HITRUST r2 Assessment Certifications

The Industry-Recognized Gold Standard for Providing the Highest Level of Information Protection and Compliance Assurance

The HITRUST Risk-based, 2-year (r2) Validated Assessment is globally recognized as a high-level validation showing that an organization successfully manages cyber risk by meeting and exceeding industry-defined and accepted information security requirements. The HITRUST r2 Validated Assessment + Certification is considered the gold standard for information protection assurances because of the comprehensiveness of control requirements, depth of quality review, and consistency of oversight.

Earning an r2 Certification puts an organization into an elite group by showing that they meet key compliance requirements included across a wide range of industry standards and frameworks, as well as federal and state regulations. The HITRUST r2 provides a competitive advantage to strengthen existing business relationships and earn new partnerships — especially in situations with significant volumes of PII, ePHI, and other sensitive data that requires the highest levels of assurance.

  • The number of control requirement statements in an r2 Assessment ranges from 198 to 2000 (360 on average in the scope of assessments)
  • Uses a flexible, tailorable, risk-based approach to scale and select controls based on inherent risk factors and targeted authoritative sources
  • While 75 prescribed controls within the HITRUST CSF framework are required for an r2 Certification, organizations have the flexibility to scale and select other controls as needed
  • Relies on proven PRISMA scoring for Policies, Procedures, Implemented, and (optionally) Measured and Managed
  • Offers Assess Once, Report Many™ benefits by meeting multiple requirements and minimizing the need for additional reports


r2 Assessments Deliver Highest Level of Assurances

By using a risk-based approach and rigorous evaluation processes, the r2 helps organizations address their most demanding security and data protection challenges.

  • A properly scoped and tailored r2 Assessment offers coverage against: NIST SP 800-53, NIST CSF, ISO 27001, HIPAA, FedRAMP, FISMA, FTC Red Flags Rule Compliance, MARS-E Requirements, PCI DSS, CCPA, GDPR, AICPA Trust Services Criteria for Security, Confidentiality and Availability, plus more than 30 other industry-recognized frameworks, standards, and authoritative sources
  • Uses the proven HITRUST CSF framework, which is highly prescriptive and constantly updated, unlike many other frameworks that are vague and remain unchanged for years
  • Assessment and testing through a highly qualified HITRUST Authorized External Assessor firm of your choice and the comprehensive HITRUST QA process for Validation and Certification (if earned)
  • Provides a comprehensive 2-year r2 Certification Report, which helps justify reductions in cyber insurance premiums
  • Leverages the HITRUST Results Distribution System (RDS) online portal to share assurance results with relying parties through a PDF, web browser, and/or API so they can obtain, interpret, and analyze assessments more efficiently
  • Reduces time, effort, and cost by Inheriting prior assessment results along with reliance on sharing cloud controls
  • A separate NIST CSF report is provided with the r2 Validated Assessment Report detailing an organization’s compliance with NIST Cybersecurity Framework-related controls included in the HITRUST CSF framework
  • To assist covered entities and business associates in healthcare, the proprietary HITRUST MyCSF® Compliance and Reporting Pack for HIPAA automatically compiles evidence collected during an r2 Assessment
  • Complementary assessments include the HITRUST r2 Readiness, Interim, and Bridge Assessments


How the r2 Fits into the Full HITRUST Assessment Portfolio

All HITRUST Assessments leverage a single assurance methodology, framework, assessment platform, and the HITRUST Results Distribution System. This approach ensures consistency and efficiency across the assessment portfolio. Compared to other HITRUST Assessments, the HITRUST Risk-based, 2-year (r2) Validated Assessment requires a higher level of effort, which delivers the highest level of assurance. The HITRUST Implemented, 1-year (i1) Validated Assessment is a best practices assessment recommended for situations that present moderate risk. The bC is a self-assessment that delivers relatively easy-to-obtain results with no certification.

Learn More by comparing the HITRUST assessment options side-by-side.

Download the r2 Assessment Datasheet.

For More Information About the r2 Assessment:

Contact your HITRUST Product Specialist
Call: 855-448-7878 or Email: sales@hitrustalliance.net

Download the HITRUST CSF

The HITRUST Approach is built upon the comprehensive and scalable HITRUST CSF framework, which helps organizations of all sizes implement and enhance information risk management and compliance programs. For eligible organizations, the HITRUST CSF is available to download free of charge.

