HITRUST Introduces e1 and i1 Combined Assessments

HITRUST introduced a “combined assessment” option for e1 and i1 assessments. This option allows organizations to have authoritative source requirements included in their validated assessments along with their assessment of the “core” e1 or i1 HITRUST requirement statements. 

HIPAA (including the security, privacy, and breach notification rules) and the NIST AI Risk Management Framework (AI RMF) are the two authoritative sources currently eligible for the combined assessment. HITRUST says additional frameworks could soon be eligible for the combined assessments, including GDPR, StateRAMP, and NIST 800-53. If your organization would like other authoritative sources to be considered for eligibility, let HITRUST know through this forum.

How HITRUST Combined Assessments Work

When companies combine their e1 or i1 validated assessment with the HITRUST CSF requirements mapping to an authoritative source, they receive an Insights Report for the authoritative source in addition to their HITRUST CSF Report. Insights Reports focus on the additional framework requirements included in the HITRUST assessment. Businesses can share these reports with stakeholders, customers, and prospects to demonstrate a level of compliance with HIPAA, AI RMF, or other frameworks that become eligible for combined assessments.

Here is a sample HIPAA Insights Report.

There are additional costs for HITRUST combined assessments: each included compliance factor requires the purchase of an Insights Report credit.

Choosing a combined assessment does not change the e1 and i1 certification criteria. Only the scores for the core e1 or i1 requirement statements are included in the score calculation. The average score in each domain must be greater than or equal to 83 for certification. 

CompliancePoint is an authorized HITRUST CSF Assessor. Our experienced team of healthcare and cybersecurity professionals can guide you through every step of your HITRUST certification. We also help organizations comply with all HIPAA and MARS-E requirements. Contact us at connect@compliancepoint.com to learn more.
