How to Scope Your HITRUST Assessment: 5 Components to Consider

If you don’t already play, a basic game of darts starts you with a sum of points. The idea is to hit spots on the board worth more points that you’ll subtract from your starting total, with the bullseye being worth the biggest deduction. The player who reaches zero first wins. 

Darts can be a frustrating game for those of us amateurs who just play at the local pub, but admittedly, it’s probably still more fun than a HITRUST certification. Still, when you’re scoping said assessment, the idea is much the same as the game—rather than points, you need to “subtract” the parts of your organization that aren’t in-scope before you can proceed. 

But how to do that? How to know what is in scope for your organization? 

In this article, we’ll try to help you understand exactly that. Scoping is critical for every compliance initiative, and when it comes to HITRUST, there are several components you should consider. We’ll outline five of the big ones in detail.

As HITRUST assessors ourselves, we’ve helped clients through this process many times, which has given us insight into the commonalities we now want to share with you. Having read this, you’ll be in a better position to answer that major question and nail the bullseye of certification as you move forward.

Five Factors That Can Affect Your HITRUST Scope

So what are these different facets that you should consider when determining what’s in and what’s out? Here’s a bird’s eye view to start:

  1. Type of HITRUST Assessment
  2. Systems/Platforms
  3. Facilities
  4. Outsourced Services
  5. HITRUST Factors 

Let’s go into detail on each of these items. 

1. What Type of HITRUST Assessment Do You Want?

This is one of the most important factors to consider because, other than scope, it is probably the largest determinant of your process. You have the following options for your assessment:

  • HITRUST Basic, Current-State (bC) Assessment;
  • HITRUST Implemented, 1-year (i1) Validated Assessment; or
  • HITRUST Risk-Based, 2-year (r2) Validated Assessment.

If you haven’t already chosen a direction here, let’s explore each and why your organization might choose one of these specific paths:

HITRUST Basic, Current-State Assessment

This Verified Self-Assessment can help introduce you to the HITRUST CSF, but HITRUST does not offer certification for it.

Who Should Get This Type of Assessment? The bC focuses on good security hygiene controls in virtually any size of organization. It features a streamlined approach to evaluation, which works for rapid and/or low assurance requirements.

  • The bC Assessment can also help you gauge your preparedness to undergo the i1 Validated or r2 Validated Assessments.
  • Or, if you plan to use the HITRUST CSF as your standard framework, this can strengthen your required “focus on good security hygiene controls.”

HITRUST Implemented, 1-year (i1) Validated Assessment

The i1 Validated assessment type evaluates your organization’s system or platform against a standard set of 219 controls that leverage security best practices and threat intelligence.

(Note: To address emerging cyber threats, the number of requirements included in the i1 Assessment could change over time.)

HITRUST will certify this assessment and, if you do become certified, it’s good for one year. This assessment addresses a need for a continuously relevant cybersecurity assessment that aligns and incorporates best practices. It also leverages the latest threat intelligence to help you stay ahead of information security risks and rising cyber threats, such as ransomware and phishing.

Who Should Get This Type of Assessment? This is a threat-adaptive assessment focused on best security practices with a more rigorous approach to evaluation, so it’ll work for more moderate assurance requirements.

  • If you choose the i1, it may be because you’re contractually obligated to do so; however, organizations that go the i1 route are those seeking an assessment that remains relevant over time with a moderate level of assurance.
  • Your clients will determine whether those “moderate” requirements of the i1 are satisfactory, or if the r2 Assessment is required.

HITRUST Risk-Based, 2-year (r2) Validated Assessment

The r2 Validated assessment type evaluates your organization’s system or platform on a comprehensive risk-based approach.

If this certification is achieved, it’s valid for two years, assuming certain conditions are maintained.

Who Should Get This Type of Assessment? There are several reasons you might undergo this one, which include, but are not limited to:

  • New market offerings by your organization;
  • Contractual obligation; or
  • To obtain a better understanding of the system and organizational risks present in your environment.

The type of report will also affect your eventual scope in different ways:


  • Should you choose a Basic assessment, you’ll have more flexibility. Because this one is not submitted to HITRUST for certification, your scope can even change during your assessment to help you adjust to what you discover.
  • With the i1, you’ll have a static, defined number and type of controls. The only adjustment you’ll make to your scope will be choosing which systems or platforms are to be certified.
  • In a little reversal, the r2’s requirements are dynamic and depend directly on which systems or platforms you choose. Each application or platform may have different system requirements and inputs, which may affect both the number and the difficulty of the requirements in your assessment.

This is a very high-level overview of all your options, but if you’d like a little more detail, read our separate article for the full deconstruction of the types of HITRUST assessments. HITRUST also offers information on the subject, if you’re interested. 

2. What Systems/Platforms Should Be in Scope for Your HITRUST Assessment?

Now that you know what type of HITRUST assessment you want and need to select, this is your natural next step. 

Importantly, HITRUST only certifies implemented systems and platforms; it will not certify the entire organization or systems in development.

With that being said, there are a few qualifying questions you can ask when deciding which of your systems to include:

  • Do your clients rely on this system or platform? If so, that system or platform should be in-scope.
  • Is critical client data being stored, transmitted, received, or processed within the system? Again, if so, this system should be in-scope.
  • Is the system or platform critical to the operation of your organization? If so, that doesn’t mean the system should be included. But if it is critical to your operation, it’s definitely worth an extra look. 

One thing we will say about what systems to not include in your HITRUST certification scope—we recommend not adding auxiliary platforms to your assessment. While there may be some benefit to including them, it’s also likely that working with those systems may unnecessarily complicate the work and cause serious delays in your process of getting HITRUST certified. 

3. What Facilities Should Be in Scope for Your HITRUST Assessment?

Typically, this question is much easier to answer than those first two. But you should definitely figure out your assessment type and systems to include before deciding on this. 

Generally, you should include in your HITRUST scope those facilities that store, process, or transmit data to and from the scoped system(s) or platform(s). That may mean a few different locations, including places like internally-hosted data centers, offices, call centers, processing facilities, or others.

4. What Outsourced Services Should Be in Scope for Your HITRUST Assessment?

Partnering with third parties is very common these days. Figuring out how they factor into your compliance projects can be complicated, but for HITRUST it works like this:

  • For i1 Validated assessments, you can carve third parties out (meaning, they are not in-scope).
  • For the r2 Validated assessments, however, you must include any third-party services provided to the scoped system or platform and facilities as part of your overall assessment.
    • That includes SaaS providers, cloud providers, shredding services, IT service providers, outsourced development providers, and others. 

It’s important to restate that not every third party you use should be included in the assessment, only those that affect your in-scope systems or platforms.

So, if your organization outsources the accounting department, but that unit does not have access to the scoped system or platform, you wouldn’t include them in your HITRUST certification assessment. 

5. What HITRUST Factors Are You Including in Your HITRUST Assessment?

If you’re thinking you’ll do the i1 Validated assessment, you can skip this section. 

But if you do opt for the r2 Validated assessment, you’ll also have to select factors from the HITRUST MyCSF application. The factors you choose will affect the magnitude and number of the implementation requirements you’ll be assessed against, which will affect your scope.

The factors include, but are not limited to:

  • Organization type;
  • Number of records held;
  • Records accessible by third-party personnel; and
  • Records accessible from the internet. 

You can select different “Regulatory Factors” as well, such as CMMC, HIPAA, FISMA, and others. HITRUST has developed a MyCSF Help User Guide to help you understand HITRUST’s interpretation of many different factors. 

Next Steps for Your HITRUST Certification

Maybe you’ve seen an opportunity to enter a market through HITRUST certification, or maybe your organization is required to achieve HITRUST certification based upon a contractual obligation. Whatever the reason, the journey to HITRUST certification may seem as daunting as throwing a bullseye at the dartboard. 

But it’s a little less so now that you have a basic understanding of how to go about scoping your assessment, one of the most critical decisions you’ll need to make. To maintain your momentum on this journey, read our other HITRUST content to simplify your process even further.

About the Author

Michael Seegel

Michael Seegel is a Manager with Schellman. Prior to joining Schellman in August 2018, Michael worked as an IT Audit Manager, specializing in managing SOC 1 & 2 Type II engagements. Michael also has prior experience performing HITRUST assessments, ISO 27002 audits, IT SOX compliance, and ERP implementations. As a manager at Schellman, Michael primarily focuses on performing HITRUST assessments for organizations in or doing business with healthcare organizations. Michael currently holds the CPA, CISSP, CISA, and CCSFP certifications.
