The HITRUST Compliance Readiness Checklist
Getting HITRUST certified is a big investment. Compared to other security frameworks, HITRUST is significantly more expensive, time-consuming, and resource-intensive. The process can take anywhere from 6 to 18 months to complete, requiring deep documentation, detailed security assessments, and ongoing coordination across teams.
But with that extra rigor comes serious credibility.
HITRUST holds more weight in the market than many other certifications because it’s so thorough. For organizations in highly regulated industries—particularly in healthcare, where handling sensitive patient data is core to the business—HITRUST isn’t simply a report you share as a part of procurement. It’s a competitive differentiator and a signal of security maturity.
At Workstreet, a Vanta partner, we bring over a decade of experience navigating the complexities of HITRUST certification. As former founders of one of the first startups to achieve HITRUST certification, our experience has shaped our approach to guiding companies through this rigorous process. Our founders have spoken at the HITRUST conference five times, and we are founding members of the HITRUST Third-Party Assurance Council. We also wrote and open-sourced HITRUST-aligned policies and procedures used by hundreds of companies. Currently supporting over 20 customers with their HITRUST certifications, we understand the nuances that make the difference between success and frustration.
This readiness checklist is designed to help you lay the groundwork before diving into the certification process. By getting your controls, documentation, and stakeholders aligned early, you’ll be in a much stronger position when it’s time to work with a HITRUST assessor or submit to the HITRUST MyCSF.
Choosing the right HITRUST assessment type
HITRUST offers three types of assessments to meet organizations at different maturity levels and assurance needs. We recommend building a high-level HITRUST roadmap to target and progress through the different maturity levels.
e1 (Essential 1)
The e1 assessment is HITRUST's entry-level offering, providing a streamlined path to demonstrate basic security controls. This is ideal for companies just beginning their compliance journey, startups looking to establish baseline security credibility, or companies that need to show foundational security measures without the full rigor of more advanced assessments. We recommend starting here unless contractual obligations require a higher level.
i1 (Implemented 1)
The i1 assessment offers a middle ground, with more thorough requirements than e1 but less complexity than r2. This level is suitable for companies that need to demonstrate stronger assurance to customers and partners but aren't yet ready for the comprehensive r2 assessment. While some organizations benefit from this intermediate step, we often recommend progressing directly from e1 to r2 when possible, depending on your scope and business needs.
r2 (Risk-based 2)
The r2 assessment is HITRUST's most comprehensive option, delivering the highest level of assurance. The r2 is fully scoped to your company, meaning the number of controls, level of effort, and cost depend on your company, data, and risk. This rigorous assessment is necessary for organizations handling sensitive data, serving enterprise clients with strict security requirements, or operating in heavily regulated industries like healthcare. While r2 requires significant resources and preparation, it offers the strongest market differentiation and compliance coverage.
HITRUST compliance-readiness checklist: