What's the difference between e1, i1, and r2?

e1 is a foundational essentials-based assessment with 44 controls. i1 is an intermediate-rigor assessment around 180 controls. r2 (formerly r2 CSF Certified) is the most rigorous, fully-tailored assessment with hundreds of controls and is what most enterprise healthcare buyers expect.

How does HITRUST relate to HIPAA?

HITRUST CSF is a comprehensive framework that incorporates HIPAA security and privacy requirements along with controls from NIST, ISO, PCI, and others. Many healthcare organizations pursue HITRUST as a way to demonstrate HIPAA compliance plus more.

Who performs HITRUST assessments?

HITRUST r2 and i1 assessments are performed by HITRUST Authorized External Assessors. e1 can be self-assessed or validated. The assessor uploads results to MyCSF for HITRUST's quality assurance review.

How long does a HITRUST r2 take?

A first-time r2 typically takes 9–18 months from kickoff to certification depending on scope and maturity. Programs that have an existing SOC 2 or ISO 27001 in episki can move significantly faster because evidence and controls already exist.

HITRUST without the binder cart

Move from e1 to r2 without rebuilding your program

HITRUST CSF mapped to your existing controls, assessment-handler-friendly evidence packets, and cross-walks to HIPAA, SOC 2, and ISO 27001 so you stop running parallel programs.

Start free trial Book a demo

What is HITRUST CSF?

The HITRUST Common Security Framework is a certifiable, risk-based control framework originally developed for the healthcare industry and now used across regulated industries broadly. HITRUST integrates requirements from HIPAA, NIST, ISO 27001, PCI DSS, GDPR, and other authorities into a single, scalable control catalog.

The HITRUST organization offers three assessment types: e1 (essentials), i1 (intermediate), and r2 (the comprehensive, certifiable assessment). Each escalates the rigor of evidence and the breadth of controls. r2 is the most widely recognized in enterprise procurement.

Who needs HITRUST

HITRUST CSF Certified status is increasingly expected — sometimes required — by major payers, hospitals, and pharma companies before doing business with a SaaS or technology vendor. Outside healthcare, financial services and government contractors are also adopting HITRUST as a comprehensive way to demonstrate a mature control environment.

How episki helps

HITRUST is dense (the r2 control set alone is hundreds of requirements). episki keeps the HITRUST CSF crosswalked to your existing controls so you're not running a parallel HITRUST-only program. Add HITRUST to a workspace that already has SOC 2 or HIPAA and most of the evidence is already in place.

HITRUST CSF outcomes with episki

Quantify the impact security and compliance brings to your business.

3 paths

e1, i1, and r2 assessment types supported with the right scoping.

100+ controls

HITRUST CSF requirements pre-mapped to your control library.

1 program

One evidence set serving HITRUST, HIPAA, SOC 2, ISO 27001 simultaneously.

Why teams choose episki for HITRUST CSF

Framework-specific automation, collaboration, and reporting in one workspace.

e1, i1, r2 scoping

Pick the right assessment type and scope, with the right control selection guided by HITRUST's risk factors.

HITRUST CSF library at the requirement level
Risk-factor-driven control selection
Inheritance from prior assessments

External assessor collaboration

HITRUST authorized External Assessors get a scoped workspace with the evidence and walkthroughs they need.

Scoped portal per engagement
Evidence packets organized by requirement
MyCSF-style language in episki narratives

Cross-mapped to HIPAA, SOC 2, ISO 27001

Stop maintaining parallel programs. One control, many certifications.

Evidence reuse across audits
Crosswalks visible per control
Map once, satisfy many

HITRUST readiness inside episki

Everything you need to scope and prepare for assessment.

Plug episki into your stack and work directly from this checklist during the free trial.

✓ HITRUST CSF library at the requirement level
✓ Risk-factor questionnaire driving control selection
✓ Evidence library organized by HITRUST domain
✓ Cross-walks to HIPAA, SOC 2, and ISO 27001
✓ External Assessor collaboration workspace
✓ Interim assessment workflow

HITRUST accelerators

HITRUST program accelerators

Stop running HITRUST as a separate animal.

Scoping wizard

Risk-factor-driven control selection so you don't over- or under-scope.

Evidence cross-walk

Reuse the same evidence across HIPAA, SOC 2, ISO 27001, and HITRUST.

Assessor handoff packet

Pre-organized evidence and narratives for your External Assessor.

HITRUST frequently asked questions

Other compliance frameworks

CCPA / CPRA CMMC FedRAMP GDPR HIPAA ISO 27001 ISO 27701 ISO 42001 NIST 800-171 NIST 800-53 NIST CSF PCI DSS SOC 1 Type I/II SOC 2 Type I/II SOX

Start your HITRUST program in episki

Pull in your existing controls, pick the right assessment type, and prep your assessor.

Start free trial Book a walkthrough