The HITRUST r2 Validated Assessment is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of review, and consistency of oversight. The r2 offers flexible, tailorable, risk-based control selection to meet the most stringent risk and compliance factors. With a proactive Expanded Practices approach to cybersecurity and more requirement statements than an e1 or i1, the r2 Assessment consistently provides the highest level of assurance for organizations with the greatest risk exposure.

Use Cases for the r2 Assessment

r2 as the Final Destination

• When assurances are needed over specific authoritative sources or international requirements.
• For organizations processing large amounts of sensitive data and personal information, including PHI.
• To Assess Once, Report Many™ for enterprises working in multiple industries with complex regulations such as NIST, PCI DSS, HIPAA, and more.
• During an r2, the MyCSF® Compliance and Reporting Pack for HIPAA automatically compiles HIPAA compliance evidence.
• When a NIST Scorecard Report is needed to demonstrate compliance with NIST Cybersecurity Framework controls.
• When an organization’s customer has adopted HITRUST as the required assurance mechanism for doing business.
• To gain a competitive advantage by strengthening business relationships.
• To show justification for more favorable cyber insurance premiums.

r2 for Third-Party Risk Management

• To request from service providers that handle PII, ePHI, and other sensitive data that requires the highest levels of assurance.
• For third-party vendors that present high levels of risk due to data volumes, regulatory compliance, or other risk factors.
• When your organization needs added confidence that a business partner provides rigorous cybersecurity protection and compliance.