HITRUST r2 Assessment Readiness Checklist: Complete Evidence Guide
Preparing for a HITRUST r2 validated assessment requires rigorous evidence collection across 19 control domains and five maturity levels. This comprehensive checklist details the exact documentation, screenshots, and policy evidence assessors require to achieve certification, and explains how to automate the evidence collection process.
A HITRUST r2 (Risk-based, 2-year) Validated Assessment is widely considered the "gold standard" of information security certifications, particularly in healthcare. Unlike SOC 2, which allows organizations to define their own controls, HITRUST r2 mandates a strict set of requirements based on the HITRUST CSF (Common Security Framework). Achieving certification requires providing comprehensive evidence—including policy documents, process narratives, and technical screenshots—across 19 control domains.
For many compliance teams, the sheer volume of required documentation turns assessment preparation into a 6–12 month ordeal. This article provides a complete HITRUST r2 readiness checklist and explains how automation can reduce evidence collection time from months to weeks.
What Does HITRUST r2 Readiness Require?
Answer: HITRUST r2 readiness requires demonstrating compliance with the CSF requirements applicable to your organization's scope. Unlike lower-tier assessments (e1 or i1), the r2 assessment evaluates controls based on five maturity levels: Policy, Procedure, Implemented, Measured, and Managed.
To pass, you must prove not only that a policy exists (Level 1) but that it is actively implemented (Level 3) on every system in scope. This "Implemented" level is where most assessments stall, as it requires granular, screenshot-based evidence for hundreds of controls that APIs cannot easily verify.
Phase 1: Scoping and Gap Analysis
Before collecting evidence, you must define what is being assessed. Errors in scoping are the most common cause of assessment delays.
1. Define the Assessment Scope
- [ ] System Boundaries: Clearly define which applications, databases, and infrastructure are in scope.
- [ ] Geographic Scope: Identify all physical locations where data is processed or stored.
- [ ] Third-Party Vendors: List all vendors (CSPs, MSPs) that impact your security posture.
- [ ] Regulatory Factors: Determine if you need to include specific regulatory factors (HIPAA, GDPR, CCPA, NIST) in your MyCSF assessment object.
2. Perform a Self-Assessment (Gap Analysis)
- [ ] Create Assessment Object: Set up your assessment in the MyCSF portal to generate your requirement set.
- [ ] Initial Scoring: Score your controls honestly against the maturity levels.
- [ ] Identify Gaps: Mark controls that score below "3" (Implemented) or lack documentation.
- [ ] Inheritance Strategy: Identify controls that can be inherited from your cloud provider (AWS/Azure) or external assessors.
Phase 2: Evidence Collection Checklist (By Maturity Level)
HITRUST assessors require specific types of evidence for each maturity level. Use this checklist to ensure your documentation is audit-ready.
Level 1: Policy (Is it written?)
- [ ] Information Security Policy: A master document approved by management (updated within the last year).
- [ ] Domain-Specific Policies: Separate policies for Access Control, Incident Response, Risk Management, etc.
- [ ] Review Dates: Evidence that policies are reviewed annually (e.g., meeting minutes or version history).
Level 2: Procedure (Is it communicated?)
- [ ] Standard Operating Procedures (SOPs): Step-by-step guides showing how to perform the tasks defined in the policy.
- [ ] Roles and Responsibilities: Documentation defining who owns each process (e.g., RACI charts).
- [ ] Communication Evidence: Emails, Slack messages, or intranet logs proving procedures were distributed to staff.
Level 3: Implemented (Is it working?)
Critical: This is the most evidence-intensive level. You must provide "operational evidence" proving the control is active.
- [ ] Configuration Screenshots: Images of settings (e.g., password complexity, encryption enabled).
- [ ] Workflow Recordings: Visual proof of processes (e.g., user onboarding steps, change approval flows).
- [ ] Logs and Reports: System-generated logs showing control activity (e.g., antivirus scans, backup logs).
- [ ] Sample Testing: Evidence for a sample of items (e.g., screenshots for 25 randomly selected new hires).
Level 4 & 5: Measured and Managed (Optional for Certification)
- [ ] KPIs and Metrics: Dashboards showing control performance over time.
- [ ] Continuous Improvement: Evidence that metrics are used to adjust and improve security processes.
Phase 3: Domain-Specific Evidence Checklist
The HITRUST CSF contains 19 control domains. Below are the checklists for the most labor-intensive domains regarding evidence collection.
Domain 01: Access Control
- [ ] 01.b User Registration: Screenshots of the ticketing system showing approval for new user access requests.
- [ ] 01.c Privilege Management: Screenshots of role definitions (RBAC) and evidence of quarterly access reviews.
- [ ] 01.j Password Management: Screenshot of IDP (Okta/Azure AD) settings showing complexity, history, and lockout rules.
- [ ] 01.x Unattended User Equipment: Screenshot of MDM settings enforcing screen lock after inactivity.
Domain 09: Audit Logging & Monitoring
- [ ] 09.aa Audit Logging: Screenshots of log configurations sending data to a SIEM (e.g., Splunk, Datadog).
- [ ] 09.ab User Activities: Evidence that administrator actions are logged and retained.
- [ ] 09.ac Protection of Log Information: Screenshot of S3 bucket permissions showing logs are immutable or restricted.
Domain 10: Vulnerability Management
- [ ] 10.m Control of Technical Vulnerabilities: Reports from vulnerability scans (e.g., Tenable, Qualys) and screenshots of tickets proving remediation.
- [ ] 10.l Patch Management: Screenshots of patch management policies and evidence of automated patching schedules.
Domain 12: Operations Management
- [ ] 12.e Change Management: Screenshots of Pull Requests (GitHub/GitLab) showing peer review and CI/CD deployment logs.
- [ ] 12.a Operational Procedures: Documented runbooks for backup restoration and system maintenance.
Where Traditional HITRUST Automation Falls Short
Many organizations attempt to use general GRC tools (like Drata or Vanta) for HITRUST. While these tools are excellent for SOC 2, they often struggle with the depth of HITRUST r2.
1. The "Implemented" Evidence Gap
GRC tools rely on APIs to check configurations (e.g., "Is MFA on?"). However, HITRUST assessors often require screenshots to verify the context of the implementation—such as seeing the specific error message a user gets when access is denied, or viewing the actual UI of an internal tool. APIs cannot capture this visual context.
2. Process Validation
HITRUST requires proof of process, not just state. An API can confirm a backup exists, but it cannot prove you performed a restoration test. Documenting a restoration test requires recording the workflow: selecting the backup, initiating the restore, and validating the data. This manual "computer-use" evidence is where teams lose hundreds of hours.
3. Sampling Requirements
For controls like user access reviews, assessors often demand evidence for a specific sample (e.g., "Show me the access tickets for these 10 users"). GRC tools usually provide a dump of all users, but gathering the specific screenshots for the sample list is a manual, tedious process.
How to Automate HITRUST Evidence Collection
To close the gap between GRC capabilities and HITRUST requirements, teams are turning to evidence automation agents like Screenata.
Step 1: Map Controls to Workflows
Identify the high-friction controls that require visual evidence (e.g., Access Control, Change Management, Backup Restoration).
Step 2: Record "Golden" Workflows
Use Screenata to record the standard procedure for testing these controls.
- Example: Record the flow of onboarding a new user: Ticket creation -> Manager Approval -> IDP Provisioning -> Welcome Email.
Step 3: Automate Capture
Run these workflows automatically or on-demand. Screenata navigates the applications, captures timestamped screenshots, redacts PII, and generates a PDF evidence pack mapped to the specific HITRUST requirement (e.g., "Evidence for 01.b").
Step 4: Upload to MyCSF
Export the structured evidence packs and upload them directly to the HITRUST MyCSF portal, tagged with the correct requirement IDs.
Comparison: HITRUST Assessment Types
Understanding which assessment you are preparing for determines the depth of evidence required.
| Feature | HITRUST e1 (Essentials) | HITRUST i1 (Implemented) | HITRUST r2 (Risk-based) |
|---|---|---|---|
| Focus | Cyber Hygiene | Leading Practices | Comprehensive Risk |
| Control Count | ~44 controls | ~219 controls | 200–800+ controls |
| Assurance Level | Low | Moderate | High (Gold Standard) |
| Validation | Self-Assessment or Validated | Validated | Validated |
| Certification | 1 Year | 1 Year | 2 Years |
| Evidence Load | Low (Policies) | Medium (Configs) | High (Policies + Screenshots) |
Frequently Asked Questions
How long does a HITRUST r2 assessment take?
A typical timeline is 6–12 months. This includes 2–4 months for readiness/remediation, 3 months for the validated assessment period (evidence collection), and 1–3 months for HITRUST QA and report issuance. Automation can compress the evidence collection phase to 6–8 weeks.
Can I inherit controls from SOC 2?
No, you cannot directly "inherit" a SOC 2 report into HITRUST. However, if you use a cloud provider like AWS or Azure, you can inherit their HITRUST controls for physical security and infrastructure, significantly reducing your own control count.
What happens if I fail a control in the validated assessment?
HITRUST r2 allows for Corrective Action Plans (CAPs). If a control is not fully compliant but doesn't pose a critical risk, you can still achieve certification by submitting a CAP detailing how you will fix the gap.
Do assessors accept automated screenshots?
Yes. HITRUST assessors accept automated evidence provided it is accurate, timestamped, and unalterable. Screenata generates PDF evidence packs with cryptographic metadata that meet these criteria.
Key Takeaways
- ✅ HITRUST r2 is a rigorous assessment requiring evidence across 19 domains and 5 maturity levels.
- ✅ Scoping is critical; ensure all systems, locations, and vendors are correctly identified in MyCSF.
- ✅ "Implemented" (Level 3) evidence is the hardest to collect, often requiring screenshots and workflow recordings that APIs miss.
- ✅ GRC tools manage policies well but struggle with the operational evidence required for validated assessments.
- ✅ Automation tools like Screenata can capture the necessary screenshot evidence, reducing prep time by months.
Learn More About HITRUST r2 Certification Evidence Automation
For a complete guide to automating your assessment strategy, see our guide on automating HITRUST r2 evidence collection, including how to map automated evidence to MyCSF requirements.
Ready to Automate Your Compliance?
Join 50+ companies automating their compliance evidence with Screenata.