New HITRUST Assessments Give Companies More Options for Security Reporting

Contributor
David Mills

Mar 14, 2022

After years of hoping for a simpler data security assessment option, organizations' wishes have finally been granted. On January 1, 2022, HITRUST (formerly known as the Healthcare Information Trust Alliance) introduced two new assessments, giving organizations more flexibility in choosing an information assurance option tailored to their specific needs.

The Gold Standard

HITRUST's Risk-Based, 2-Year Validated Assessment—previously called the CSF Validated Assessment and commonly known as the r2—has been the gold standard for organizations that need to prove their data security is top-notch. However, it is time-consuming, and the number of controls often put it out of reach for entities with less specific security reporting requirements.

For some companies, it remains the best option, as it leads to confirmed compliance with HIPAA regulations and the ISO/IEC 27000 series. The r2 assessment works well for organizations dealing with large amounts of sensitive data and significant regulatory scrutiny, giving those entities the highest level of assurance on their security practices.

The New Assessments

Midsize and smaller organizations in the healthcare industry, as well as entities with less complex data systems, have long desired a less rigorous option, and HITRUST has finally delivered. Its new HITRUST Implemented, 1-Year Validated Assessment (called the i1 for short) takes less time and is significantly simpler than the r2, while still offering a moderate level of assurance and confirmation of best practices.

While less robust in coverage than the r2, the i1 still covers NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, and Health Industry Cybersecurity Practices (HICP). Organizations that balked at the effort and expense of the r2 may take a second look at HITRUST assessments due to the i1 release.

In addition to the i1, HITRUST also debuted its Basic, Current-State Assessment (bC) this year. The bC offers organizations a low-level self-assessment of their security strength at the time of the test. Users of the bC access the HITRUST Assurance Intelligence Engine, which calls out omissions, errors, and potential fraud. The bC works best for smaller entities with simpler structures that generate less data to protect.

The table below offers a breakdown of the three assessment options now available through HITRUST:

HITRUST Assessments	Description	Level of Assurance	Coverage
R2 - Risk-Based, 2-Year Validated Assessment	Established gold-standard; validated assessment and risk-based certification	High	NIST SP 800-53, HIPAA, FedRAMP, NIST CSF, AICPA TSC, PCI DSS, GDPR, and 37 others
I1 - Implemented, 1-Year Validated Assessment	NEW; validated assessment and certification	Moderate	NIST SP 800-171, HIPAA Security Rule, GLBA Safeguards Rule, U.S. Department of Labor EBSA Cybersecurity Program Best Practices, HICP
BC - Basic, Current-State Assessment	NEW; self-assessment	Low	NISTIR 7621

HITRUST Assessments

At CRI, our professionals recognize how important it is to assure clients that their data will be kept safe and secure. We can help you find the security assessment that works best for your organization and be there throughout the assessment process. To learn more about HITRUST's assessments and CRI's IT audit services, get in touch with us today!

New HITRUST Assessments Give Companies More Options for Security Reporting

Mar 14, 2022

The Gold Standard

The New Assessments

HITRUST Assessments

Relevant insights

Harvesting Value: The Role of Bonus Depreciation in Enhancing Agricultural Investments

BSA/AML Model Validation: Understanding Expectations and Balancing Reality

At Long Last, GASB Approves Financial Reporting Model Improvements

To Lobby or Not to Lobby: Understanding Your Association’s Rights

Taxable Advertising or Nontaxable Sponsorship?

After the Standards: A Guide to Everything Else in a GASB...

Enhance Your Technology Tool Kit for Improved Productivity

Essential Governance Policies for Effective Associations

Avoid the Shock of a Surprise Tax Bill

It Figures Podcast: S5:E1 – CECL Lessons Learned and Opportunities Ahead

What Is an Internal Audit and Can It Benefit Your Organization?

Don’t Jeopardize Your S Corporation Status

The Critical Role of SOC Reports in Nonprofit Operations

GASB Pronouncement Effective Dates: Post-GASB 95 Revisions

Treasury Urges Congress to Settle 831(b) Captives Issue

Federal Deposit Insurance Corporation Improvement Act (FDICIA) Requirements

Understanding the New Employee vs. Independent Contractor Classifications

Global Internal Audit Standards Resource

Inheritance Unplanned: The Unexpected Impact of Taxes on Families

How Should School Districts Report Charter Schools?

Resource: Identifying and Reporting Charter Schools as Component Units

Are Charter Schools Component Units?

IRS Continues Pursuit of 831(b) Micro-captives in Tax Court Wins

Governmental Accounting & Auditing Omnibus

The Importance of Diversifying Your Customer Base

Discovering Your Business’ Value

Are Your Social Security Benefits Subject to IRS Taxation?

From Red Carpets to Tax Returns: The Versatile Roles of Accounting...

Pooled Income Funds Benefit Both Donor and Charity

Understanding the Implications of the House Committee’s Tax-Exempt Review

Introduction to the Global Internal Audit Standards

How Have Fraud Risks Changed?

5 Things to Remember About Substantiating Charitable Donations

Stay Vigilant to Reduce the Risk of Occupational Fraud

Crafting an Effective Nonprofit Document Retention Strategy

Ensuring Financial Integrity in Church Operations

Nine Questions About GASB Statement 102 on Risk Disclosures

State Tax Considerations for Insurance Companies

How to Be Prepared With a Business Continuity Plan

Real-Time Results: How Dashboards Can Help You Move Your Small Business...

Demystifying Deferrals: Illuminating the Intricacies of State and Local Government Accounting...

Key Discount Factors for 2023 Unpaid Losses in Insurance Companies

Fundamentals of Business Valuation: The Income Approach

Fundamentals of Business Valuation: The Market Approach

Optimizing Tax Benefits in Multi-Family Properties with Cost Segregation

Fundamentals of Business Valuation: The Asset Approach

2024 Cost of Living Adjustments Resource

IRS Issues Standard Mileage Rates for 2024

Loan Modifications Quick Reference Guide

Beneficial Ownership Reporting FAQs

New Beneficial Ownership Reporting Rules for Small Business

More Tips for Translating GASB Standards into English

Recent IRS Update: Postponement of Form 1099-K Reporting Threshold

Don’t Get Ready for Fiscal Year-End. Stay Ready.

Why Should You Consider a Sample Credit Card Agreement?

Key Insights for Employers on the Employee Retention Credit

Adapting to the IRS’s Electronic Filing Requirements

Help Your Business Finish Strong with These 10 Year-End Tasks

Faithful Finances: Crafting Credit Card Policies for Religious Organizations

Understanding the Hospitality Industry Audit Process

Unlocking the Value of Your Business, Part II: Post-Sale Considerations

Unlocking the Value of Your Business, Part I: Pre-Sale Considerations

5 Savvy Black Friday Shopping Tips to Put In Your Bag

EV Tax Credit Eligibility Flow Chart

Energy Tax Credits Table

QBI Deduction Flow Chart

Tax Implications of Debt and Equity Financing

Ensuring Franchise Success through CPA Expertise

Tax Alert: IRS Releases 2024 Inflation Adjustment

Financial Institutions – Year-End Accounting and Risk Management Update

How Does Industry Affect Fraud Risk?

You, Too, Can Set Accounting Standards

Networking for a Cause: Utilizing LinkedIn for Nonprofit Success

Cost-Effective Fraud Protection

Discovering Your Business’ Value  