
HITRUST: i1 or r2 Certification?


A hot topic for conversation recently has to be the HITRUST release of their i1 certification. In this video, we're going to talk about what the i1 certification is and whether it makes sense for you to go for that one certification or to continue to do the r2 certification that we've all known in the past.

Hi, my name is Ryan Meehan. I'm a director here at Schellman, and I'm one of our healthcare practice leaders. A recent development in the HITRUST world has been the release of the i1 certification, standing for "implemented, one-year" certification. It's a static set of 219 requirements that all organizations could undergo and get a certification that is valid for one year.

The r2 is actually what used to be called the validated assessment. It stands for "risk-based, two-year" certification, and so that two-year certification, obviously lasting longer than the one year, is a bit more involved.

It looks at:

  1. Policy
  2. Procedure
  3. Implemented
  4. Measured and Managed (if those are categories that your organization goes for)

And so when you're trying to think of which one your organization should be doing, it's clear that the i1 is the "easier" bar, in quotes, for organizations to go through, right? It's focused just on whether or not you've implemented it, and it focuses on a static set of 219 requirements. With the risk-based r2, you could have upwards of 1,000 requirements based on your organization's risk factors. Now, at the end of the day, it really comes down to what your customers are going to be willing to accept. If your risk as an organization to that covered entity, or to whoever your customer is, as a business associate is deemed low, there's a good chance maybe they will accept the i1. But there's also a good chance that some organizations might say, "No, we view you as higher risk and you need to do an r2."

And so the best thing for you to do, to have this conversation, is actually to first go out and talk to your customers and understand what they're willing to accept and what they're not. And then the next step from there would be to reach out to us here at Schellman, fill out one of our forms, and we'd love to have a conversation with you about what the next steps are.

About Ryan Meehan

Ryan is a Senior Manager at Schellman. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.