Question 1

What is the difference between e1, i1, and r2?

Accepted Answer

e1 (essentials, ~44 controls) is a 1-year cyber-hygiene assessment for low-risk organizations. i1 (~182 controls) is a moderate-assurance, 1-year validated assessment scoped for cyber threat resistance. r2 (~156–350+ tailored controls) is the flagship 2-year risk-based certification used by healthcare and payer organizations.

Question 2

How does HITRUST relate to HIPAA?

Accepted Answer

HITRUST CSF maps to HIPAA Security and Privacy Rules and is widely accepted by U.S. healthcare buyers as evidence of HIPAA-aligned controls. A HITRUST r2 certification typically satisfies HIPAA security questionnaires from large payers and health systems, though it does not replace BAA execution.

Question 3

How much does HITRUST certification cost?

Accepted Answer

r2 certifications typically run $60,000–$200,000+ for the assessor engagement, plus internal readiness costs. i1 assessments run $30,000–$80,000. Costs scale with control scope, environment complexity, and chosen Authorized External Assessor.

HITRUST CSF

Key controls