
The news about eVero achieving HITRUST r2 certification leads to one common question: what exactly does that mean?
Healthcare providers are entrusted with some of the most sensitive data imaginable: patient medical records, insurance details, and confidential personal information. They increasingly rely on technology to collect, store, manage, and transmit this information, and as a result they are under constant pressure to address current and emerging security threats while meeting complex compliance, information-protection, and privacy requirements. Among the many compliance certifications and guidelines available, HITRUST is a framework built around HIPAA's requirements for organizations that want to demonstrate their commitment to safeguarding patient data.
What, or Who, is HITRUST?
HITRUST, an acronym for Health Information Trust Alliance, is a comprehensive framework established in 2007 in response to the growing number of data breaches in the healthcare sector and the resulting enforcement actions under HIPAA. It was jointly developed by healthcare and information security professionals to lay out a detailed approach to managing security risks and protecting sensitive data. Over the years, HITRUST has evolved into a widely recognized compliance standard adopted by healthcare organizations of all sizes. According to HITRUST, 81% of US hospitals, 83% of US health plans, and 75% of US Fortune 500 companies use, recommend, or accept HITRUST certification. (Source: HITRUST)
HITRUST lets organizations tailor the set of required controls to their own risk profile while keeping the assessment method consistent, so results are comparable across organizations and applications. Because the framework scales to organizations of any size, system type, and regulatory need, HITRUST certification lets an organization demonstrate its compliance status with a high degree of assurance. It also gives assessors the tools and resources they need to measure how well an organization mitigates its risks.
Types of HITRUST Assessments
HITRUST offers several assessment options, matched to an organization's size, risk profile, and the level of assurance it needs to demonstrate.

- HITRUST Essentials 1-Year (e1) Assessment is the entry-level assessment. With 44 standardized requirements, it provides assurance for organizations with lower information security risk, making it a good choice for small businesses or startups with limited resources. It can be run as a readiness self-assessment, but certification requires validation by a HITRUST External Assessor.
- HITRUST Implemented 1-Year (i1) Assessment is a validated assessment conducted by a HITRUST External Assessor firm. The current version (v11) includes a standardized set of 182 requirement statements that apply to every organization seeking this certification.
- HITRUST Risk-based, 2-Year (r2) Assessment is the most comprehensive validated assessment. It is built on more than 40 authoritative sources, including NIST, ISO, and PCI DSS, which is why it is so highly regarded in the healthcare industry. It requires extensive policy and procedure documentation and may require new tools and processes. Each r2 control is scored against five maturity levels: policy, procedure, implemented, measured, and managed. Like the i1, the r2 requires a HITRUST External Assessor firm, and the completed assessment is submitted to HITRUST for a Quality Assurance review before certification is issued. The r2 is the right fit for organizations that want to demonstrate the highest level of commitment to data security.
eVero’s platform achieved HITRUST r2 certification. The assessment process took over a year and included a review of 271 of our policies and procedures, meeting 236 requirements, and submitting 235 samples and 334 specific pieces of evidence to the independent auditor.
The HITRUST i1 certification is valid for one year. The HITRUST r2 certification is valid for two years, and the organization must successfully complete an interim assessment after the first year to keep it.
Our next blog post will discuss the differences between HITRUST certification and HIPAA compliance (HIPAA itself has no formal certification). Stay tuned!