Hello Friend,
As we kick off 2025, I wanted to take a moment to thank you for your partnership and share how excited we are to continue working together this year. Whether it’s navigating emerging trends in AI, international compliance, or driving growth, our team is dedicated to helping you achieve your objectives.
SAVE THE DATES
SchellmanCON is back! Join our virtual conference on March 6th & 7th.
This year’s agenda is filled with insightful sessions, engaging discussions, and exclusive networking opportunities—all designed to deliver maximum value to you while offering the chance to earn CPE credits.
Explore key topics through expert-led panels, including:
- Consolidating Compliance
- Artificial Intelligence and ISO 42001
- NIS2
- DORA
- CMMC
- and much more!
WHAT IS TRENDING
We expect healthcare to continue to get focus in 2025. As many know, there are proposed revisions to the HIPAA Security Rule. Even if they do not go into effect, clients will need to continue to reiterate their commitments to customers around the protection of ePHI. We will continue to monitor updates but maintain our belief that healthcare compliance is part of a comprehensive approach to compliance. With that, we wanted to start a HITRUST update. If you shudder at the word “HITRUST”, whether because of some past trauma or word of mouth, I ask for just a moment to bear with us...
In the past there was only one HITRUST certification, but there are now three varieties, as follows:
- r2 (risk-based 2-year certification) – previously the only option for getting HITRUST certified
- i1 (implemented 1-year certification) – 182 static requirements, and it does NOT require a policy and procedure for every requirement, unlike the original HITRUST certification (r2)
- e1 (essentials 1-year certification) – only 44 static requirements, which likewise do NOT require a policy and procedure for every requirement
To simplify it further, think of e1 as easy, i1 as intermediate, and r2 as robust. While the e1 is a lighter assessment, it provides a lower level of assurance. The e1 is nested within the i1, which provides a medium level of assurance. Likewise, the i1 is nested within the r2, which provides the highest level of assurance.
Many healthcare payers and providers are requiring some form of HITRUST certification to participate in an RFP, or may not even contact vendors that are not listed on the Health3PT directory (a free directory that shows entities pursuing or having achieved some level of HITRUST certification). Holding at least an e1 certification opens up more opportunities and, most times, allows vendors to stay in an RFP. If a higher level of HITRUST certification is required, you are typically given 12-18 months to pursue it, and you now have a return-on-audit-investment argument that previously didn’t exist for HITRUST.
In addition, an e1 pairs well with, and can be incorporated into, existing compliance efforts like SOC 2 or ISO 27001, and it is a lower-cost way to maintain some level of HITRUST certification. Learn more about why you should get HITRUST e1 certified.
We would love to learn what you are hearing from healthcare customers and stakeholders.
I look forward to connecting with you soon.
I hope you had a great February, both professionally and personally! In this month’s E100 update, we’re geeking out a little on Greenhouse Gas (GHG) emissions and sharing some exciting firm updates, including new leadership and upcoming events.
Sustainability Update - What's the Scope?
Back in December, we announced our acquisition of Sustas, a company specializing in Greenhouse Gas (GHG) reporting and accounting. While this isn't directly related to cybersecurity, many of our enterprise clients have asked us to review their environmental programs and commitments.
Now that we've secured the appropriate expertise to meet those needs, we'd like to provide a brief overview of the three scopes of GHG emissions:
- Scope 1: Direct emissions from owned or controlled sources, such as on-site fuel combustion (e.g., data centers).
- Scope 2: Indirect emissions from the generation of purchased electricity, steam, heating, and cooling consumed by the company (e.g., hosting/cloud providers using data centers).
- Scope 3: All other indirect emissions in a company's value chain, including upstream and downstream activities. This reflects your commitment to using providers that measure and manage their emissions.
Why is this important? While the SEC no longer requires reporting on GHG emissions, California, New York, and the EU still have related mandates in place, as do organizations like Microsoft and Coupa. As such, becoming a provider that is committed to measuring and managing its emissions may be the key market differentiator that you need, and Schellman can help.
Want to learn more? Listen here and reach out!
FIRM SPOTLIGHTS
Scaling Success: Preeya Voss Appointed as Chief Revenue Officer
Schellman is excited to welcome Preeya Voss as our new Chief Revenue Officer. With nearly two decades of experience in SaaS and services revenue leadership, Preeya brings a strong track record of driving growth and innovation across industries. As we continue to expand our go-to-market strategies, her leadership will play a key role in enhancing client partnerships and delivering greater value. Read the press release.
One final thing: Don’t miss SchellmanCON 2025 on March 6-7! We’ll bring together top thought leaders in compliance, cybersecurity, threat management, artificial intelligence, and more to discuss emerging trends shaping our industry. It’s also a great opportunity to network with like-minded professionals and earn valuable CPEs, because let’s be honest, we all scramble for them each year! Secure your spot today.
As always, we appreciate your partnership and the opportunity to support you. We’re excited about the growth ahead. We hope to see you at SchellmanCON next month and look forward to staying connected!
If you have any questions or need anything from us, don’t hesitate to reach out.
About Douglas Barbin
As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the firm's strong foundation in IT audit and assurance to make Schellman a market-leading, diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology-focused services, having served as a technology product management executive, a mortgage firm CTO/COO, and a fraud and computer forensic investigations leader. Doug holds dual bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken postgraduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses in addition to most of the major industry certifications, including several he helped create.