Someone on your team just flagged it. A prospect, a partner, or a new enterprise customer has asked for HITRUST certification. Maybe the ask was vague — "we require HITRUST" — or maybe it was specific: "we need your R2 certificate before we can proceed."
Either way, you're now in the position of deciding: which tier?
This post gives you the full picture: what each assessment level actually measures, what it costs, how long it takes, and — critically — which types of buyers, regulators, and industries are asking for each one. By the end, you'll know which tier fits your situation and what the upgrade path looks like if you need to grow into a higher level later.
The Three HITRUST Tiers: What They're Actually Testing
The HITRUST CSF (Common Security Framework) offers three assessment types, each representing a meaningfully different standard of rigor:
| | E1 — Essentials | I1 — Implemented | R2 — Risk-Based |
|---|---|---|---|
| Controls | ~44 | ~182 | 200+ (scoped to your environment) |
| What it tests | Foundational cyber hygiene | Active implementation of security practices | Risk-based maturity across 19 domains |
| Assessment duration | 2–4 weeks | 6–10 weeks | 14–22 weeks |
| Total timeline (first cert) | 1–2 months | 3–5 months | 8–14 months |
| Certificate validity | 1 year | 1 year | 2 years |
| Interim assessment | None | None | At month 12 (~60 controls retested) |
| External assessor required | Yes | Yes | Yes |
| Cost (assessment + remediation) | $25,000–$60,000 | $65,000–$120,000 | $150,000–$350,000+ |
| Framework mappings | Basic | HIPAA, NIST CSF, ISO 27001 (partial) | HIPAA, NIST 800-53, ISO 27001, PCI DSS, GDPR, SOC 2, FedRAMP, 40+ others |
One important nuance: these costs include the assessor fees and a realistic estimate of remediation effort for a first-time certification. A company with SOC 2 Type II already in place, strong identity infrastructure, and an active incident response program will land toward the lower end of each range. Starting from scratch lands toward the upper end.
E1: What It Is and Who Actually Asks for It
E1 is HITRUST's foundational tier. The 44 controls cover the non-negotiable basics: multi-factor authentication, endpoint protection, patch management, access controls, incident response, and a handful of others that represent table-stakes hygiene.
E1 was introduced in 2021 specifically because the industry needed a fast, low-cost on-ramp for vendors who weren't yet ready for the full assessment but whose customers needed some validated baseline.
Who asks for E1?
- Mid-market SaaS companies running vendor security reviews — procurement teams at companies with 200–2,000 employees that have started formalizing their vendor risk programs often ask for E1 as a minimum threshold.
- Regional health systems doing light vendor assessments — smaller community hospitals and physician group networks increasingly use E1 as a baseline check before contracting with digital health vendors.
- Insurance carriers doing annual vendor recertification — some carriers have shifted their vendor security questionnaires to accept E1 in place of a full security review for lower-risk vendors.
- State and local government contractors — some state agencies, especially in healthcare administration and benefits management, accept E1 for lower-risk system integrations.
The honest E1 verdict
E1 is useful in two scenarios. First, you genuinely need to get something in hand quickly while a larger deal is moving through procurement. Second, your product has limited data scope — you're a workflow tool that touches some regulated data but isn't the system of record — and E1 accurately reflects your risk surface.
What E1 is not: a stepping stone most companies actually use. In practice, many organizations that could start at E1 skip it and go straight to I1. The incremental cost isn't large enough to justify a second assessment cycle, and most enterprise buyers who care about HITRUST want to see I1 or R2 anyway.
I1: What It Is and Who Actually Asks for It
I1 tests 182 controls across the same 19 domains as R2. The key word is implemented — the assessment isn't asking whether you have a policy, it's asking whether the control is actively operating in your environment. I1 also includes threat-adaptive requirements: HITRUST updates the I1 control set quarterly based on the current threat landscape, which means certification isn't a static achievement.
For most growing companies in regulated industries, I1 is the practical entry point to serious HITRUST compliance.
Who asks for I1?
- Regional and national health insurers and payers — Blue Cross / Blue Shield regional plans, Medicaid managed care organizations, and regional insurance carriers commonly specify I1 as the minimum for digital health vendors handling PHI.
- Mid-market digital health companies — Companies in the 100–1,000 employee range that are selling into hospital procurement and revenue-cycle management buyers encounter I1 requirements regularly.
- Financial services companies with HIPAA-adjacent data — Benefits administrators, FSA/HSA platforms, and health-focused fintech companies frequently face I1 requirements from their insurance and employer partners.
- Life sciences and clinical research organizations — CROs, site management organizations, and specialty pharma vendors managing trial data increasingly encounter I1 as a partner requirement.
- State behavioral health and substance use disorder programs — Federal and state behavioral health contracts (42 CFR Part 2 and HIPAA together) have elevated the security bar; I1 satisfies most of these requirements.
- Government health IT contractors at the state level — Medicaid management information systems (MMIS) vendors and state health exchange contractors commonly face I1 requirements.
The honest I1 verdict
I1 is the right answer for the majority of growth-stage companies that have been asked for HITRUST by a meaningful customer. The 182-control scope is real work — but it's achievable in 3–5 months with the right tooling, and the certification satisfies most regulated-industry procurement requirements below the major national payer and federal contractor tier.
The threat-adaptive updates are worth understanding. Unlike E1 and R2, the I1 control set changes quarterly. That means you're maintaining a living program, not a snapshot. Companies that automate evidence collection adapt easily; companies running manual programs find recertification painful.
R2: What It Is and Who Actually Asks for It
R2 is the full HITRUST assessment. The control set is scoped to your specific risk environment — your geography, industry, data types, and regulatory factors combine to generate a tailored control catalog that can exceed 200 controls. Controls are scored across five maturity levels: policy, procedure, implementation, measured, and managed. Every domain needs to achieve a passing score across all five tiers.
R2's 2-year validity with a mid-cycle interim assessment is the result of that rigor: the certification is worth more, so it lasts longer.
Who asks for R2?
- Large national health systems and IDNs — Integrated delivery networks like CommonSpirit, HCA, Ascension, and regional flagship health systems commonly require R2 from vendors accessing their clinical and operational data.
- National payers and managed care organizations — Aetna, Cigna, Humana, UnitedHealth Group, and their subsidiaries increasingly specify R2 for vendors in their data ecosystems.
- Federal health agencies and their contractors — HHS, CMS, VA, and DoD health programs frequently require R2 for technology vendors. FedRAMP covers cloud services; HITRUST R2 covers health-adjacent vendors that aren't subject to FedRAMP.
- Large financial institutions with health benefit responsibilities — Major banks, custodians, and insurance holding companies dealing with employee benefit data at scale expect R2.
- Pharma and medical device companies at enterprise scale — Large pharma companies and their clinical data partners (CROs, labs, specialty distributors) increasingly specify R2 as part of their vendor due diligence for regulated data environments.
- Private equity-backed healthcare rollups — PE firms in health services, dental, and behavioral health have started standardizing R2 across their portfolio companies as a portfolio-level risk management practice.
- Organizations being acquired by HITRUST-certified entities — If your acquirer holds R2, expect R2 to become a condition of close or post-close integration.
The honest R2 verdict
R2 is the right answer when your customer base is concentrated in large healthcare or regulated financial services, when you're handling PHI at scale, or when a specific customer has explicitly told you R2 is required to proceed. It's a substantial investment — 8–14 months for a first certification — but the 2-year validity and multi-framework coverage make the ROI calculation real.
The single most important thing to understand about R2: companies that already hold SOC 2 Type II complete it significantly faster. The control overlap is roughly 80%, and the evidence collection habits from a mature SOC 2 program translate directly. If you're targeting R2 within the next 18 months, starting with SOC 2 Type II is the right sequencing.
The Upgrade Path: How to Think About Moving Up
These tiers aren't parallel options you pick once and hold forever. They're a ladder.
E1 → I1: The gap is roughly 138 additional controls and a more rigorous implementation standard. Most companies can bridge it in one additional certification cycle, especially if the E1 assessment surfaced the gaps. Timeline from E1 to I1 certification: 4–6 months for companies in active remediation.
I1 → R2: The jump from I1 to R2 is more significant — it's not just more controls, it's a different scoring model (five maturity tiers per control, not just pass/fail), a scoped environment, and a longer assessment timeline. Timeline from I1 to R2: 6–10 months for companies with strong program foundations.
Skipping E1 entirely: As mentioned above, many companies skip E1 altogether and start at I1. This is often the right call if your first HITRUST-asking customer is a regional payer or health system (I1) rather than a mid-market vendor security team (E1). There is no penalty for skipping a tier — you don't need E1 before I1, and you don't need I1 before R2.
Reading the Room: Which Tier Does This Deal Actually Require?
If you're trying to close a specific deal and you're not sure what the customer is actually asking for, here's how to find out without guessing:
- Ask for the security questionnaire or vendor assessment form directly. Many customers use HITRUST-specific questionnaire language that specifies the tier. "HITRUST certified" without a tier usually means I1 minimum.
- Check their business associate agreement (BAA). Large health systems often reference their minimum security certification requirements in the BAA addendum.
- Look at their approved vendor list requirements. Many large payers and health systems publish their vendor security requirements. They're worth reading before starting an assessment.
- Ask your assessor. An experienced HITRUST External Assessor will know what their clients' customers typically require. This is local knowledge that's hard to get any other way.
The Bottom Line
| Situation | Right choice |
|---|---|
| First compliance milestone, limited data scope, deal moving fast | E1 |
| Regional health system, payer, or digital health buyer asking for HITRUST | I1 |
| Large national health system, major payer, federal contractor, enterprise pharma | R2 |
| Not sure yet, but preparing proactively | SOC 2 Type II first, then I1 |
| Acquired by or selling to a HITRUST-certified entity | R2 |
| Multiple enterprise regulated buyers across different tiers | Start at I1, roadmap to R2 |
The worst outcome isn't choosing the "wrong" tier — it's delaying the choice until a deal is at risk. Even E1 is significantly better than no certification when a customer is waiting.
If you're not sure where to start, we can help. We've guided companies from first HITRUST conversation to certified in every tier, and we know what your specific customer base is actually asking for. The conversation is free.