifically tailored for the healthcare industry. While it can be adapted to other sectors, organizations outside healthcare may need to consider the applicability and relevance of certain requirements within their specific context.

If a company outside the healthcare space is considering pursuing HITRUST i1 certification, it’s advisable to engage with a HITRUST assessor or consulting firm such as risk3sixty to assess the framework’s suitability and tailor it to their industry and organizational needs.

Share to


Share to

Like our content? Subscribe and stay informed.