Overview: The Three HITRUST Assessment Types

All three HITRUST assessment types share the same fundamental structure: a Validated Assessment conducted through the MyCSF portal by a HITRUST Authorized External Assessor, followed by HITRUST Quality Review and a certification award listed in the HITRUST Registry. What differs across tiers is control count, maturity scoring depth, certification validity, cost, and what each credential signals to health plan and hospital system customers.

The three tiers are not simply "small, medium, large." They reflect different assessment philosophies:

  • e1 — answers the question: "Does this organization have the most critical cybersecurity controls in place?" (44 controls, implemented level only)
  • i1 — answers the question: "Does this organization have a comprehensive implemented cybersecurity program?" (~182 controls, implemented level only)
  • r2 — answers the question: "Does this organization operate a mature, measurable, and continuously managed cybersecurity program?" (200+ controls, full 5-level PRISMA scoring)

Side-by-Side Comparison: e1 vs. i1 vs. r2

| Dimension | e1 (Essential) | i1 (Implemented 1-Year) | r2 (Risk-Based 2-Year) |
|---|---|---|---|
| Control Count | 44 controls | ~182 controls | 200+ controls (scope-dependent) |
| Maturity Scoring | Implemented level only (Level 3) | Implemented level only (Level 3) | Full 5-level PRISMA: Policy, Procedure, Implemented, Measured, Managed |
| Certification Validity | 1 year | 1 year (Bridge Assessment available) | 2 years (with interim CAP monitoring) |
| All-In Cost | ~$35,000–$50,000 | ~$70,000–$120,000 | ~$100,000–$500,000+ |
| HITRUST MyCSF Report Credits | ~$6,000 | ~$7,000 | ~$9,000 |
| External Assessor Fees | $20,000–$35,000 | $40,000–$80,000 | $75,000–$400,000+ |
| Timeline (first certification) | 3–4 months | 6–9 months | 12–15 months |
| Internal FTE Hours | 150–300 hours | 250–500 hours | 300–600+ hours |
| HITRUST Inheritance Impact | Available; limited scope savings | Available; 23.4% reduction in assessor hours (2024) | Available; 14% reduction in assessor hours (2024) |
| Assessment Platform | MyCSF portal | MyCSF portal | MyCSF portal |
| External Assessor Required? | Yes | Yes | Yes |
| Bridge Assessment Available? | No | Yes | No (CAP monitoring during 2-year period) |
| Renewal Frequency | Annual | Annual (or Bridge) | Every 2 years |
| Publicly Listed in HITRUST Registry? | Yes | Yes | Yes |
| Typical Customer Requirement Context | Entry-level vendor credentialing; lower-risk vendor relationships | Health plan and hospital system vendor contracts (most common) | High-risk PHI vendors; federal contracts; PBMs (CAA 2026); large health system integrations |
| GRC Automation Value | Low; limited evidence volume | High; 60% labor reduction possible | High; 60% labor reduction possible; essential for renewal efficiency |

Sources: HITRUST Alliance pricing guide; 2025 HITRUST Trust Report (hitrustalliance.net/trust-report); Sprinto HITRUST Certification Cost 2026; Cloudticity 2024 cost analysis.

HITRUST e1: When to Choose It

What e1 Covers

e1 covers 44 implemented controls representing the highest-priority security requirements across the HITRUST CSF. The control set focuses on identity and access management (MFA, role-based access), encryption of data at rest and in transit, patch management and vulnerability remediation, endpoint protection, incident response basics, and key governance documentation. These are the 44 controls HITRUST identified as most directly preventing the most common breach vectors.

e1 does not require PRISMA maturity scoring — assessors evaluate only whether controls are implemented (Level 3). This makes evidence preparation significantly simpler than r2 and allows the shorter 3–4 month timeline.

When e1 Is the Right Choice

  • Your current health plan or hospital system contracts specifically accept e1 — confirmed in writing, not assumed
  • You need a HITRUST credential on a short timeline (contract deadline within 4 months) and cannot complete i1 in time
  • You are pursuing HITRUST for the first time and your primary customer base does not yet require i1 — building internal familiarity before scaling up
  • You handle limited PHI in a low-risk capacity and your customer's VRM program treats you as a lower-risk vendor tier

When e1 Is Not Sufficient

e1 will not satisfy most health plan vendor credentialing requirements. If your customer contract says "HITRUST certification required" without specifying e1 explicitly, assume i1 is expected. Starting at e1 when your customers require i1 means paying for two certification cycles — the total cost of the e1 engagement plus the subsequent i1 engagement exceeds what a direct i1 engagement would have cost.

e1 Timeline Detail

  • Month 1: Scoping, readiness assessment, gap analysis against 44 controls
  • Month 2: Remediation of identified gaps; policy development; evidence preparation
  • Month 3: Internal readiness validation; MyCSF evidence submission; external assessor engagement
  • Months 3–4: Validated Assessment; HITRUST Quality Review; certification award

HITRUST i1: When to Choose It

What i1 Covers

i1 covers approximately 182 implemented controls — the 44 e1 controls plus an additional set addressing threat intelligence, advanced access control, comprehensive vendor risk management, detailed logging and monitoring, and expanded incident response requirements. Like e1, i1 evaluates only the "implemented" maturity level — controls must be in operation, but formal measurement and management processes are not scored.

The expanded control set reflects a more comprehensive view of cybersecurity program implementation: not just the highest-priority controls, but a full-coverage assessment of whether the organization has implemented a complete security program. HITRUST Inheritance has the greatest proportional impact on i1 — reducing external assessor billable hours by 23.4% in 2024. For cloud-native organizations on AWS or Azure, this translates to $10,000–$20,000 in avoided assessor fees.

When i1 Is the Right Choice

  • Your health plan or hospital system customers require HITRUST certification and have not specified r2 — i1 is the practical minimum for most health plan vendor contracts
  • You handle PHI in production systems and need a credential that satisfies health plan VRM programs comprehensively
  • You want a certification that simultaneously satisfies multiple customers with different VRM requirements — i1 is broadly accepted across health plan, hospital system, and government health program vendor credentialing programs
  • You are a SaaS vendor entering healthcare for the first time — i1 gives you a credential that will open most health plan vendor relationships
  • You are subject to New York SHIN-NY requirements or NYDFS 23 NYCRR Part 500 expectations

i1 Timeline Detail

  • Months 1–2: Scoping, readiness assessment, formal gap analysis against ~182 controls; Inheritance mapping
  • Months 2–5: Remediation — policy development across all applicable control categories; technical control implementation; risk assessment; BAA audit; tabletop exercise
  • Months 5–6: Internal readiness validation (mock assessment); evidence package preparation for MyCSF
  • Months 6–8: External assessor engagement; Validated Assessment; CAR remediation if required
  • Months 8–9: HITRUST Quality Review; certification award

i1 Annual Renewal: Bridge Assessment Option

i1's 1-year validity requires annual recertification. Organizations with mature, continuously maintained compliance programs can use the Bridge Assessment for annual renewal — a streamlined re-assessment verifying controls remain implemented and scope is unchanged. Bridge Assessments cost substantially less than full Validated Assessments. IHS structures initial i1 engagements to position clients for Bridge Assessment eligibility from year one.

HITRUST r2: When to Choose It

What r2 Covers

r2 covers 200+ controls with full five-level PRISMA maturity scoring. The PRISMA model evaluates:

  • Level 1 — Policy: Documented, approved, and distributed security policies covering the control domain
  • Level 2 — Procedure: Documented procedures implementing the policy, with assigned ownership
  • Level 3 — Implemented: Controls are operational and evidence demonstrates active implementation
  • Level 4 — Measured: Controls are monitored with defined metrics; management receives regular reporting on control effectiveness
  • Level 5 — Managed: Control performance is continuously improved based on measurement data; formal risk-based decisions govern control investment

The PRISMA requirement for Levels 4 and 5 is what fundamentally distinguishes r2 from e1 and i1. An organization can achieve i1 with well-documented, implemented controls. Achieving r2 requires demonstrating that those controls are actively measured, reported on, and continuously improved — an operational maturity standard, not just a documentation standard.

When r2 Is Required

  • Your health plan or hospital system customer contract explicitly specifies r2 (increasingly common for large health system integrations and federal health program contractors)
  • You are a PBM subject to CAA 2026 enforcement — $10,000/day civil monetary penalties for non-compliance are driving PBMs into r2 certification cycles
  • You handle extremely high PHI volumes or particularly sensitive data categories (behavioral health, substance abuse treatment, HIV status) where health plan VRM programs impose higher certification requirements
  • You are a health information exchange (HIE) — New York SHIN-NY and North Carolina NC HealthConnex impose HITRUST requirements on Qualified Entities and data exchange partners
  • You want the 2-year certification validity rather than annual renewal — r2's 2-year cycle can be more cost-efficient for large organizations where annual Validated Assessments are expensive
  • You are pursuing HITRUST as evidence of compliance with multiple regulatory frameworks simultaneously (HIPAA, NIST 800-53, ISO 27001) — r2's depth provides the most comprehensive cross-framework coverage

r2 Timeline Detail

  • Months 1–2: Scoping (complex — includes Inheritance mapping, carve-out analysis, scope boundary definition); initial readiness assessment
  • Months 2–4: Formal gap analysis against 200+ controls at PRISMA Level 4–5 maturity; remediation roadmap development
  • Months 4–10: Remediation — policy and procedure development; technical control implementation; measurement and reporting framework development; GRC tooling configuration if applicable
  • Months 10–11: Internal readiness validation (full mock PRISMA assessment); evidence package preparation
  • Months 11–13: External assessor engagement; Validated Assessment; CAR identification
  • Months 13–15: CAR remediation (if required); HITRUST Quality Review; certification award

r2 Internal Resource Requirements

r2 requires dedicated internal resources at a level qualitatively different from e1 or i1. Per Sprinto's 2026 cost guide:

  • Primary PM: 300–400 hours dedicated to HITRUST program management, assessor coordination, and evidence oversight
  • IT/DevOps SME(s): 150–200 hours covering technical controls across infrastructure, cloud, and application environments
  • HR SME: 150–200 hours covering personnel security, background checks, termination procedures, and security training documentation
  • Legal/Compliance SME: 150–200 hours covering BAA management, vendor risk management, privacy practices, and regulatory mapping
  • Executive/CISO: 50–100 hours for governance documentation, board-level security program charters, and management reporting

Organizations without a dedicated security program lead (CISO, Security Officer, or equivalent) typically struggle with r2 timelines. The PM role cannot be assigned to an engineer already running infrastructure — it requires someone who can own the compliance program across all 14 control categories for 12–15 months.

The Upgrade Path: e1 → i1 → r2

Organizations sometimes ask whether they can start at e1 and upgrade incrementally. The answer is yes — but the economics rarely favor it. Here is the practical analysis:

| Scenario | Total Cost | Total Timeline | Recommendation |
|---|---|---|---|
| e1 now, upgrade to i1 in year 2 | ~$35K–$50K + ~$70K–$120K = ~$105K–$170K | 3–4 months + 6–9 months = 9–13 months | Only if customers genuinely accept e1 in year 1 |
| i1 directly | ~$70K–$120K | 6–9 months | Preferred if customers require i1 |
| i1 now, upgrade to r2 later | ~$70K–$120K + ~$100K–$500K+ = ~$170K–$620K+ | 6–9 months + 12–15 months | Reasonable staging if r2 is future-state, not current requirement |
| r2 directly | ~$100K–$500K+ | 12–15 months | Preferred if r2 is current or near-term customer requirement |

The key principle: if you know your customers will eventually require a higher tier, start there. Each certification is a full Validated Assessment — there is no credit for prior tier work when upgrading. The only scenario where staging makes sense is when you have a genuine, confirmed customer acceptance of the lower tier for a defined period while you scale your internal program to support the higher tier.

Frequently Asked Questions

Can I switch from e1 to i1 mid-assessment?

No. Assessment tier is established at the time of MyCSF scope setup and cannot be changed mid-engagement without starting over. This is another reason accurate tier determination at the outset is critical — a mid-assessment tier upgrade means beginning again, with the prior work sunk.

Does i1 include all e1 controls?

Yes. The i1 control set includes all 44 e1 controls plus approximately 138 additional controls. An i1-certified organization has satisfied all e1 requirements by definition. Some organizations that initially certify at i1 find they over-prepared for certain e1 controls — this is preferable to under-preparing for i1 controls.

Is the r2 two-year validity worth the higher cost?

For large organizations where annual Validated Assessments are expensive (assessor fees of $100,000+ annually), the r2 two-year validity period represents genuine cost savings versus two i1 annual cycles. For smaller organizations where assessor fees are moderate, the cost difference between r2 and two i1 cycles is less compelling — the decision should be driven by what customers require rather than by cycle economics alone.

What happens to my e1 or i1 certification when I upgrade to r2?

Your prior e1 or i1 certification remains valid until its expiration — it is not revoked when you begin an r2 engagement. During an r2 engagement that spans 12–15 months, you would typically maintain your existing i1 certification by renewing it annually, then transition to r2 certification upon award. The two certifications coexist during the transition period.

How does HITRUST Inheritance affect each tier differently?

HITRUST Inheritance is available for all three tiers but has the greatest proportional impact on i1. In 2024, Inheritance reduced assessor billable hours by 23.4% on i1 and 14% on r2 (2025 HITRUST Trust Report). For e1, the 44-control scope limits the absolute Inheritance savings. Cloud-native organizations on AWS or Azure with extensive Inheritance eligibility should prioritize Inheritance mapping as the first step of any scoping engagement — before the external assessor is engaged and their scope is set.

Does the CSF version matter for tier selection?

The current standard is HITRUST CSF v11.7.0 (released December 18, 2025, HAA 2025-005). All three tiers use v11.7.0. New e1 and i1 assessments on legacy v11.6.0 are disabled after March 31, 2026, and all submissions on v11.6.0 are disabled after June 30, 2026. Tier selection is independent of CSF version: v11.7.0 applies to e1, i1, and r2 alike.

Work With IHS on Your HITRUST Assessment Selection

IHS helps healthcare vendors determine the correct certification tier based on what their specific customers require — not what is cheapest or fastest. We review your contracts, map your customer VRM requirements, assess your current control environment, and recommend a tier with a specific rationale. We do not recommend r2 to organizations whose customers accept i1, and we do not recommend e1 to organizations whose health plan contracts require i1.

Request a Tier Assessment Consultation