This post was written by Ryan Redden, General Counsel at Redox.
Earning a HITRUST badge is truly a significant accomplishment. That badge is the result of hundreds or thousands of hours of painstakingly creating processes, procedures, and documentation for how to safeguard sensitive data. Organizations rely on the HITRUST badge to communicate to their prospects and customers that they prioritize data protection and can be trusted to do the right thing.
But the badge alone doesn’t capture how an organization manages risk day to day, and it shouldn’t.
Three badges, three different HITRUST journeys
A HITRUST badge might get you in the door, but it's just the beginning. With three distinct levels (e1, i1, and r2), each badge tells a different story about an organization's security posture and how well equipped it is to handle risk.
An e1 badge tells the world that an organization is newer to data security but is starting off on the right foot. It shows basic compliance with a fixed set of 44 foundational controls. e1 is most appropriate for newer start-ups and groups that handle low-risk data. This one-year certification is attainable with relatively low effort.
An i1 badge demonstrates that you're well down your path, investing heavily in compliance and cybersecurity. The controls tested against are a set curated by HITRUST against the current threat landscape (the same set for every i1 assessment, rather than one tailored to your organization), and they number in the low hundreds. This badge is appropriate for a mid-sized company dedicated to industry best practices.
An r2 badge is for the well-worn traveler, where compliance and cybersecurity are ingrained in systems and culture. The controls tested for this badge number in the mid to high hundreds and are specifically tailored to an organization's risk profile. r2 is the standard for mature companies in highly regulated industries that deal in large volumes of the most sensitive data.
Decoding the details behind HITRUST scores
These badges, no matter how hard-earned, should only be the start of the conversation when evaluating whether a vendor can be trusted with your most sensitive data, especially protected health information (PHI).
To assess your risk with competing vendors, look beyond the badge. The average r2 assessment contains 385 controls and, in 2024, carried an average of 8.6 corrective action plans (CAPs).
If HITRUST certification were a test, each of those dozens or hundreds of controls would be a question. Obtaining certification and displaying the badge simply shows that a company achieved a minimal passing score; it says nothing about which questions were missed.
When assessing a vendor, these questions can be helpful to get the full picture:
- How many controls has your organization been tested against?
- What was your average score in each control domain?
- How many CAPs were you tasked with? What were they?
- What are your remediation plans?
Digging into CAPs is especially useful when evaluating vendors. The presence of a CAP alone does not tell the full story, and many can be easily explained or remediated. CAPs should kick off a conversation and give insight into what a company prioritizes, its overall security posture, and its gaps. Its remediation plans will show its path forward and its dedication to continuous improvement.
Together, these answers reveal the bigger picture and help you assess the real risk of sharing your data.
Go beyond the badge
While a HITRUST badge marks the end of an audit, it’s only the beginning of a meaningful risk conversation.
To truly evaluate a vendor, go beyond the badge: ask deeper questions, understand the context, and make sure you’re entrusting your data to a partner who treats security as more than a checkbox.