Skip to content

Are Your Vendors Exposing
You to Risk?

The powerful HITRUST Assessment XChange provides greater confidence that your organization is doing everything possible to enhance data protection and minimize third-party risk. Our best-in-class Assessment XChange streamlines Third-Party Risk Management (TPRM) while helping you make better-informed risk decisions.

HITRUST Assessment XChange

The HITRUST Assessment XChange is a fully managed service offered by HITRUST.
It enables your organization to augment or completely outsource your vendor risk management. The XChange provides a consistent, transparent assessment mechanism backed by HITRUST’s TPRM methodology.

Designed to improve TPRM efficiency and security and reduce costs, the XChange:

  • Facilitates streamlined inherent risk tiering and scoring methodology
  • Delivers automated classification of third-party vendors and suppliers, with recommendations for which assurance to request
  • Provides reliable validation of third-party information practices against continuously updated controls
  • Enables easier and more comprehensive comparison of your vendor population, facilitating risk remediation as needed

The XChange employs a six-step process to recommend the appropriate assurances to request from your vendors.



Review vendor data access and assess impact.


Risk Triage

Evaluate and classify third parties based on risk factors.


Risk Assessment

Obtain and review assurance reports to accurately assess security and privacy risk.


Risk Mitigation

Identify gaps and implement Corrective Action Plans (CAPs) to reduce risk to an acceptable level.


Risk Evaluation

Determine remaining risk and prepare appropriate vendor qualification recommendations.


Third-Party Qualification

Based on risk tolerance, engage management to accept or reject any known third-party risk.

Inherent Risk Assessment

HITRUST's Inherent Risk Module enables organizations to assess risks in business relationships, segment vendors, and determine appropriate assurance levels.

This process is particularly useful for:

  • Assessing new third parties with unknown risk profiles, such as potential vendors from an RFP or onboarding process
  • Validating or challenging current vendors' risk tiers against an unbiased metric
  • Ensuring risk assessment requests are thorough yet not burdensome
  • Aligning risk factors between internal and external parties
  • Obtaining additional data from vendors through customized questions

Risk Assurance Portfolio

HITRUST’s scalable, flexible portfolio offers multiple assessment levels of assurance aligned with the risk profile, maturity, resources, and budget of your vendors.

e1 Self-Assessment

Your organization will determine the final assurance level for each vendor, but many start with an e1 Self-Assessment. This assessment focuses on essential information security controls curated by HITRUST from sources like CISA Cyber Essentials, Health Industry Cybersecurity Practices (HICP) for Small Healthcare Organizations, NIST 171’s Basic Requirements, and NIST IR 7621.


The e1 Self-Assessment is ideal for:

  • Organizations with lower risk profiles
  • Service providers and organizations with limited PII business processes (e.g., sales/marketing, call centers, brokers, auditors)
  • Vendors in the RFP or onboarding process
  • Third parties expanding services
  • Business partners taking the first step toward higher certification levels

Higher Levels of Assurance

In addition to the e1 Self-Assessment, HITRUST offers e1, i1 or r2 Readiness or Validated Assessment (+Certification).


Which assessment type is
right for your organization?

e1, 1-year Validated Assessment

The e1 Validated Assessment allows for an entry-level validated assessment based on critical, foundational security controls. The e1 can be used by organizations with a lower risk profile, or by organizations looking to demonstrate trustworthiness while working toward a higher level of cybersecurity certification.

i1, 1-year Validated Assessment

The i1 is an innovative, threat-adaptive, broad-based assessment used to demonstrate leading security practices. The i1 is more comprehensive than the e1 and work performed during this process can be applied toward r2 Certification.

r2, 2-year Validated Assessment

The r2 Validated Assessment + Certification uses an expanded practices approach that is globally recognized as a high-level validation showing that an organization successfully manages cyber risk by meeting and exceeding industry-defined and accepted information security requirements.


Chat Now

This is where you can start a live chat with a member of our team