Why HITRUST matters for healthcare SaaS in 2026
If you're building software for US healthcare — EHR integrations, telehealth platforms, revenue cycle management tools, population health analytics, or anything that touches Protected Health Information (PHI) — you will eventually hit a HITRUST requirement. Not a HIPAA requirement. A HITRUST requirement. Enterprise healthcare buyers — health systems, payers, large physician groups — increasingly require HITRUST certification as a condition of doing business, not just HIPAA attestation.
The reason is straightforward: HIPAA compliance is self-assessed. Any vendor can say they're HIPAA compliant with no independent verification. HITRUST CSF (Common Security Framework) certification is third-party validated — an accredited external assessor reviews your controls against a standardized framework and HITRUST itself validates the results. That's a meaningful signal to a CISO at a large health system who's reviewing 50 vendor security questionnaires a year.
The question isn't whether to pursue HITRUST, but which level and when.
The three HITRUST certification levels — what each actually proves
e1 — Essentials (44 controls)
Launched in 2022, HITRUST e1 is the entry-level certification covering 44 controls focused on fundamental cybersecurity hygiene — the things every organization with internet exposure should have regardless of healthcare context. The e1 addresses MFA, endpoint protection, patch management, access controls, security awareness training, encryption, logging, incident response, and backup.
e1 is valuable as a starting point. It demonstrates you've cleared the absolute minimum cybersecurity bar. Some smaller healthcare buyers and mid-market health systems accept e1 for low-risk vendor relationships. However, most large enterprise healthcare buyers — major health systems, national health plans, government healthcare programs — require i1 or r2.
Timeline: 6–12 months from starting remediation to certificate. Total investment: $25K–$60K (MyCSF subscription + assessor fees + internal staff time).
i1 — Implemented (182 controls)
i1 is the level that enterprise healthcare buyers typically mandate for vendors handling PHI or ePHI. At 182 controls, it covers HIPAA Security Rule alignment, access management, third-party risk, business continuity, vulnerability management, and more — across 14 HITRUST control categories.
The i1 certification signals: we have implemented the foundational security controls and validated them with an independent assessor. It's the minimum viable HITRUST certification for most enterprise healthcare sales. If a hospital or health plan asks for HITRUST, they almost certainly mean i1 or higher.
Timeline: 12–18 months. Total investment: $60K–$150K (MyCSF + assessor + internal ISSO time).
r2 — Risk-Based (375+ controls)
r2 is the gold standard — the full HITRUST framework with 375+ controls, calibrated to your organization based on a scoping exercise that factors in organization size, regulatory requirements, and data types. r2 was the original HITRUST certification before the tiered model was introduced.
r2 is required by: major national payers (Blues plans, Aetna, United, Cigna), large Integrated Delivery Networks, federal healthcare programs, pharmaceutical companies, and research institutions handling sensitive health data. If you're selling upmarket to top-tier healthcare organizations, plan for r2.
Timeline: 18–24 months. Total investment: $150K–$350K.
How HITRUST maps to HIPAA — and why that matters
HITRUST was designed from the ground up to satisfy HIPAA Security Rule requirements while pulling in controls from ISO 27001, NIST SP 800-53, PCI DSS, and other frameworks. This means a HITRUST i1 or r2 assessment inherently addresses your HIPAA obligations — it's not two separate exercises.
Key HITRUST domain to HIPAA Security Rule mapping:
| HITRUST Domain | Key HITRUST Controls | HIPAA Security Rule | Requirement |
|---|---|---|---|
| Access Control (01) | 01.a, 01.b, 01.d | §164.312(a)(1) | Unique user IDs, emergency access, automatic logoff, encryption/decryption |
| Compliance (06) | 06.a, 06.d | §164.308(b)(1) | Business Associate Agreements, regulatory identification |
| Risk Management (11) | 11.a | §164.308(a)(1)(ii)(A) | Risk Analysis — the #1 OCR audit finding |
| Incident Management (12) | 12.a, 12.c | §164.308(a)(6) | Security incident procedures, breach notification |
| Communications & Operations (09) | 09.v, 09.ab, 09.l | §164.312(b), §164.308(a)(1)(ii)(D) | Audit controls, information system activity review |
| Business Continuity (13) | 13.c | §164.308(a)(7) | Data backup plan, contingency plan |
When a healthcare enterprise buyer asks for HITRUST, they're implicitly asking you to demonstrate HIPAA alignment through an independent, standardized lens. A successful HITRUST assessment is strong evidence of a robust HIPAA compliance program.
What enterprise healthcare buyers actually require
Healthcare enterprise procurement processes have formalized around HITRUST in the last five years. Here's what different buyer categories typically require:
- Health systems (large, 500+ beds): Typically i1 for operational SaaS; r2 for core clinical systems
- National payers (Blue Cross/Blue Shield plans, United, Aetna, Cigna): r2 almost universally for any vendor handling member PHI
- Mid-market health systems (100–500 beds): Often accept i1; some accept e1 + SOC 2 Type II for lower-risk vendors
- Physician groups and specialty clinics: SOC 2 Type II + HIPAA attestation usually sufficient; HITRUST emerging
- Federal healthcare programs (CMS, VA, DoD TRICARE): FedRAMP + HITRUST combination required
The practical implication: if your ICP (Ideal Customer Profile) is large health systems or national payers, budget for r2 from the start. If you're targeting mid-market health systems, i1 gets you to the table.
The HITRUST assessment process — what actually happens
HITRUST certification is managed through the MyCSF platform (mycsf.net). Here's the process:
- MyCSF subscription and scoping: You subscribe to MyCSF ($10K–$30K/year depending on level) and complete a scoping exercise. The scoping determines which controls apply based on your organization profile — regulatory requirements, industry, data types, size.
- Self-assessment in MyCSF: For each applicable control, you provide implementation evidence and score yourself on HITRUST's 5-level maturity scale: Policy → Procedure → Implemented → Measured → Managed. For i1, you're assessed at the Implemented level.
- External assessor engagement: You select a HITRUST Authorized External Assessor (listed at hitrustalliance.net). They review your self-assessment, conduct interviews, and perform technical testing. Assessor fees are the largest cost component.
- Security Assessment Report (SAR) and validation: The assessor submits their findings to HITRUST directly through MyCSF. HITRUST validates the assessment — this is unique to HITRUST vs. SOC 2, where the auditor issues the report directly.
- Certificate or CAPs: If all controls are at the required maturity level, HITRUST issues a certificate. Controls that fail receive Corrective Action Plans (CAPs) — you remediate, resubmit evidence, and HITRUST validates before issuing the certificate.
Timeline from assessor engagement to certificate: 3–6 months for i1, 4–8 months for r2. Build in additional time for CAP remediation.
HITRUST vs SOC 2 — which do you need?
This is the question every healthcare SaaS founder asks. The honest answer: for healthcare enterprise sales, SOC 2 alone is often insufficient, and HITRUST alone is sometimes too heavyweight for a startup. Many companies end up with both.
| Dimension | SOC 2 Type II | HITRUST i1 | HITRUST r2 |
|---|---|---|---|
| Healthcare buyer acceptance | Mid-market; not top tier | Most enterprise health systems | National payers; large IDNs |
| HIPAA coverage | Indirect (CC6/CC7 overlap) | Direct HIPAA alignment | Full HIPAA Security Rule |
| Timeline | 6–12 months | 12–18 months | 18–24 months |
| Total cost | $20K–$80K | $60K–$150K | $150K–$350K |
| Third-party validation | Yes (AICPA-accredited CPA firm) | Yes (HITRUST Authorized Assessor + HITRUST validation) | Yes (same) |
| Renewal | Annual | Annual surveillance + 2-year recertification | Annual surveillance + 2-year recertification |
Practical recommendation: if you're pre-Series A and selling to mid-market healthcare, start with SOC 2 Type II + HIPAA SRA. When you start hitting enterprise deals that require HITRUST, pursue e1 or i1. SOC 2 evidence maps significantly to HITRUST i1 controls, so it's not wasted work.
The most common HITRUST assessment gaps
Based on HITRUST assessment patterns, these are the most common control gaps that result in CAPs:
- MFA coverage (01.d): MFA enabled but not enforced. Self-service bypass options. No coverage for service accounts. Shared admin accounts.
- Risk analysis (11.a): HIPAA risk analysis never formally conducted, or conducted years ago without update. This is ALSO the #1 OCR HIPAA audit finding — two compliance wins in one.
- BAA inventory (06.d): BAAs not executed with all subprocessors and subcontractors handling PHI. Most common miss: cloud infrastructure providers (AWS/Azure/GCP), analytics tools, monitoring services.
- Access review evidence (01.q): Quarterly access reviews claimed but not evidenced. You need exported reports showing review dates, reviewers, and the access changes made as a result.
- Security awareness training completion (07.d): Training policy exists but completion rates below 95%, or training content not HIPAA-specific for healthcare workforce.
- Breach notification procedures (12.c): General IRP exists but HIPAA 60-day breach notification to HHS and affected individuals not specifically addressed.
Practical starting point for healthcare SaaS founders
Sequence of steps if you're starting from scratch:
- Conduct a HIPAA Security Risk Analysis (§164.308(a)(1)) — use the free HHS SRA Tool or our HIPAA SRA Generator
- Execute BAAs with all subprocessors handling PHI
- Enforce MFA across all systems — remote access, email, privileged accounts
- Deploy endpoint protection (EDR) on all company devices
- Enable centralized audit logging
- Document an Incident Response Plan with HIPAA breach notification procedures
- Test backup restoration
- Complete HITRUST e1 self-assessment in MyCSF as a gap analysis
- Engage a HITRUST Authorized External Assessor for e1 or i1 as budget allows
For a structured readiness assessment covering all HITRUST CSF control domains relevant to your certification level, use the HITRUST CSF Readiness Assessment Generator. For your HIPAA Security Risk Analysis, use the HIPAA Security Risk Assessment Generator. For your Incident Response Plan with HIPAA breach notification procedures, use the Incident Response Plan Generator.