Compliance Standards Library

Hitrust E1

  • Updated

For more information about the HITRUST Assessment, please visit the official HITRUST Assessment Handbook


HITRUST Certification

To achieve the HITRUST certification, your organization must undergo a validated assessment (r2, i1, or e1). There are four parties involved in the HITRUST certification process:

  • Assessed Entity: The organization seeking the HITRUST certification.
  • Vanta: Vanta provides the platform that customers will use to get ready for their assessment. 
  • External Assessor: An authorized HITRUST assessor who reviews and validates the assessed entity’s readiness. You can learn more about External Assessors here. You can purchase a validated assessment directly from Vanta, utilizing our network of trusted auditors.
  • HITRUST: Conducts a quality assurance review of the external assessor’s evaluation, prepares and reviews draft reports

Below is a simplified view of the Validated Assessment process.:

  1. Pre-Assessment: The Assessed Entity starts by entering preliminary information into the MyCSF system. (Organization Information, Assessment Options, and Scope of the Assessment.)
  2. Readiness: The Assessed Entity uses Vanta to complete the necessary steps to get their systems and processes ready for their assessment. 
  3. Performing Validation: The External Assessor validates the information provided by the Assessed Entity, approves pre-assessment content, links documentation, and addresses any potential quality issues (PQIs).
  4. Quality Assurance: The assessment is assigned to a HITRUST QA Analyst who begins the QA process during the reserved QA block.
  5. Preparing and Reviewing Deliverables: HITRUST prepares and reviews draft reports, creating additional tasks if questions arise.
  6. Reviewing Draft Deliverables: The Assessed Entity reviews the draft reports and either approves them or requests revisions within 30 days.
  7. Complete: The final reports are uploaded in MyCSF, marking the assessment as complete.


Implementing HITRUST e1 with Vanta

You will use Vanta to ensure their systems and processes are ready for their assessment and your external assessor will inform you when you’re ready to be assessed. You do not have to upload evidence and documents directly into MyCSF. 

Vanta will facilitate the provisioning of your MyCSF account when you purchase the HITRUST e1 framework. Getting access to MyCSF will require a few additional steps:

  • For New Customers: You'll receive an onboarding email with set-up instructions for your account (more below).
  • For Existing Customers: Once your purchase is complete, you'll automatically receive access to HITRUST e1 in MyCSF.

MyCSF Account Setup 

  • After completing your purchase from Vanta, you will need to sign a MyCSF license agreement You will receive the agreement in the same email inbox as your Vanta contract

  • Once signed, HITRUST will send your login details within 48 hours
  • The first admin in Vanta will receive the MyCSF login details and will be set as the primary administrator
  • Based on the type of MyCSF account that you purchased, you will have access to the following features:
    • HITRUST Lite Bundle, 4 users, 1 assessment object*, 1 report credit, 12 months of access
    • HITRUST MyCSF Professional, 5 users, 2 assessment objects*, 12 months access - the report credit will need to be purchased separately

*Assessment object: The scope of the assessment, a defined scope of the review. For example, business units with their own networks and segmentation. Each business unit processes different types of data with different configurations and control requirements. Each business unit would require its own certification and thus, assessment object.


Key Terms

HITRUST CSF The HITRUST CSF is an overarching security and privacy framework that incorporates and harmonizes information protection requirements, including federal, state, and international legislation.
Assessment Types The HITRUST assessment portfolio offers three certification options based on your organization’s size, needs, and risk profile. The three types of certifications are r1, i1, and r2 validated assessments.
HITRUST e1 HITRUST e1 - 1-year Validated Assessment: Entry-level validated assessment and certification based on 44 foundational security controls suited for companies with low-risk profiles, establishing foundational cybersecurity.
MyCSF The MyCSF Assessment Platform is HITRUST’s audit platform. Its use is required by HITRUST in order to complete the assessment validation.