
Think HITRUST Is Out of Reach? 

You’ve got questions about HITRUST. Let’s clear them up. We’re taking a practical look at what’s changed, who it’s for now, and how assessment really works. 

____ 

When organizations start exploring HITRUST, the same questions tend to surface. Is it too complex? Is it only for healthcare? Is it realistic for a small team? 

These are fair questions. But the answers are different than they used to be. 

____ 

HITRUST has expanded. Today it supports a wide range of industries and risk levels with certification pathways designed to meet organizations where they are. Edwards works with companies across various sectors, some just starting their cybersecurity journey and others with systems already in place. The goal is always the same. We help your organization identify the right assessment level and prepare with clarity and focus.

Most teams come in expecting the full-scale version of HITRUST, which makes sense because the framework has a reputation for being extensive. But once we walk through the certification levels and clarify what actually applies, the process becomes more approachable. “HITRUST isn’t a fixed path,” says Ryan Clarke. “It’s a flexible framework that can be applied to your systems, your risk profile, and your capacity. Once we establish that, the rest starts to move.”

We also see teams that weren’t even thinking about HITRUST until a client or vendor mentioned it. Maybe it showed up in a contract. Maybe a procurement checklist included it. These aren’t giant enterprises. They are startups, analytics firms, and health tech companies trying to meet expectations. That’s where we come in. 

____

There are three main certification levels. Each serves a different purpose and requires a different commitment.  

The e1 is the lightest. It focuses on fundamental cybersecurity practices through a set of 44 core controls. For small businesses or low-risk vendors, this is usually the right place to get started. Last year more than 50 percent of all HITRUST certifications issued were e1. That shift is important. It shows HITRUST is no longer a gated system reserved solely for large enterprises. It’s being used successfully by growing tech companies, small healthcare providers, and business service firms.

The i1 certification includes 182 controls and is built for modern threat environments and moderate risk. It works well for companies with recurring vendor assessments or those looking to scale over time. These are often teams that have internal security measures but want outside validation before going further through the certification process. The r2 is the most comprehensive and continues to serve organizations with large volumes of sensitive data.

All three levels are built upon the HITRUST CSF, which means work done at one level carries forward, making it easier to scale up if your risk profile changes. 

____ 

HITRUST experts at Edwards help organizations figure out where to start, how to move forward, and how to keep the process efficient. We offer readiness assessments, gap analysis, and advisory support throughout remediation. Our job is to give you a clear view of where you stand and what needs to happen next. No guesswork. No wasted effort.  

“It really comes down to understanding your environment, knowing what applies to you, and documenting it clearly,” Ryan says. “HITRUST is looking for proof that your security practices are in place and make sense for the kind of data you handle. You don’t need to overdo it. You just need to show that you’re doing the right things in a consistent way. We help make sure nothing important gets missed.” 
 
____ 
 
Certification builds trust. When it reflects real decisions, real controls, and a clear understanding of risk, it carries weight. HITRUST is structured, scalable, and achievable. With the right partner, the process becomes a whole lot clearer. 

Not sure which certification level fits your organization? Let’s figure it out together.