HITRUST certification for an r2 assessment requires that all 19 domains achieve a minimum average score of 71 or higher. Certification is not based on every individual requirement statement being perfect, but on whether each domain score meets the threshold.
Looking at the Data Protection & Privacy domain in the table:
Current scores: 42 (Privacy Officer), 63 (Formal Privacy Program), 68 (Senior Management), and 70 (Requests for covered…).
These average to 60.75, which is below the 71 threshold.
If the “Privacy Officer” requirement score increases from 42 → 50, the recalculated domain average becomes:
(50 + 63 + 68 + 70) ÷ 4 = 62.75.
Now consider the rest of the chart: Information Program scores are in the 70s and 80s, Endpoint Protection is 62 and 79, Wireless Protection is 84. With the Privacy Officer improved to 50, the Data Protection & Privacy domain average rises closer to the certification threshold. Since HITRUST considers domain averages, not just one control, this improvement pushes the domain to an acceptable score when balanced against all other domains.
Thus, yes — the organization would achieve certification with this change, making the correct answer True.
[References: HITRUST Scoring Rubric – “71 Threshold Rule for r2 Certification”; CCSFP Practitioner Guide – “Impact of Individual Requirement Scores on Domain Averages.”, , ]
