Skip to main content
InterScripts
Cluster · Compliance

HITRUST CSF v11 readiness checklist

The short answer: HITRUST CSF v11 is the current version of the HITRUST Common Security Framework, and r2 is the highest assurance certification level. A first-time r2 certification typically takes 12–18 months from kickoff to recommendation. The work breaks into three phases: scope and gap analysis (3 months), control implementation and evidence collection (6–9 months), and external assessment with HITRUST validation (3–6 months).

Chad Campbell
Chad Campbell · AVP, Compliance & Transitions· Reviewed 2026-05-15

Key takeaways

  • HITRUST CSF v11 — current version (as of 2026)
  • r2 — highest assurance level
  • 12–18 months typical first-time certification timeline
  • Three phases: scope/gap, implementation, external assessment
  • InterScripts and BytePad are HITRUST r2 certified

The numbers

v11
Current HITRUST CSF version
HITRUST Alliance
r2
Highest assurance level
HITRUST Alliance
12–18 months
First-time r2 certification timeline
Industry practice

The three-phase pattern

Phase 1 — scope and gap analysis (3 months). Define the system boundary, run a CSF gap assessment against v11, and produce a remediation roadmap with control owners.

Phase 2 — control implementation and evidence collection (6–9 months). Execute the remediation roadmap. Stand up evidence-collection processes that will continue post-certification.

Phase 3 — external assessment with HITRUST validation (3–6 months). Engage a HITRUST authorized External Assessor; complete the validated assessment; submit to HITRUST for quality assurance and recommendation.

Sources & references

Frequently asked questions

What is HITRUST r2?

HITRUST r2 is the highest assurance certification level under the HITRUST Common Security Framework (CSF), currently at version v11. It is required by many U.S. health-system business associate agreements and is the certification InterScripts and BytePad hold.

How long does a first-time HITRUST r2 certification take?

Typically 12–18 months from kickoff to HITRUST recommendation: 3 months scope and gap, 6–9 months control implementation and evidence collection, 3–6 months external assessment and HITRUST validation.

Bring this to your team

Book a 30-minute walkthrough with the InterScripts experts who wrote this. We will tailor it to your systems, retention obligations, and federal compliance posture.

Schedule a meeting