# HITRUST Certification Levels: e1, i1, and r2 Explained

HITRUST introduced a tiered certification structure in recent years to make certification accessible to more organizations while preserving the rigorous r2 certification for high-risk environments. Understanding the differences between e1, i1, and r2 is essential for choosing the right certification path.
## Overview of the Three Levels

| Feature | e1 | i1 | r2 |
|---|---|---|---|
| Number of requirements | 44 | ~182 | 200+ (risk-tailored) |
| Validity period | 1 year | 1 year | 2 years |
| Interim assessment | No | No | Yes (year 1) |
| Focus | Essential controls | Leading practices | Comprehensive, risk-based |
| Typical assessment timeline | 2–4 months | 3–6 months | 6–12 months |
| Typical total cost (first time) | $50K–$150K | $100K–$300K | $200K–$600K+ |
| Market acceptance | Growing | Growing | Widely accepted |
## e1: Essential, 1-Year

The e1 certification covers 44 mandatory requirements representing the most essential cybersecurity practices. It was designed to be a meaningful but achievable certification for smaller or lower-risk organizations that are earlier in their compliance journey.

e1 is appropriate when:

- Your customer requires HITRUST but accepts e1 (becoming more common)
- You’re newer to formal compliance and want to build a foundation
- Your organization handles lower-risk PHI
- You want to demonstrate baseline cybersecurity hygiene quickly

e1 limitations:

- Not accepted by all health systems (some specifically require r2 or i1)
- Covers fewer controls than i1 or r2
- Must renew annually

**What e1 requires:** The 44 requirements span all 19 HITRUST domains and focus on the most fundamental controls: multi-factor authentication, encryption, vulnerability patching, access controls, antivirus/EDR, and basic policies. Every organization that holds any HITRUST certification must meet all 44 e1 requirements — they are a subset of i1 and r2.
## i1: Implemented, 1-Year

The i1 certification covers approximately 182 requirements based on leading cybersecurity practices across the healthcare sector. It is designed for organizations that have implemented meaningful security controls and want a more rigorous certification than e1 without the full complexity of r2.

i1 is appropriate when:

- Your customer accepts i1 and you’re not yet ready for r2
- You want a more rigorous certification than e1 as a stepping stone to r2
- Your organization handles moderate-risk PHI in a well-defined scope
- You want annual certification with a faster turnaround than r2

**i1 versus e1:** The i1 adds approximately 138 requirements beyond e1’s 44, covering areas like detailed configuration management baselines, more rigorous access control, network segmentation, and more formal risk management and third-party oversight processes.
## r2: Risk-Based, 2-Year

The r2 is the flagship HITRUST certification and the most widely recognized in the market. It covers 200+ requirements tailored to your organization’s specific risk factors, determined through a scoping process that considers your organization’s size, regulatory environment, and the sensitivity of the data you handle.

r2 is appropriate when:

- Your customer specifically requires r2 (common for large health system contracts)
- You handle high-sensitivity PHI at scale
- You want the most defensible and widely recognized HITRUST certification
- You are seeking a 2-year certification (vs. annual renewal for e1/i1)

**The r2 scoping process:** Before the r2 assessment begins, HITRUST uses a scoring tool to determine which controls apply to your organization based on risk factors. Factors that increase the number of requirements include:

- Larger organization size
- Regulated industries (handling PHI subject to HIPAA, HITECH)
- More complex IT environments (on-premises data centers, many systems in scope)
- Higher data sensitivity levels

**r2 interim assessment:** r2 certification is valid for 2 years. At the midpoint (year 1), organizations must complete an interim assessment that validates the continued effectiveness of approximately 40% of the r2 controls. Passing the interim assessment maintains certification through year 2; failing triggers remediation and a possible reassessment.

## Choosing the Right Level

The decision primarily comes down to what your customers require:

**Ask your customer specifically what HITRUST level they require.** Many organizations that say “we require HITRUST” will accept i1 or even e1.

**Match your level to your risk profile.** If you’re a small health tech company with a well-defined scope and a solid existing security program, i1 may be the right starting point. If you’re a large enterprise health IT vendor, r2 is likely expected.

**Plan your roadmap.** Many organizations start with e1 to establish the foundation, then progress to i1, then r2 as their program matures. HITRUST is designed to support this progression.
## How Espresso Labs Helps

Espresso Labs helps organizations achieve HITRUST certification at any level by implementing and maintaining the required technical controls as a managed service. We also help you navigate the certification level decision, scope the assessment appropriately, and work with a HITRUST-authorized assessor. Contact us to discuss your HITRUST certification path and get a timeline and cost estimate.