When a healthcare provider or tech company says they’re “HITRUST certified,” that statement doesn’t tell the whole story. The reality is more nuanced than a simple yes-or-no badge. HITRUST operates on a three-tier system, and the level a company achieves reveals quite a bit about their security commitment, resources, and the trust their partners should place in them.
Most businesses outside the compliance world don’t realize these distinctions exist. They see the HITRUST logo and assume all certifications carry equal weight. They don’t.
What HITRUST Actually Measures
HITRUST CSF (Common Security Framework) pulls together requirements from multiple standards—HIPAA, NIST, ISO, PCI DSS, and others—into one consolidated assessment. Instead of juggling separate audits for different regulations, organizations can use HITRUST as an umbrella framework that addresses multiple compliance needs simultaneously.
The framework evaluates hundreds of control requirements across security domains. Everything from access controls and encryption standards to incident response procedures and vendor management gets scrutinized. But here’s where it gets interesting: not every organization needs to meet every requirement at the same depth.
That’s where the levels come in.
The Three Tiers Everyone Gets Wrong
HITRUST offers three distinct certification levels, each with different validation requirements and different signals about organizational maturity.
The i1 Assessment (formerly called “self-assessment”) represents the entry point. Companies complete the assessment themselves and submit it directly to HITRUST. There’s no third-party validation at this level. Organizations answer questions about their controls, provide evidence, and HITRUST reviews the submission. No external auditor comes in to verify the claims. For many organizations just starting their compliance journey, exploring the HITRUST certification levels helps clarify which tier makes sense based on their current operations and customer requirements.
The i2 Assessment adds a layer of credibility. Here, an authorized external assessor—someone with HITRUST training and credentials—validates the organization’s responses and evidence. This person acts as an independent verifier, reviewing controls and confirming that what the company claims matches reality. The i2 level costs more and takes longer, but it carries more weight with partners and customers who want assurance beyond self-reporting.
The r2 Certified Assessment sits at the top. This is the full certification that most people think of when they hear “HITRUST certified.” It requires the most comprehensive review, the most rigorous evidence collection, and validation by an external assessor. The r2 process typically takes organizations months to complete and requires detailed documentation across all in-scope systems and processes. Companies pursuing r2 certification often have mature security programs already in place.
Why Companies Choose Different Levels
The decision isn’t always about picking the “best” option. Different factors push organizations toward different tiers.
Startups and smaller companies often begin with i1. The cost is lower—sometimes 70-80% less than r2—and the time investment is more manageable. For a company with 20 employees trying to land their first healthcare client, i1 might open the door. It demonstrates they’ve at least mapped their controls to a recognized framework.
Mid-sized organizations with established security programs but limited compliance budgets frequently opt for i2. They want external validation to differentiate themselves from i1 companies, but they’re not ready for the resource commitment that r2 demands. This middle ground satisfies many business requirements without breaking the bank.
Larger enterprises, especially those working with major health systems or health insurance companies, typically need r2. Many contracts explicitly require r2 certification. Some organizations won’t even consider vendors without it. The pharmaceutical industry, major hospital networks, and large payers have all started adding r2 requirements to their vendor agreements.
What Each Level Actually Proves
An i1 assessment proves an organization knows the questions to ask itself. It shows the organization has inventoried its controls and understands where it stands against the framework. But it doesn’t prove those controls work as described. Think of it as homework that never got checked by a teacher.
An i2 assessment proves someone with expertise looked at the evidence and agreed the controls exist as claimed. The external assessor brings credibility, asking tough questions and pushing back on insufficient documentation. Organizations can’t just say they encrypt data—they need to show configuration files, policy documents, and proof of implementation.
An r2 certification proves an organization runs a mature, documented security program that withstands deep scrutiny. The certification includes continuous monitoring requirements and regular reassessments. Companies can’t just pass once and coast—they need to maintain those controls year-round.
The Problem With Level Shopping
Some companies try to game the system. They’ll pursue i1 when they really need i2, hoping partners won’t notice or care. This strategy backfires more often than it succeeds.
Procurement teams at major organizations have gotten savvy. They know the differences between levels now. Contract templates increasingly specify “r2 certified” rather than just “HITRUST certified.” When a vendor shows up with i1 and the RFP required r2, that vendor gets eliminated regardless of how good their product might be.
There’s also the issue of false confidence. A company that squeaks through i1 might believe their security is solid, but without external validation, gaps remain hidden. Those gaps become expensive problems when breaches occur or real audits uncover deficiencies.
When Moving Up Makes Sense
Organizations shouldn’t stay at one level forever. As companies grow and mature, their certification level should progress with them.
The natural progression often looks like this: start with i1 to learn the framework and get initial certification. Use that year to strengthen controls and build better documentation. Move to i2 the following cycle to add external validation. Finally, pursue r2 when business requirements demand it or when the organization is ready for that level of rigor.
This stair-step approach lets companies build capability gradually rather than trying to jump straight to r2 before they’re ready. Attempting r2 too early leads to failed assessments, wasted money, and demoralized teams.
The Cost-Benefit Reality
Here’s what nobody likes to talk about: HITRUST certification at any level is expensive and time-consuming. Even i1 requires significant effort. Organizations need to budget for assessment fees, potential consulting support, tool purchases, and internal labor.
But the alternative—losing major contracts because you lack the right certification—costs more. Healthcare vendors without appropriate HITRUST levels find themselves shut out of entire market segments. The certification becomes table stakes rather than a competitive advantage.
Smart companies view the investment as business enablement rather than compliance overhead. The right certification level at the right time opens doors that would otherwise remain closed.
What This Means for Security Culture
The certification level a company pursues reflects its security culture. Organizations that aim for r2 from the start tend to have executive buy-in and adequate resources. Companies that resist moving beyond i1 often struggle with security investment decisions across the board.
Partners and customers pick up on these signals. A vendor’s HITRUST level becomes a proxy for how seriously that vendor treats security overall. Fair or not, that perception shapes business relationships and contract negotiations.
The framework’s tiered approach acknowledges that one size doesn’t fit all. But it also creates a transparency mechanism that lets the market separate serious security programs from checkbox compliance.