HITRUST certification explained: e1, i1, r2, and the honest cost
HITRUST certification primer for SaaS founders: what the CSF is, the e1/i1/r2 levels, who issues the certificate, and how it maps to HIPAA and SOC 2.
Dev Agarwal, CPA · Licensed CPA · Founder
A hospital procurement team sends you a security questionnaire with one line at the top: "Please attach your current HITRUST certification." You have a SOC 2 Type II, a signed BAA, and a HIPAA risk analysis. None of that is what they asked for.
HITRUST is the framework US healthcare buyers ask for when SOC 2 and a HIPAA program are not enough. This post walks through what HITRUST actually is, the three assessment levels, who issues the certificate, and when spending on it is worth it versus when a well-scoped SOC 2 plus HIPAA program will get the deal done.
What HITRUST is
HITRUST is a framework maintained by the HITRUST Alliance, a private organization. The framework itself is the HITRUST CSF, short for Common Security Framework. Per the HITRUST CSF overview, the CSF is a threat-adaptive control library that harmonizes 60+ authoritative sources — HIPAA, NIST 800-53 and the Cybersecurity Framework, ISO 27001, PCI DSS, GDPR, and several state privacy laws — into a single set of controls with prescriptive implementation requirements.
The selling point is the harmonization. Instead of mapping HIPAA safeguards against ISO Annex A against NIST controls yourself, the CSF has done the crosswalk. A HITRUST certification is the Alliance's attestation that your environment meets the CSF requirements at a given assurance level.
Who issues a HITRUST certification
This is the part most vendors gloss over, so here is the direct answer.
Your HITRUST certificate is not issued by HITRUST and it is not issued by your CPA firm. It is issued by a HITRUST-authorized External Assessor firm that performs the validated assessment and submits it through the MyCSF platform to HITRUST for quality assurance and certification under the HITRUST Assurance Program. HITRUST then issues the letter.
SecurancePro is not a HITRUST-authorized External Assessor. We perform SOC 1, SOC 2, and SOC 3 attestations. We can help a client prepare for a HITRUST assessment, build the control library, map evidence across HIPAA and SOC 2 and the CSF, and coordinate with the External Assessor your buyer accepts. The validated assessment itself goes to an authorized firm.
If a single vendor offers to be your HITRUST consultant, assessor, and certificate issuer, ask which of those three hats they are actually authorized to wear.
The three assessment types: e1, i1, r2
HITRUST used to ship one heavy assessment. It now ships three, stacked by depth and duration. Picking the right one is the most consequential decision you will make in the program.
e1 (Essentials, 1-year). A foundational cybersecurity assessment with 44 controls focused on essential cyber hygiene. One-year certification. Designed for lower-risk vendors or as an on-ramp for companies new to HITRUST. The cheapest and fastest of the three levels, and also the newest.
i1 (Implemented, 1-year). A leading-practices assessment with roughly 180 controls, certifying that your program is implemented and operating. One-year certification. The middle tier. Many mid-market healthcare SaaS vendors land here because it satisfies most procurement asks without the r2 price tag.
r2 (Risk-based, 2-year). The full validated assessment. Controls are tailored to your organization's risk factors (regulatory scope, data volume, geography, technology), which typically produces 300 to 500+ controls in scope. Two-year certification with a mandatory interim assessment at month 12. This is what large health systems and payers mean when they say "HITRUST certified" without qualification.
A reasonable path for a growing vendor: e1 in year one to get something on paper, i1 in year two, r2 when a specific buyer requires it and the revenue justifies the effort.
How HITRUST maps to HIPAA
HIPAA is federal law. HITRUST is a private framework. HIPAA does not require HITRUST, and no federal regulator treats HITRUST as a safe harbor. What HITRUST does is give you a prescriptive, testable control set that, if operated and certified, is widely accepted by healthcare buyers as a way to demonstrate that your HIPAA Security Rule program is real.
The r2 assessment in particular maps every applicable HIPAA Security Rule requirement to one or more HITRUST controls, with implementation specifications that are more prescriptive than the rule itself. A clean r2 report is effectively a third-party attestation over your HIPAA Security Rule posture, which is useful precisely because the HHS Office for Civil Rights (OCR) does not certify anyone and HHS does not run a HIPAA stamp program.
None of this is legally required. It is commercially required when a specific buyer asks for it, and not otherwise. Plenty of healthcare SaaS companies sell into hospitals on a SOC 2 plus a documented HIPAA program and never touch HITRUST. See HIPAA compliance for SaaS for the baseline program that every BA should have in place first.
How HITRUST relates to SOC 2
Control overlap between the HITRUST CSF and the SOC 2 compliance requirements is high. Access control, encryption, change management, incident response, vendor oversight, logging, and business continuity all appear in both. The tests are shaped differently but the evidence is largely the same.
HITRUST and the AICPA publish guidance for combined reports, sometimes called HITRUST-inclusive SOC 2 assessments, where a single engagement produces a SOC 2 report and the HITRUST validated assessment submission in parallel. The External Assessor has to be both HITRUST authorized and a CPA firm capable of issuing the SOC 2 opinion. Several large firms offer this; smaller specialized firms do not.
If you are running both programs, insist that the control library, evidence repository, and testing calendar are shared. Teams that run SOC 2 and HITRUST as separate projects with separate auditors pay roughly double for the same evidence. The comparison in SOC 2 vs ISO 27001 applies here in the same shape: one evidence library, two outputs.
When HITRUST is worth the cost
A short test. HITRUST is worth the cost when:
- Your target buyers are US hospitals, health systems, or payers.
- Those buyers have explicitly asked for HITRUST certification in an RFP, questionnaire, or MSA redline.
- The deal value or pipeline justifies a six- to seven-figure program.
If any of those three is missing, a well-scoped SOC 2 Type II plus a documented HIPAA program is usually the right answer. Most healthcare SaaS companies below roughly $20M ARR do not need HITRUST. The ones that do usually know it because a specific named customer is holding up a contract.
European buyers almost never ask for HITRUST. If you sell internationally, ISO 27001 certification is the equivalent commercial ask.
Timeline and cost reality
An r2 engagement, from kickoff to certification letter, typically runs nine to fifteen months for a company that does not already have a mature control library. Break it down roughly like this: two to four months of readiness and remediation, three to six months of validated fieldwork with the External Assessor, and two to three months of HITRUST's own QA and certification review.
Costs vary widely. As a rough order of magnitude, r2 programs for a mid-market SaaS company commonly run a material multiple of what a SOC 2 Type II costs at the same company, with readiness, tooling, and the External Assessor's fees all contributing. i1 is cheaper and faster, e1 cheaper and faster again. Budget the External Assessor fee, the HITRUST subscription and report fees, and the internal time to build and maintain the program. Plan for the interim assessment at month 12 of the r2 cycle, not just the initial.
This is why you do not start a HITRUST program on spec. You start it when a buyer's contract is contingent on it, or when your ideal customer profile (ICP) has uniformly moved to requiring it.
What to do if your buyer demands HITRUST
Before you sign anything:
1. Confirm which level they actually need. Buyers often ask for "HITRUST" and accept e1 or i1 when pressed. An r2 is not always the requirement.
2. Ask whether they accept a HITRUST-inclusive SOC 2. If they do, you get two reports out of one engagement.
3. Shortlist two or three HITRUST-authorized External Assessors. Get quotes and sample work plans. The assessor market is small; the price variance is not.
4. Do a readiness pass before you contract the External Assessor. Finding a gap in readiness costs a fraction of finding the same gap during validated fieldwork.
5. Map every HITRUST control to your existing SOC 2 and HIPAA evidence before kickoff. The overlap is high and you should not collect the same artifact three times.
See the homepage services section for what we do and do not cover. If HITRUST is the blocker on a specific deal, we can help with steps 1, 3, 4, and 5.
If a healthcare buyer is asking for HITRUST and you are trying to figure out whether you need r2 or whether your SOC 2 will do, get in touch. We do not issue HITRUST certificates, and we will tell you honestly when paying for one is the right call.