Compliance · Certifiable framework
The certification your healthcare customers actually accept.
HITRUST CSF is a certifiable framework that harmonizes dozens of authoritative sources — HIPAA, ISO 27001, NIST, PCI DSS and more — into one prescriptive, scored control set. Because HIPAA has no certification, HITRUST has become the proof health plans, systems, and partners demand from their vendors.
e1 · i1 · r2
Assessment types
40+
Sources harmonized
1–2 yr
Certification validity
HITRUST is prescriptive where HIPAA is vague — it tells you the control, and it scores how well you actually perform it.
e1 is the essentials assessment for foundational cyber hygiene. i1 is a moderate, threat-adaptive assessment for leading practices. r2 is the risk-based, tailored assessment — the most rigorous, and the one large healthcare buyers usually mean when they say 'HITRUST certified'.
Requirements are scored on maturity — policy, procedure, implementation, and beyond. It isn't enough to do the thing; you must show it's documented, consistently performed, and measured. This is what surprises teams coming from SOC 2.
Scope is tailored by your organizational, system, and regulatory risk factors, so the control set fits your environment. You can also inherit controls from certified cloud providers, which meaningfully reduces the work if you're on AWS or Azure.
Anyone whose customers handle health data — and increasingly, anyone selling into regulated enterprises.
We do the readiness, build and run the controls, and support you through the audit — we are not the auditor, and we keep that separation deliberate.
We help you choose between e1, i1, and r2 honestly — going straight to r2 when a contract demands it, and not when it doesn't.
We work the risk factors that determine your requirement set, so your scope is defensible and no larger than it needs to be.
We run a readiness assessment against the scored requirements and give you a prioritized, costed remediation plan.
We close gaps across policy, process, and technology — and build the maturity evidence the scoring model actually rewards.
We maximize what you can legitimately inherit from your cloud provider's certification instead of rebuilding it.
We prepare your evidence, coordinate with your Authorized External Assessor, and manage the validation through to HITRUST's review.
Pick e1, i1, or r2 based on what your customers and contracts actually require.
Set the risk factors and system boundary in MyCSF to generate your requirement set.
Assess against scored requirements and produce a remediation plan.
Implement controls and build maturity evidence — policy, procedure, and proof of performance.
Your Authorized External Assessor validates; HITRUST performs quality assurance and issues the certification.
e1 covers foundational cyber hygiene and is the lightest entry point. i1 is a moderate-assurance, threat-adaptive assessment aimed at leading security practices. r2 is risk-based and tailored to your environment — the most rigorous and the most widely demanded by large healthcare buyers. e1 and i1 certifications are valid for one year; r2 runs two years with an interim assessment.
No. Validated assessments must be performed by a HITRUST Authorized External Assessor, and HITRUST itself performs quality assurance and issues the certification. intSignal is your readiness and remediation partner — we scope, close the gaps, build the evidence, and manage the process alongside your assessor. We keep that separation clean on purpose.
If your customers are in healthcare, very likely. SOC 2 lets you define your own controls; HITRUST prescribes them and scores your maturity, which is why healthcare buyers trust it as evidence of HIPAA alignment. The good news is that SOC 2 work transfers — we reuse the overlapping controls and evidence rather than starting over.
e1 can move in a few months; i1 typically takes several; r2 commonly runs 9–18 months for a first certification. It's heavier because the scoring model grades maturity — you must show the policy exists, the procedure exists, it's implemented, and it's measured. Documentation that would pass a SOC 2 often scores poorly in HITRUST without that depth.
Yes, and you should. HITRUST supports inheritance from certified service providers, so controls your cloud provider already demonstrates don't have to be rebuilt and re-evidenced by you. Getting inheritance right is one of the biggest levers on cost and timeline — we map it deliberately during scoping.
It started there and that's still where it's mandated most, but the CSF is industry-agnostic and harmonizes ISO, NIST, PCI DSS and others. Organizations outside healthcare adopt it when they want one certifiable framework that answers many regulatory questions at once.
Most of the work transfers. Once controls are mapped and evidenced, a second framework costs a fraction of the first.
Tell us where you are and who’s asking for it — we’ll come back with scope, gaps, and a realistic timeline.