HITRUST: i1 or r2 Certification?

A hot topic for conversation recently has been HITRUST's release of its i1 certification. In this video, we're going to talk about what the i1 certification is and whether it makes sense for you to go for that certification or to continue with the r2 certification that we've all known in the past.

Hi, my name is Ryan Meehan. I'm a director here at Schellman, and I'm one of our healthcare practice leaders. A recent development in the HITRUST world has been the release of the i1 certification, which stands for "implemented, one-year" certification. It's a static set of 219 requirements that any organization could undergo to get a certification that is valid for one year.

The r2 is what used to be called the validated assessment. It stands for "risk-based, two-year" certification, and that two-year certification, lasting longer than the one-year, is a bit more involved.

It looks at:

  1. Policy
  2. Procedure
  3. Implemented
  4. Measure to manage (if those are categories that your organization goes for)

And so when you're trying to decide which one your organization should be doing, it's clear that the i1 is the "easier" bar for organizations to clear, right? It's focused only on whether or not you've implemented the controls, and it covers a static set of 219 requirements. With the risk-based r2, you could have upwards of 1,000 requirements based on your organization's risk factors. Now, at the end of the day, it really comes down to what your customers are going to be willing to accept. If, as a business associate, your organization is deemed low risk to that covered entity or whoever your customer is, there's a good chance they will accept the i1. But there's also a good chance that some organizations might say no, we view you as higher risk and you need to do an r2.

And so the best thing for you to do, to have this conversation, is actually to first go out and talk to your customers and understand what they're willing to accept and what they're not. The next step from there would be to reach out to us here at Schellman and fill out one of our forms, and we'd love to have a conversation with you about what the next steps are.

About the Author

Ryan Meehan

Ryan is a Senior Manager at Schellman & Company, LLC. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.
