

HITRUST r2 - 2-year Validated Assessment provides the highest level of information protection and compliance assurance.

r2 is best suited for organizations that need to demonstrate regulatory compliance with authoritative sources like HIPAA, the NIST Cybersecurity Framework, and dozens of others or require expanded control tailoring based on other identified risk factors. It is the most comprehensive and robust HITRUST certification.

Benefits of the r2 Assessment

Ensures Robust Cybersecurity Practices

Maps to each authoritative source to deliver more precise and comprehensive cybersecurity

Tailors Approach Based On Risk

Provides tailoring to precisely select the prescriptive controls that cover the risk and compliance factors an organization needs

Adds Efficiency

Saves time and effort by leveraging work from previous HITRUST assessments

Proves Highest Level Of Assurance

Puts organizations into an elite group by demonstrating that they meet the most demanding information risk requirements

Use Cases for the r2 Assessment

An r2 assessment can provide the highest level of information protection and compliance assurance:
  • When assurances are needed over specific authoritative sources or international requirements such as GDPR, PCI DSS, HIPAA, and more.
  • For organizations processing large amounts of sensitive data and personal information, including PHI.
  • For organizations that need to share reports with multiple entities.
  • When an organization's customer has adopted HITRUST as the required assurance mechanism for doing business.
  • To gain a competitive advantage by strengthening business relationships.
  • To show justification for more favorable cyber insurance premiums.
An r2 assessment can generate a supplemental report:
  • When a NIST Scorecard Report is needed to demonstrate compliance with NIST Cybersecurity Framework controls.
  • When a HITRUST Insights Report for HIPAA is desired as an add-on report from MyCSF®. 
  • During an r2 certification, the MyCSF Compliance and Reporting Pack for HIPAA automatically compiles HIPAA compliance evidence.
An r2 assessment can be used for third-party risk management:
  • To request from service providers that handle PII, ePHI, and other sensitive data requiring the highest assurance levels.
  • For third-party vendors that present high levels of risk due to data volumes, regulatory compliance, or other risk factors.
  • When your organization needs added confidence that a business partner provides rigorous cybersecurity protection and compliance.

Regulatory Assistance Center

HITRUST created the Regulatory Assistance Center to provide free guidance to organizations that have a HITRUST r2 certification and are preparing for or undergoing a regulatory audit.
