The HITRUST e1 Assessment Explained: What You Need to Know
Published: Sep 7, 2023
Last Updated: Dec 11, 2025
Over the past couple of years, HITRUST has expanded exponentially to become an all-encompassing certification that can be achieved by a wide variety of industries and organizations. When HITRUST endeavored to become more accessible to more institutions, they introduced alternatives to the now-typical 2-year (r2) certification.
One of HITRUST's most notable expansions is a lower-effort validated cybersecurity assessment option they have designated as their HITRUST Essentials, 1-year (e1) Assessment.
As experienced HITRUST assessors, we’re going to explain the basics of this assessment option, including its benefits and a high-level comparison of all three HITRUST assessments. The e1 option represents an exciting opportunity for those who have perhaps not yet committed to HITRUST certification—read on to find out if it’s the right move for you.
What is the HITRUST e1 Assessment?
Presuming you’re familiar with the HITRUST i1 and r2 assessments, the e1 assessment offers clients a certification alternative that is significantly lower effort and cost than the typical r2 assessment.
Like its siblings—the i1 and r2—the e1 is also designed to be threat-adaptive. HITRUST consistently reevaluates the most pressing cyber threats through its quarterly reconciliation of cyber threat intelligence to the HITRUST CSF requirements—therefore, when changes are necessary, they will be included in major and minor releases of the HITRUST CSF.
However, with its static baseline of only 44 requirements, the e1 assessment can be completed in a much shorter timeframe while still providing your clients with assurance regarding your good security hygiene.
This e1 assessment can also serve as just a first step for those who are:
- New to HITRUST
- Planning to continue onto the more thorough i1 and r2 assessments
- Interested in evaluating the risk management of your (potential) third-party vendors
Should you complete the e1 certification process, your deliverables will include the certification report, certification letter, and certification letter with scope, which can be distributed to your clients as evidence of your foundational benchmark of proper cybersecurity controls.
Key Benefits of the e1 Assessment
HITRUST wouldn’t introduce an assessment option without established use cases, but there are a few key considerations when deciding if the e1 is the right option for your organization:
- Flexibility: The e1 assessment can be performed as a readiness or validated assessment – and readiness assessments can be performed with an External Assessor or as a self-assessment.
  - If you opted for the former, the scope of your e1 assessment would be fully inheritable for your subsequent i1 and r2 assessments, as all controls are nested into the more comprehensive certifications.
- Broad Appeal: The e1 assessment’s focused scope contains key controls that are inherently expected for nearly all entities, making it relevant to any and all industries seeking proper cybersecurity hygiene.
- Addresses Modern Threats: In keeping with HITRUST’s commitment to threat adaptability, the threats addressed include potentially high-impact ones such as phishing and ransomware.
- Lean and Low Effort: The curated set of 44 cybersecurity controls focuses on fundamental cybersecurity practices while remaining lean and relatively low effort when compared to the i1 and r2 assessments.
  - e1 assessments focus mostly on implemented evidence, which significantly reduces the number of Policy and Procedure updates compared to what is necessary for the r2 assessment.
- Shorter Turnaround: The Quality Assurance phase of the e1 assessment—during which HITRUST reviews and issues the certification—is significantly reduced. You would receive certification no more than 30 days after submission (or your next e1 Validated Report is complimentary).
HITRUST e1 vs. i1 vs. r2
To help put all of this into perspective, we put together a breakdown of the high-level elements of all three HITRUST assessments. If you’re brand new to HITRUST, this might provide a good starting point for understanding all three of your options:
| | e1 | i1 | r2 |
|---|---|---|---|
| Timeline | 1-year certification | 1-year certification | 2-year certification |
| HITRUST Certifiable? | ✓ | ✓ | ✓ |
| Do You Need a HITRUST External Assessor? | Yes | Yes | Yes |
| MyCSF Data Entry | External Assessor can enter scoring and scope into MyCSF | External Assessor can enter scoring and scope into MyCSF | You must enter scoring and scope into MyCSF |
| Requires an Interim Assessment? | No | No | Yes |
| Threat Adaptive? | ✓ | ✓ | ✓ |
| Fixed Requirements? | Yes | Yes | No - Requirements are tailored to your assessment scope |
For further details on the i1 and r2, you can also check our article here.
Key Considerations for HITRUST Certification
Through its significant expansions, HITRUST has grown its key offerings from two to three assessments. The newest option in the e1 represents both a lighter lift in proving your cybersecurity hygiene as well as an avenue to the more robust HITRUST assessments.
Though you may now understand more about the e1, HITRUST certification features many complexities you’ll need to navigate, no matter which assessment you choose. To learn more about these intricacies, check out our other content further detailing different aspects:
- What is the HITRUST Process?
- How to Prepare Your Service Providers for HITRUST Certification
- HITRUST Self-Assessments Explained
Of course, you may find you have more organizationally specific questions regarding this framework—if so, please feel free to contact us, and our experts would be happy to address your needs and clear the way for your moving forward with HITRUST.
About Kevin Keane
Kevin Keane is a Senior Associate with Schellman. Prior to joining the firm in 2020, Kevin worked as a Senior Technology Risk Professional and gained significant experience in many areas of IT audit such as SOX IT Controls, System Implementations, Automated Controls, and SOC Report Evaluations. As a Senior Associate at Schellman, Kevin primarily focuses on HITRUST audits for various healthcare organizations.