HITRUST: What’s e1 got to do with it?

Cristina's Compliance Corner

HITRUST has gained a lot of traction in the industry in the last decade. More and more, healthcare institutions, providers, and clearinghouses require it—and it’s not limited to them! But what exactly are they demanding?

If you dig into additional details around HITRUST, you’ll  quickly discover that there are three different types of HITRUST Certification you can pursue:

  1. r2 (risk-based two-year certification)
  2. i1 (implementation one-year certification)
  3. e1 (essentials one-year certification)

The world of compliance and HITRUST can feel like navigating a foreign land. So, it can be challenging to understand which certification is best suited for your business. That’s why I called on Thoropass’s resident HITRUST expert, Jason Kor, to help unpack the nuances of each certification and help you determine the right fit for your business.

If you’ve tuned in before, you may have seen Jason break down the differences between HIPAA and HITRUST in a previous episode. While we touched on the history of HITRUST and the markets it carries the most weight in, we spent most of our time discussing the differences between the three certifications.

I’ve recapped the most critical points of the discussion for you below. And, as always, you can access the video of our discussion on-demand at any time here.

Since appearing on the security, privacy, and compliance scene, HITRUST has made a name for itself as the highest level of assurance an organization can achieve. It’s considered the best practice standard. It’s also scoped specifically for a company’s environment, data, processes, and procedures.

While HITRUST now boasts itself as industry agnostic, it still has a resounding presence in the health and insurance industry. With this level of detail, big-name companies have gained comfort in sharing, using, and processing even the most sensitive data. It also can be used to close massive deals.

“The market dynamic is fascinating. We’ve got hundreds of tech startups a year trying to improve insurance and then five big insurance plans, so negotiating power is lopsided,” explains Kor.  “It is a  game changer for tech startups can get a leg up on their competitors [through achieving HITRUST]. And suddenly, you land one customer, and that’s 20% market share across the insurance players. They are massive, massive deals.”

Questions to ask 

Nonetheless, understanding which level of certification is required when embarking on your HITRUST journey can be complicated. It can feel overwhelming, especially if you’re a resource-constrained team. So, some of the questions to consider are:

  • Am I contractually obligated to achieve a certain level of certification?
  • Do I have a dedicated individual to run point on the project? And if not, who can I assign to assist? 
  • Is budget a constraining factor?

This list of considerations is all things that should help drive the conversation when you reach out to potential partners to help you through the process. As always, we here are Thoropass are happy to assist.


Is HITRUST right for your business?
Take the quiz
Find out which HITRUST assessment is right for you
Take the quiz icon-arrow-long

R2 Certification: A risk-based approach

Historically speaking, r2 is the HITRUST certification. It is the original and most all-encompassing certification designed for enterprise customers. However, since its creation, the r2 has been adopted by many companies, regardless of size. It is representative of the deep care, consideration, and adherence to even the most stringent requirements.

But, with that level of scrutiny and detail comes significant challenges, especially for resource-strapped companies. Generally speaking, the r2 certification is:

  1. Expensive;
  2. Extensive; and,
  3. Intensive! 

Adding additional context, Jason said, “If you have a 10,000-person company with hundreds of systems, this is the right framework for you. I think, generally, what the market found was that it was, although a very high level of assurance, it was very cumbersome to implement and incredibly expensive to audit. If you have 800 controls with subparts for each of them, and you’re going to test them each for policy, procedure, and implementation, it gets costly really quick.”

Keeping that in mind, if you’re an early-stage startup with limited resources, we recommend considering one of the other more entry-level HITRUST certifications unless an r2 is specifically required based on contractual obligations.

If seeking the gold standard of r2 is on your roadmap, don’t fret! There is always the opportunity to mature your HITRUST program to r2, especially if you work on the certifications outlined below. 

i1 Certification: Laying the implementation groundwork

Once the HITRUST organization realized that enterprise-level customers weren’t their only market and most others had difficulty justifying the burden of an r2 certification, they developed the i1. 

“[HITRUST said] We’re going to simplify it. We’re going to make it fewer requirement statements. Today, it’s around 188 requirement statements. And it’ll be easier, and cheaper, which is good… A significant portion of the market does an i1 assessment every year.” says Jason. 

The i1 was developed as the gateway to r2, meaning that a company could show its excellent and extensive compliance posture without the cumbersome and somewhat ancillary controls required by the r2. It also serves as the stepping stone for companies who want to undertake the r2 eventually but are still waiting for the appropriate time or requirement. 

At Thoropass, the i1 certification tends to be the most commonly recommended certification of the three. It perfectly toes the line between being proactive as well as being considerate of the current situation a company might find itself in. It’s unnecessary for a company that isn’t explicitly being asked for an r2 to undergo the complexity of that certification. It also recognizes that if you’re in a space where HITRUST may eventually be necessary, you can proactively show your high level of compliance.  

e1 Certification: The essentials

If HITRUST is on your radar (meaning you work in the healthcare space, process/touch any PHI, or partner with customers in a regulated area), this is the certification path for you! The e1 helps provide the essentials of security and compliance in a streamlined manner. It is also significantly cheaper than the other two certifications and requires the most minor work. 

Providing just the essentials is an excellent option for someone who hasn’t been asked about HITRUST yet but knows that compliance and security are vital. It’s also worth pursuing if you’re a smaller organization trying to build your business. 

“It specifically addresses the part of the market that hasn’t grown into this big enterprise yet. If you’re a tech startup, you don’t have many employees. You’re like, I want to go to market, I want to have the credentials, and I also want to have a framework that’s going to grow with my business so that when I’m higher risk, I have more data, I have more people, I’m more complicated, I can start on my i1 because I already have my e1.” says Jason.

Additionally, if a company is looking to show its compliance with other frameworks, such as SOC2, ISO27001, or HIPAA, this is a great avenue to pursue. 

Given that it’s the “essentials,” a company can meet requirements and adhere to those other frameworks while working alongside their HITRUST e1 certification. 

The e1 is a building block for future compliance needs and is a proactive first step. By having a solid foundation without the pressure of a contract impacting your business, you can work through the requirements carefully. 

HITRUST guidance you can trust 

Considering stage appropriateness and market fit will always be critical when choosing which certification path is right for you. Given that HITRUST is an investment of time, effort, and money, it’s necessary to ensure you’re making the right choice for your business. 

As Jason Kor explains, “We don’t decide to do HITRUST for the sake of doing HITRUST. You decide to do HITRUST because you will have a monetary return on your investment.” 

Let the experts at Thoropass guide you through the process.  Thoropass will provide a consultative conversation with dedicated HITRUST-certified professionals so you can feel 100% confident in your path to HITRUST success. 

Plus, if you use Amazon Cloud Services, like many of our customers, you can easily renew your Thoropass subscription within the AWS Marketplace and earn 5% back. Speak to a member of our team today to see if your organization is eligible!


Share this post with your network:

LinkedIn