Pick the i1 (Implemented, 1-Year) if you need a credible HITRUST cert fast to clear customer security questionnaires — fixed ~182 controls, ~$30k–$60k, one-year validity, implementation-only scoring. Pick the r2 (Risk-based, 2-Year) only when a payer, health system, or BAA contract explicitly demands the gold-standard risk-tailored assessment — 300 to 2,000+ requirement statements, five-level maturity scoring, ~$60k–$150k+, two-year validity with an interim. For most San Diego SaaS and digital-health vendors, start at i1 and climb to r2 when a contract forces it.
Same HITRUST CSF framework. Two very different assessment depths. One is a fixed annual snapshot. One is a risk-tailored, maturity-scored, two-year certification. Here is the real difference.
| Dimension | HITRUST i1 | HITRUST r2 |
|---|---|---|
| Full name | Implemented, 1-Year (i1) | Risk-based, 2-Year (r2) |
| Control count | Fixed ~182 requirement statements | Dynamic — typically 300 to 500+, can exceed 1,000–2,000 for large regulated scope |
| How scope is set | Pre-set by HITRUST, refreshed annually | Tailored by MyCSF scoping engine from your risk factors |
| Scoring model | Implementation maturity only (1 dimension) | PRISMA maturity — Policy, Procedure, Implemented, Measured, Managed (up to 5; the first three are required, Measured and Managed are optional) |
| Validity | 1 year — full re-assessment annually | 2 years + required 1-year interim assessment |
| Threat focus | Curated set of leading practices that HITRUST updates against current cyber threats | Comprehensive, risk-based coverage tailored to your scope and risk factors |
| Regulatory mapping | Limited — core CSF only; no additional authoritative sources can be selected | Add authoritative sources: HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, FedRAMP, GDPR, etc. |
| Corrective Action Plans | CAPs allowed for low-scoring gaps | CAPs allowed; gaps tracked across maturity levels |
| Assurance level | Moderate — strong, broadly accepted | High — the gold standard health-data vendors recognize |
| Typical timeline | ~6–12 weeks once controls are in place | ~3–9 months (readiness + validated assessment) |
| Re-use credit | Inherits e1 work; feeds into r2 | Inherits i1 and prior r2 work via shared CSF |
| Best fit | SaaS clearing questionnaires fast | Vendors handling large PHI volumes for payers/health systems |
All-in means MyCSF subscription + HITRUST Authorized External Assessor fees + internal labor + remediation tooling. HITRUST does not publish fixed prices; these are honest market ranges, not quotes, and your assessor's proposal will vary with scope, headcount, and how much remediation is still open.
| Cost component | HITRUST i1 | HITRUST r2 |
|---|---|---|
| MyCSF subscription | ~$3k–$6k/yr | ~$10k–$25k/yr (more controls, more sources) |
| External assessor fees | ~$20k–$40k | ~$40k–$90k+ |
| Readiness / remediation | ~$10k–$25k (lighter, fixed scope) | ~$25k–$75k (maturity docs across 5 levels) |
| Typical total Year 1 | ~$30k–$60k | ~$60k–$150k+ |
| Recurring cost | Full re-assessment every year (HITRUST offers a lighter-scope i1 rapid recertification in the second year if you meet its eligibility criteria) | Lower-cost interim Year 2, full reassess Year 3 |
The i1 wins on speed, cost, and predictability — it is a fixed ~182-control snapshot that gets you a real HITRUST cert in weeks and clears the large majority of vendor security questionnaires. The r2 wins on depth and assurance — it is the risk-tailored, maturity-scored, two-year gold standard that large payers and health systems specifically name in contracts. The mistake operators make is jumping straight to r2 because it sounds more impressive, then burning $100k+ and six months on assurance their customers never asked for. Start at i1. HITRUST deliberately built the e1 → i1 → r2 ladder so each tier reuses your prior work in the shared CSF, so climbing to r2 later costs less than starting there. Only go straight to r2 when a signed or pending contract explicitly requires it.
We don't just compare certifications. We help SaaS and digital-health teams scope the right tier, build the control evidence, wire the MyCSF workspace, draft the policies and procedures across maturity levels, and get you assessment-ready without the bloated consultant retainer.