Compliance · Certifiable framework

HITRUST CSF — certifiable security for healthcare and beyond

The certification your healthcare customers actually accept.

HITRUST CSF is a certifiable framework that harmonizes dozens of authoritative sources — HIPAA, ISO 27001, NIST, PCI DSS and more — into one prescriptive, scored control set. Because HIPAA has no certification, HITRUST has become the proof health plans, systems, and partners demand from their vendors.

e1 · i1 · r2

Assessment types

40+

Sources harmonized

1–2 yr

Certification validity

How HITRUST certification works

HITRUST is prescriptive where HIPAA is vague — it tells you the control, and it scores how well you actually perform it.

Three assessment types

e1 is the essentials assessment for foundational cyber hygiene. i1 is a moderate, threat-adaptive assessment for leading practices. r2 is the risk-based, tailored assessment — the most rigorous, and the one large healthcare buyers usually mean when they say 'HITRUST certified'.

Scored, not pass/fail

Requirements are scored on maturity — policy, procedure, implementation, and beyond. It isn't enough to do the thing; you must show it's documented, consistently performed, and measured. This is what surprises teams coming from SOC 2.

Inheritance & tailoring

Scope is tailored by your organizational, system, and regulatory risk factors, so the control set fits your environment. You can also inherit controls from certified cloud providers, which meaningfully reduces the work if you're on AWS or Azure.

Who needs HITRUST

Anyone whose customers handle health data — and increasingly, anyone selling into regulated enterprises.

  • Health tech and digital health platforms
  • Business associates serving providers and health plans
  • Payers, TPAs, and claims processors
  • Vendors whose contracts explicitly name HITRUST certification
  • Organizations wanting one certification that covers HIPAA, NIST, and ISO expectations

How intSignal gets you there

We do the readiness, build and run the controls, and support you through the audit — we are not the auditor, and we keep that separation deliberate.

Assessment selection

We help you choose between e1, i1, and r2 honestly — going straight to r2 when a contract demands it, and not when it doesn't.

Scoping in MyCSF

We work the risk factors that determine your requirement set, so your scope is defensible and no larger than it needs to be.

Readiness & gap

We run a readiness assessment against the scored requirements and give you a prioritized, costed remediation plan.

Control implementation

We close gaps across policy, process, and technology — and build the maturity evidence the scoring model actually rewards.

Inheritance

We maximize what you can legitimately inherit from your cloud provider's certification instead of rebuilding it.

External Assessor support

We prepare your evidence, coordinate with your Authorized External Assessor, and manage the validation through to HITRUST's review.

How the engagement runs

1

Choose the assessment

Pick e1, i1, or r2 based on what your customers and contracts actually require.

2

Scope

Set the risk factors and system boundary in MyCSF to generate your requirement set.

3

Readiness

Assess against scored requirements and produce a remediation plan.

4

Remediate

Implement controls and build maturity evidence — policy, procedure, and proof of performance.

5

Validate & certify

Your Authorized External Assessor validates; HITRUST performs quality assurance and issues the certification.

Frequently asked questions

What's the difference between e1, i1, and r2?

e1 covers foundational cyber hygiene and is the lightest entry point. i1 is a moderate-assurance, threat-adaptive assessment aimed at leading security practices. r2 is risk-based and tailored to your environment — the most rigorous and the most widely demanded by large healthcare buyers. e1 and i1 certifications are valid for one year; r2 runs two years with an interim assessment.

Does intSignal issue the HITRUST certification?

No. Validated assessments must be performed by a HITRUST Authorized External Assessor, and HITRUST itself performs quality assurance and issues the certification. intSignal is your readiness and remediation partner — we scope, close the gaps, build the evidence, and manage the process alongside your assessor. We keep that separation clean on purpose.

We already have SOC 2 — do we still need HITRUST?

If your customers are in healthcare, very likely. SOC 2 lets you define your own controls; HITRUST prescribes them and scores your maturity, which is why healthcare buyers trust it as evidence of HIPAA alignment. The good news is that SOC 2 work transfers — we reuse the overlapping controls and evidence rather than starting over.

How long does HITRUST take, and why is it more work than SOC 2?

e1 can move in a few months; i1 typically takes several; r2 commonly runs 9–18 months for a first certification. It's heavier because the scoring model grades maturity — you must show the policy exists, the procedure exists, it's implemented, and it's measured. Documentation that would pass a SOC 2 often scores poorly in HITRUST without that depth.

Can we inherit controls from AWS or Azure?

Yes, and you should. HITRUST supports inheritance from certified service providers, so controls your cloud provider already demonstrates don't have to be rebuilt and re-evidenced by you. Getting inheritance right is one of the biggest levers on cost and timeline — we map it deliberately during scoping.

Is HITRUST only for healthcare?

It started there and that's still where it's mandated most, but the CSF is industry-agnostic and harmonizes ISO, NIST, PCI DSS and others. Organizations outside healthcare adopt it when they want one certifiable framework that answers many regulatory questions at once.

Other frameworks we support

Most of the work transfers. Once controls are mapped and evidenced, a second framework costs a fraction of the first.

HITRUST for your environment

Tell us where you are and who’s asking for it — we’ll come back with scope, gaps, and a realistic timeline.