866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Why You Should Get HITRUST e1 Certified Blog Feature
RYAN MEEHAN

By: RYAN MEEHAN

Print/Save as PDF

Why You Should Get HITRUST e1 Certified

Healthcare Assessments

Though considered somewhat abbreviated in comparison to HITRUST’s other certification options, the HITRUST e1 Certification still represents a potentially beneficial path, particularly for those organizations that have already established their compliance programs.

Though these initiatives began as extra obligations to fulfill customer requests, compliance is now moving beyond these basic requests—adding more third-party assurance has become a powerful way organizations can differentiate themselves from their competitors in their markets.

As a single-provider cybersecurity assessments firm with a broad suite of services, we have and continue to witness clients invest more in compliance and see returns. HITRUST certification continues to grow in popularity among organizations of all kinds, and while each of those options is worth pursuing on its merits, in this article, we’re going to focus on the e1 and why it would make a great addition to your compliance program.

What is the HITRUST e1 Certification?

A newer introduction by HITRUST, the essentials 1-year (e1) Validated Assessment, at its core, is a static set of 44 requirement statements that—if met—will demonstrate that your organization’s scoped system(s) have foundational cybersecurity in place.

Here’s how it would work (at a base level):

For more details on this process, you can check our article on how to get HITRUST certified.

3 Reasons to Get HITRUST e1 Certified

If you’re familiar with compliance at all, that process may sound fairly familiar and similar to other initiatives you’ve undergone. So why should the e1 be next for you, among your other potential options?

Here are three great reasons to get HITRUST e1 certified.

1. Convenient Mapping to Other Compliance Standards

 

First and foremost, the HITRUST e1 certification provides an easier jump from other compliance assessments.

While any new compliance initiative will command more of your budget and precious internal resource time, adding HITRUST e1 certification would be a prudent use of both primarily due to how well it maps to and from two other prominent standards: 

SOC 2

If your organization already performs an annual Type 2 SOC 2 examination, that evidence you’re already pulling to test your SOC 2 controls has a 66% overlap with the evidence required to test the 44 requirements in the HITRUST e1.

Why Does This Matter?

Should you elect to add an e1 Certification, you’d save resources and time and avoid additional audit fatigue while achieving an additional certification that can be helpful, if not required, to do business with certain prospective clients.

ISO 27001

If your organization currently holds an ISO 27001 Certification, that evidence you’re already pulling to test your Annex A controls has a 63% overlap with the evidence required to test the 44 requirements in the HITRUST e1.

Why Does This Matter?

In fact, while the HITRUST CSF—the set of requirements that HITRUST is built on—incorporates many frameworks and regulations, its most dominant influence is ISO 27001.

Similar to what was noted above for SOC 2, this overlap between your ISO 27001 efforts would make adding a HITRUST e1 Certification simpler, as you would again save internal resource time and avoid additional audit fatigue while adding more to your compliance portfolio.

Plus, if you use the same assessor firm for both audits—whether it’s SOC 2 and the e1 or ISO 27001 and the e1—you can also combine those walkthroughs/interviews to further reduce your time spent doing audit activities.

2. Easier Segue to Other HITRUST Certifications

 

Speaking of overlap, the HITRUST e1 also crosses over with the other HITRUST certification options.

We mentioned the “abbreviated” nature of the e1, which could initially seem off-putting in comparison to those other HITRUST avenues.

However, the 44 requirements in the e1 Certification are nested within both:

  • The 182 requirements in the i1 Certification; and
  • The varied number of requirements in the r2 Certification (which uses risk-based questions that can drive the number of requirements anywhere from 200-something requirements up to well over 1000).

All this to say, even if you are later required to upgrade to an i1 or r2, if you’ve previously acquired e1 Certification, you’ll have already taken a big step toward your efforts for either of the other two. Not only that, but going for the e1 Certification first can also provide:

  • Exposure to the HITRUST process
  • Insight into what would be required to upgrade, and
  • The necessary time to implement more robust controls, as needed, for those upgraded certifications. 

3. A Door Into Healthcare

 

If e1 Certification maps well to more broad security standards in SOC 2 and ISO 27001, it also can clear a path through to a specific market—if your organization is trying to break into the healthcare vertical, you’ll eventually run across potential clients that not only view a HITRUST certification as nice to have but also those that actually require it for you to even be considered for the use of your products/services.

Each healthcare client is likely to have their own formula / flow chart for determining the risk level that your organization’s product presents for them. (Our article here can provide a sense of what that risk assessment might look like.)

Still, the HITRUST e1 Certification, with its smaller cost and necessary lift, represents a great starting point for compliance to satisfy healthcare organizations (unless you’re certain that your organization’s system(s) would fall into healthcare’s “high-risk” category—in which case it likely wouldn’t suffice and you’d need to move to the i1 or r2).

Once you do get that foot in the door, there may be eventual situations where prospective clients are looking for a higher level of HITRUST certification, and should that happen, most will allow you a grace period—typically 18 months—to achieve the desired level, and again, with an e1 Certification in hand, you’ll already be better positioned to make that move. 

Next Steps for Your HITRUST e1 Certification

HITRUST certification has become an excellent, sector-agnostic compliance option for any organization seeking to prove its cybersecurity measures. Though organizations will be more familiar with the established and robust i1 and r2 options, HITRUST’s newest alternative in the e1 can also particularly benefit those organizations with existing compliance programs that want to more easily leverage an additional piece into new possibilities. 

As you use this information to mull over how to best move your organization forward with HITRUST, learn more details about more of the latest updates from our other articles:

About RYAN MEEHAN

Ryan is a Senior Manager at Schellman. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.