HASP and HITRUST

Not directly — and we will not say otherwise. Today, HASP's HITRUST posture is inherited from the compliance substrate that hosts the platform. The substrate's HITRUST attestation covers the substrate-layer controls (infrastructure, encryption, access management, change control, incident response, data-center physical security). HASP's own HITRUST e1 validation is the next direct attestation engagement; it runs ~4–6 months on a continuous-compliance evidence platform in parallel with SOC 2 Type II. Until that engagement closes, what you can rely on is the inherited substrate posture plus a single, unified application-layer control set with continuous evidence collection. The substrate attestation letter is available under mutual NDA on request.

HITRUST CSF v11 control set. The CSF v11 e1 assessment is the entry-level tier introduced specifically for cloud-native SaaS providers — 44 controls covering the highest-impact safeguards (access control, encryption, vulnerability management, incident response, change management). When we align our control matrix and continuous evidence to HITRUST, we align to v11 e1 first because that is the framework version active enterprise healthcare procurement teams are actually asking for in 2026. r2 alignment lives on top of the same evidence base for the subset of customers who genuinely require it.

e1, with r2 reserved as a successor decision against a specific contract that genuinely requires it. e1 (Essentials, 1-year) is a 44-control validated assessment scoped for cloud-native SaaS — it is what the vast majority of enterprise health-system procurement intake asks for when a security questionnaire says "HITRUST." r2 (Risk-based, 2-year) is a much larger engagement — 200+ controls, ~12+ months, materially higher cost — typically required only by the largest tier-1 health systems with explicit r2 contractual language. Our architecture and control set scope cleanly to r2 if a customer contract justifies it; the engagement itself is the additional commitment. We will not claim r2 unless we hold an r2 certificate.

The substrate-layer half of every framework. The compliance substrate runs HASP's compute, managed databases, network, and operational tooling. It holds its own HIPAA, SOC 2 Type II, and HITRUST attestations covering: data-center physical security, host-OS hardening and patching, network segmentation and firewall rules, encryption at rest (AES-256 full-disk on managed databases and compute), encryption in transit at the substrate edge, intrusion detection, vulnerability scanning of the underlying compute fleet, and the change-management process for the substrate itself. HASP owns the application layer on top — the audit chain, BAA enforcement, PHI handling, gateway controls, identity, RBAC, and data-rights endpoints. Both layers are required for a HITRUST claim; we hold the application half and inherit the substrate half. The substrate attestation is available under mutual NDA on request.

Yes — through [email protected] under mutual NDA. While the direct HASP e1 engagement is in progress, what you receive is: (1) the substrate-level HITRUST attestation letter, (2) HASP's HITRUST e1 control matrix mapped to the application layer, (3) HASP's audit-chain integrity architecture document, and (4) HASP's sub-processor register. Once HASP's direct e1 attestation closes, the report itself is added to that package. Email [email protected] to request the package.

Heavily — by design, and that is the entire point. HITRUST CSF was originally written as an implementation framework for the HIPAA Security Rule. Most HIPAA Security Rule administrative, physical, and technical safeguards have direct mappings into HITRUST CSF controls; many are 1-to-1. The practical consequence: when HASP issues a HIPAA Business Associate Agreement, the controls backing that BAA — encryption, access control, audit logging, breach notification, workforce training, sub-processor management — are the same controls evidence-tested under HITRUST. You do not have to evaluate two different control programs. HASP's multi-framework scope is built on a single-control-set principle: one set of controls satisfies HIPAA + HITRUST + SOC 2 + GDPR + CCPA + PIPEDA simultaneously. We collect evidence once and map it to every framework that needs it.

HITRUST scores each in-scope control on a five-level PRISMA-style maturity scale (Policy, Procedure, Implementation, Measured, Managed). A control's score is the average of its applicable maturity levels, weighted by HITRUST's published methodology. A control passes if it scores at or above the threshold for the assessment type — for e1, this is calibrated for cloud-native SaaS providers and emphasizes Implementation evidence over Measured/Managed evidence (which usually require multi-year observation). The HITRUST assessor (an Authorized External Assessor — "AEA") validates HASP's self-assessment, samples evidence, and submits the scored assessment to HITRUST for QA review. HASP targets full pass on all 44 e1 controls at the Implementation maturity tier minimum, with Policy and Procedure at Managed.

Yes. PHI handling is owned by HASP end-to-end and runs on managed compliance infrastructure inside the same compliance substrate that hosts the rest of the platform. PHI scanning, de-identification, redaction, and re-identification happen in HASP's PHI anonymization pipeline before any content leaves HASP's substrate to an inference provider. Every PHI-adjacent event lands in the cryptographically chained audit log. The PHI pipeline is in scope for the e1 application-layer audit because it is part of the same control set that handles access, audit, and encryption.

All of them, including the Free Evaluation environment. HASP's compliance posture is universal — the same floor at every tier. Every customer runs on the same compliance substrate, the same audit chain, the same BAA, and (once issued) the same HITRUST attestation. The Enterprise tier adds dedicated database isolation and Customer-specific contract terms, but compliance posture itself does not vary by tier. There is no "compliance edition" upsell.

SIG, CAIQ, HECVAT, and HITRUST-specific questionnaires (HITRUST MyCSF questionnaires, payer-specific intake questionnaires that map to CSF controls) are completed promptly. If the questionnaire requires substrate-level evidence, that NDA-gated package is included in the response. Contact [email protected] to start.