HITRUST Certification: 2026 Complete Guide
HITRUST certification is a third-party-validated attestation that an organization's security and privacy controls meet the HITRUST Common Security Framework (CSF). It is the certification most enterprise health buyers ask for when they want to trust a vendor with protected health information.
This guide is for security leads, compliance managers, and founders at healthcare SaaS, business associates, MSPs handling PHI, and any vendor that just received a procurement request mentioning HITRUST. It covers what HITRUST is, the three tiers (e1, i1, r2), realistic cost and timeline ranges, the assessment process, and how the framework lines up against HIPAA, SOC 2, NIST, and ISO 27001.
If you are still mapping the territory between HIPAA the law and HITRUST the certification, start with the HIPAA vs HITRUST comparison and the HIPAA compliance guide. For the security control side, the SOC 2 compliance guide and the NIST Cybersecurity Framework guide give you the surrounding context.
What HITRUST certification actually is
HITRUST is a private organization, the HITRUST Alliance, founded in 2007. It publishes the HITRUST CSF, an integrated control framework that consolidates requirements from HIPAA, the NIST Cybersecurity Framework, NIST SP 800-53, ISO/IEC 27001, PCI DSS, GDPR, and roughly 40 other authoritative sources into one rationalized set of controls.
The framework is the substance. The certification is the proof. When an organization is "HITRUST certified," a HITRUST-authorized External Assessor has reviewed its controls against the relevant CSF requirements and HITRUST has validated the report. Three things separate HITRUST from most other compliance schemes:
- Prescriptive controls, not principles. Where SOC 2 leaves much of the control language up to the auditor and the service organization, HITRUST defines specific implementation requirements. You either meet the requirement or you do not.
- Maturity scoring. Each in-scope control is scored on a 5-point model: Policy, Procedure, Implemented, Measured, Managed. A policy on the shelf does not pass. Documented evidence that the control is operating and being reviewed does.
- One audit, many frameworks. A single HITRUST r2 engagement can satisfy customer requests for HIPAA evidence, NIST mapping, ISO 27001 readiness, and several state privacy laws at once. That is the value proposition.
Who HITRUST is for
HITRUST is built for organizations that handle PHI and sell into large regulated buyers. The most common candidates: healthcare SaaS vendors selling to hospital systems and payers, business associates handling PHI at scale, pharma and life sciences technology vendors, MSPs supporting healthcare clients, payer-side analytics and claims vendors, and AI companies processing PHI.
It is generally not the right first move for pre-revenue startups, vendors selling only to small clinics and dental practices, companies whose buyers have never mentioned HITRUST, or organizations without a working HIPAA program. Get a HIPAA program in place first, layer SOC 2 if your buyers ask for it, and only escalate to HITRUST when a specific deal demands the certificate.
The HITRUST CSF: what is actually in the framework

The HITRUST CSF is organized into 14 control categories and 49 control objectives, with control specifications that vary by certification tier and risk profile. Categories cover the full security and privacy stack: information security management, access control, human resources, risk management, security policy, asset management, physical security, operations, system development, incident management, business continuity, and privacy practices.
Each control specification maps to authoritative source citations. A single HITRUST control on access reviews may map to HIPAA Security Rule administrative safeguards, NIST 800-53 AC-2, ISO 27001 Annex A 5.18, and PCI DSS requirement 7. Cross-walks are documented inside the MyCSF platform, the tool HITRUST sells for managing assessments. HITRUST CSF v11 was released in early 2023, with subsequent point releases adding controls for AI risk and refreshed mappings against NIST Cybersecurity Framework 2.0.
Risk factors and tailoring
HITRUST controls are tailored through organizational, regulatory, and system-level risk factors. The risk factors expand or contract the control set. A 30-person SaaS storing 10,000 patient records faces a smaller control set than a 5,000-person clearinghouse processing 100 million claims a year, at the same certification tier. This is why cost estimates vary so widely: the same r2 certification can produce a 250-control audit for one company and a 2,000-control audit for another.
HITRUST e1 vs i1 vs r2: choosing the right tier
HITRUST offers three certification levels as of the current CSF version. They are different products, not different difficulty levels of the same product. Each is appropriate for a different organizational risk profile and buyer expectation.
| Attribute | HITRUST e1 | HITRUST i1 | HITRUST r2 |
|---|---|---|---|
| Full name | Essentials, 1-year | Implemented, 1-year | Risk-based, 2-year |
| Validity period | 1 year | 1 year | 2 years (interim review in year 2) |
| Control count (typical) | 44 | 182 | 200 to 2,000+ (risk-tailored) |
| Maturity scoring | Implemented only | Implemented only | Full 5-level (Policy through Managed) |
| Target user | Low-risk vendors, early-stage SaaS | Mid-risk SaaS, growth stage | High-risk vendors, enterprise health |
| First-year cost range | $25,000 to $40,000 | $60,000 to $90,000 | $100,000 to $250,000+ |
| Timeline (prepared org) | 3 to 6 months | 6 to 12 months | 12 to 18 months |
| Buyer recognition | Limited (newer tier) | Strong for mid-market | Strongest, enterprise standard |
| Reusable evidence for HIPAA | Partial | Strong | Comprehensive |
When e1 is the right call
The e1 (Essentials) certification covers 44 foundational controls as a 1-year, lower-cost entry point. It is appropriate for vendors handling a limited amount of PHI, selling into smaller buyers, or needing a baseline third-party attestation while building toward i1 or r2. E1 is roughly comparable in effort to a SOC 2 Type 1, with heavier emphasis on prescriptive controls. The trade-off is buyer recognition: many large hospital systems will not accept an e1 in lieu of an i1 or r2 for high-risk vendor categories. Ask the specific buyer before investing.
When i1 is the right call
The i1 (Implemented) certification covers a fixed 182 controls with no risk-factor expansion. Every i1 audit assesses the same control set. Validity is 1 year. I1 has become the workhorse certification for growth-stage healthcare SaaS because scope is predictable, cost is predictable, and buyer recognition is meaningful.
For most companies with a working HIPAA program and a SOC 2 Type 2 already in place, i1 is the natural next step. Roughly 70 percent of i1 controls overlap with a properly scoped SOC 2 Type 2 audit, which materially shortens preparation time.
When r2 is the right call
The r2 (Risk-based, 2-year) certification is the flagship. It is what enterprise health buyers usually mean when they say "HITRUST" without further qualification. The control set is risk-tailored, validity is 2 years with an interim review, and the audit produces a full 5-level maturity score on every applicable control.
Pursue r2 when a specific enterprise contract requires it in writing, the contract value justifies the $100,000 to $250,000+ first-year cost, you already have SOC 2 Type 2 or equivalent control documentation, and you can dedicate 1 to 2 FTEs for 12 to 18 months. Do not pursue r2 as your first compliance certification. Companies that try this typically pay 2 to 3 times what they should because they have not built the underlying documentation the audit consumes.
HITRUST certification cost and timeline
Cost is the question almost every buyer-facing security lead asks first. The honest answer is that cost varies more than for any other major certification, because HITRUST scope is risk-tailored. The ranges below are realistic 2026 estimates for a 25-to-100-person healthcare SaaS, sourced from public assessor quotes and industry reporting. Verify against actual quotes from a HITRUST-authorized External Assessor before budgeting.
| Cost component | HITRUST e1 | HITRUST i1 | HITRUST r2 |
|---|---|---|---|
| External Assessor fees (year 1) | $15,000 to $25,000 | $40,000 to $65,000 | $75,000 to $200,000+ |
| HITRUST fees (MyCSF subscription, certification, QA) | $10,000 to $15,000 | $20,000 to $25,000 | $25,000 to $50,000 |
| Internal labor (FTE time) | 0.25 to 0.5 FTE for 4 months | 0.5 to 1.0 FTE for 9 months | 1 to 2 FTE for 15 months |
| Compliance automation platform | $15,000 to $30,000/year | $25,000 to $50,000/year | $40,000 to $80,000/year |
| Total year 1 (audit-only: assessor plus HITRUST fees) | $25,000 to $40,000 | $60,000 to $90,000 | $100,000 to $250,000+ |
| Year 2 ongoing | Re-cert, similar to year 1 | Re-cert, similar to year 1 | Interim review, $40,000 to $80,000 |
A few honest notes: audit-only totals exclude internal labor and platform spend, often already budgeted for other reasons. R2 quotes for organizations above 500 employees frequently exceed $300,000 in year 1. The MyCSF platform is required (no self-certification path), and an External Assessor is required for i1 and r2.
Realistic timeline by tier
For an organization with an existing HIPAA program and a SOC 2 Type 2 report:
- e1: 3 to 6 months from kickoff to certificate.
- i1: 6 to 12 months from kickoff to certificate.
- r2: 12 to 18 months from kickoff to certificate.
For an organization starting without a SOC 2 or working HIPAA documentation, add 6 to 12 months to each estimate. The bulk of that added time is policy authoring, evidence collection, and remediation of control gaps that the assessor surfaces during the readiness phase.
The HITRUST assessment process, step by step

Every HITRUST engagement runs through roughly the same eight steps. Depth and duration scale with certification tier.
- Scope definition. Decide what systems, products, and locations are in scope. Scope determines risk factors, which determine the control set. For r2 this alone can take 4 to 6 weeks of discussion with the assessor.
- Risk factor entry in MyCSF. Enter organizational, regulatory, and system-level risk factors. MyCSF generates the tailored control set.
- Readiness assessment. A self-conducted gap analysis or a paid readiness assessment performed by the External Assessor. Most organizations find 15 to 40 percent of controls have gaps at this stage.
- Remediation. Close every gap: author missing policies, deploy missing controls, fix monitoring. This is the phase that takes 6 to 12 months for a first-time r2 candidate.
- Validated assessment fieldwork. The External Assessor reviews every in-scope control, samples evidence, interviews control owners, and scores maturity. Typical window: 6 to 12 weeks.
- HITRUST QA. HITRUST itself reviews the assessor's work before certifying. Most teams underestimate this step. Plan for 4 to 12 weeks.
- Certification issuance. HITRUST issues the report and certificate. Shareable with buyers under NDA.
- Continuous compliance. Quarterly reviews of high-frequency controls, annual evidence refresh, and (for r2) the interim assessment in year 2.
Scoring: the part that surprises people
Every in-scope control on r2 (and many controls on i1) is scored across five maturity levels:
- Policy: A formal, approved, distributed policy exists for this control.
- Procedure: A documented procedure operationalizes the policy.
- Implemented: The control is actually in place and operating.
- Measured: Metrics or logs are produced and reviewed.
- Managed: The control is continuously improved based on those measurements.
A control passes only if it scores adequately across all relevant levels. A policy on the shelf with no implementation evidence will fail. An implemented control with no measurement or review will fail at higher tiers. This is the single biggest difference between HITRUST and a SOC 2 Type 2 audit, where the auditor primarily asks whether the control exists and operated during the audit window.
HITRUST vs HIPAA: the relationship
The most common HITRUST confusion is the relationship to HIPAA. The two are not alternatives. HIPAA is the federal law. HITRUST is one of several ways to demonstrate that you comply with HIPAA's Security Rule and (in part) its Privacy Rule.
HHS publishes NIST SP 800-66 Rev 2 as the official implementation guide for the HIPAA Security Rule. HITRUST CSF controls map back to the same Security Rule requirements that NIST SP 800-66 addresses, plus a great deal more. A HITRUST r2 audit produces evidence that satisfies most HIPAA Security Rule requirements as a side effect.
Three things HITRUST does not replace:
- The legal obligation. You remain subject to HIPAA enforcement by the HHS Office for Civil Rights. HITRUST certification is supporting evidence in an OCR investigation, not legal immunity.
- Business Associate Agreements. HITRUST does not negotiate or sign your BAAs. You still need executed BAAs with every subcontractor that touches PHI.
- Breach Notification. The HIPAA Breach Notification Rule still applies. HITRUST controls help reduce breach risk and improve detection, but the notification timelines and obligations live in federal regulation.
For a deeper comparison of the two from a buyer perspective, see HIPAA vs HITRUST. For the BAA mechanics specifically, see HIPAA documentation templates.
HITRUST vs SOC 2
The HITRUST vs SOC 2 comparison comes up because both are voluntary third-party attestations and both are sold by similar assessor firms. They are not interchangeable.
| Dimension | HITRUST r2 | SOC 2 Type 2 |
|---|---|---|
| Governing body | HITRUST Alliance | AICPA |
| Framework basis | HITRUST CSF (prescriptive) | Trust Services Criteria (principles) |
| Control count | 200 to 2,000+ | ~60 to 200 depending on scope |
| Scoring model | 5-level maturity per control | Pass/fail per control with auditor narrative |
| Validity | 2 years (interim in year 2) | 12-month audit window, refreshed annually |
| Typical cost (first year, audit-only) | $100,000 to $250,000+ | $20,000 to $60,000 |
| Typical timeline | 12 to 18 months | 6 to 12 months |
| Frameworks covered in one audit | 40+ via cross-walks | Trust Services Criteria only |
| Buyer recognition | Strong in healthcare; growing elsewhere | De facto standard for B2B SaaS |
| Public summary available? | Certificate listed on hitrustalliance.net | Report shared under NDA |
The AICPA Trust Services Criteria that govern SOC 2 are principles-based: the auditor and the service organization agree on the controls that satisfy each criterion. HITRUST is prescriptive: control language and testing requirements are defined by the framework, not negotiated.
For most B2B SaaS the path is SOC 2 Type 2 first (every B2B buyer asks for it), HITRUST i1 or r2 second (when healthcare and enterprise buyers escalate). See the SOC 2 compliance guide and the broader cybersecurity compliance guide for the stacking pattern.
HITRUST vs ISO 27001 and NIST CSF

HITRUST overlaps heavily with both ISO/IEC 27001 and the NIST Cybersecurity Framework. The CSF cross-walks to both. A working ISO 27001 ISMS gives you a head start on roughly 60 percent of HITRUST CSF controls. A mature NIST CSF program gives a similar head start at the framework level, though NIST CSF is organized into functions and categories rather than prescriptive controls, so the mapping is looser.
Decision rules that hold for most companies: if your buyers are primarily United States healthcare, HITRUST is the highest-impact certificate. If buyers are primarily international, ISO 27001 is more universally recognized. If you sell into United States federal government, NIST 800-53 and FedRAMP are the relevant standards. If you sell into both healthcare and international markets, the stack is usually SOC 2 + ISO 27001 + HITRUST r2. For the standalone paths, see the ISO 27001 certification guide and the NIST Cybersecurity Framework guide.
Who needs HITRUST in 2026
HITRUST has moved past its "healthcare only" framing. The CSF is increasingly cited in vendor risk assessments in financial services, life sciences, and government contracting. The buyer pull is still strongest in healthcare. Clear indicators you actually need HITRUST: a hospital system or large payer has requested it in writing, your contract template includes a HITRUST clause as a precondition for renewal, you are processing PHI for multiple large health plans, a pharma buyer is asking for it on a master services agreement, or you are answering RFPs that score HITRUST in their rubric.
You probably do not need HITRUST yet if no buyer has asked, you are under $1M ARR, your healthcare buyers are small clinics that accept a BAA plus self-attestation, or you have no SOC 2 and no working HIPAA documentation. Build those first.
Common pitfalls on the first HITRUST audit
Patterns that repeat on first-time engagements:
- Underscoping then overshooting. Teams scope narrowly to control costs, then the assessor expands scope during fieldwork because the boundary diagram does not match the systems actually handling PHI. Fix: spend real time on the scope diagram in readiness.
- Maturity-level surprise. Teams pass on Implemented but fail on Measured because no one is reviewing the logs the control produces. Fix: build review cadence into control design from the start.
- Policy without procedure. Policies exist but procedures are missing or stale. Fix: treat procedure docs as a first-class artifact.
- Training records that cannot be proven. Workforce training exists but cannot be tied to specific employees and dates. Fix: export completion reports monthly to a controlled location.
- BAAs missing for subcontractors. Fix: a single source-of-truth vendor inventory tied to BAA status.
- Risk assessment over a year old. Fix: run it on a fixed calendar date each year.
- Vulnerability findings without remediation tracking. Fix: treat the tracker as a control artifact, not a tooling output.
A working SOC 2 Type 2 program closes most of these in advance. Going for HITRUST without that foundation is the most expensive sequencing mistake teams make.
Frequently Asked Questions
What is HITRUST certification?
HITRUST certification is a third-party-validated attestation that an organization's controls meet the HITRUST Common Security Framework (CSF). The CSF consolidates requirements from HIPAA, NIST, ISO 27001, PCI DSS, GDPR, and 40 other authoritative sources. Certification is performed by a HITRUST-authorized External Assessor and validated by the HITRUST Alliance. Three tiers exist: e1, i1, and r2.
What is the difference between HIPAA and HITRUST certification?
HIPAA is United States federal law. Every covered entity and business associate handling PHI must comply regardless of size. HITRUST is a voluntary certification. There is no official HIPAA certificate, so organizations use HITRUST (or SOC 2 with a HIPAA mapping) to prove their HIPAA Security Rule implementation to buyers. HITRUST is built on top of HIPAA, not instead of it.
How long does it take to get HITRUST certification?
For an organization with a HIPAA program and a SOC 2 Type 2 report, e1 takes 3 to 6 months, i1 takes 6 to 12 months, and r2 takes 12 to 18 months. Starting from zero adds another 6 to 12 months. The bulk of the time is policy work, evidence collection, and remediation, not audit fieldwork.
How much does HITRUST certification cost?
Realistic 2026 first-year ranges for a 25-to-100-person healthcare SaaS: e1 around $25,000 to $40,000, i1 around $60,000 to $90,000, r2 around $100,000 to $250,000 or more. These cover External Assessor fees, MyCSF subscription, and HITRUST certification fees. Internal labor and compliance automation platforms are additional. Larger organizations can push r2 above $300,000.
What is the difference between HITRUST e1, i1, and r2?
E1 (Essentials) covers 44 controls, valid for 1 year, for lower-risk vendors. I1 (Implemented) covers a fixed 182 controls, valid for 1 year, the standard mid-tier choice. R2 (Risk-based) is the flagship: 200 to 2,000+ controls scoped by risk factors, valid 2 years with an interim review, scored on the full 5-level maturity model. R2 is what enterprise health buyers typically mean by "HITRUST."
Do I need HITRUST if I already have SOC 2?
Only if a specific buyer asks for it. SOC 2 Type 2 satisfies most B2B SaaS buyers. HITRUST is the escalation when a hospital system, payer, or pharma company requires more than SOC 2 in vendor risk. A scoped SOC 2 Type 2 makes HITRUST i1 roughly 30 percent cheaper and faster than starting cold.
Is HITRUST recognized outside healthcare?
Increasingly, yes. The CSF is being adopted in financial services, life sciences, and federal contracting. The strongest buyer pull remains healthcare. Outside healthcare, ISO 27001 and SOC 2 remain the more common certifications buyers ask for.
Bottom line
HITRUST is the most rigorous voluntary certification path for organizations handling PHI in the United States, and the most credible single attestation in front of enterprise health buyers. The CSF consolidates requirements from HIPAA, NIST, ISO 27001, PCI DSS, and 40-plus other sources into one prescriptive, maturity-scored framework with three tiers (e1, i1, r2). Pursue it when a specific buyer or contract requires it, sequence it after a working HIPAA program and a SOC 2 Type 2 to control cost, and budget honestly: $25,000 to $250,000+ in audit fees and 3 to 18 months of preparation depending on tier.
Primary Sources
- HHS HIPAA Security Rule. United States Department of Health and Human Services.
- HHS HIPAA Privacy Rule. United States Department of Health and Human Services.
- HHS Office for Civil Rights. HIPAA enforcement authority.
- HHS Sample Business Associate Agreement Provisions.
- NIST SP 800-66 Rev 2: Implementing the HIPAA Security Rule. National Institute of Standards and Technology.
- NIST SP 800-53 Rev 5: Security and Privacy Controls. National Institute of Standards and Technology.
- NIST Cybersecurity Framework. National Institute of Standards and Technology.
- AICPA SOC Suite of Services and Trust Services Criteria. American Institute of Certified Public Accountants.
- ISO/IEC 27001 Information Security Management Systems. International Organization for Standardization.
