HOPPR™ AI Foundry Platform Achieves HITRUST Certification 

By Trever Falconi, Director, IT Security & Operations at HOPPR 

When we announced our SOC 2 Type 2 certification, we made a commitment: this was just the beginning of an ever-evolving journey. At HOPPR, our approach to security has always started with steadfast stewardship grounded in servant leadership.

Our responsibility centers on systems that handle healthcare data, and those systems operate under a different standard. The data is sensitive, the environments are complex, and the expectation is that security controls work consistently, not just on paper.

That expectation shapes how we approach security at HOPPR. Over the past year, we’ve focused on building that foundation, grounded in disciplined execution in how systems are configured, how access is managed, and how controls perform under real operating conditions. We first achieved SOC 2 Type I and Type II attestation to validate that our controls are designed and operating effectively over time.

Today, I’m sharing the next step in that progression. The HOPPR™ AI Foundry (our AI development platform) has achieved HITRUST e1 Certification, following an independent assessment of the system and controls supporting the platform hosted on Amazon Web Services. 

This milestone is not about accumulating certifications. It reflects a deliberate approach to building systems that can be trusted in environments where that trust is essential.   

What Is HITRUST Certification 

HITRUST is a widely adopted assurance framework in healthcare, designed to address the regulatory and threat landscape associated with sensitive health data.

Unlike single-framework certifications, HITRUST’s Common Security Framework (CSF) harmonizes and maps to over 50 authoritative sources, including HIPAA, NIST, ISO 27001, and SOC 2. 

In practice, this is the framework I see referenced most often in healthcare security and vendor risk conversations. It provides a consistent way to evaluate whether controls are not only defined, but operating in a way that aligns with real-world risk.  

The e1 assessment focuses on a defined set of foundational cybersecurity controls, selected based on current threat intelligence and common risk scenarios in healthcare environments. 

For the HOPPR™ AI Foundry, this certification means the in-scope system and supporting controls were assessed by an authorized external assessor and reviewed by HITRUST. These controls were independently assessed within a defined system boundary. 

Why HITRUST Certification Matters for Healthcare Organizations 

Healthcare organizations operate in one of the most security-sensitive environments in any industry. Vendor risk management processes require clear evidence that systems handling sensitive data are supported by structured and validated controls. 

HITRUST provides a standardized way to evaluate that. 

According to HITRUST’s 2025 Trust Report, organizations with HITRUST certifications reported a 0.59 percent incident rate in 2024, with 99.41 percent remaining breach-free. While no framework eliminates risk, this data reflects the impact of structured and consistently implemented controls. 

What matters is not the certification itself, but the discipline required to achieve and maintain it. These frameworks are effective when they reflect how systems are actually operated, not just how they are documented.  

HITRUST and HIPAA: A Stronger Compliance Posture

HITRUST and HIPAA are closely aligned, but they serve different purposes. 

HIPAA defines regulatory requirements for protecting health information. HITRUST translates those requirements into specific, measurable controls that can be assessed and validated. 

The HITRUST Common Security Framework incorporates HIPAA’s Security, Privacy, and Breach Notification Rules and maps those requirements into a structured framework. 

HOPPR operates as a HIPAA business associate. The HITRUST e1 Certification provides independent validation that the controls supporting the HOPPR™ AI Foundry align with a healthcare-focused framework that incorporates HIPAA requirements. 

Security as an Operational Discipline: How HITRUST e1 Certification Builds on SOC 2 Type I and Type II Attestation 

The HITRUST e1 Certification builds on the broader security program supporting the HOPPR™ AI Foundry, including SOC 2 Type I and Type II attestation.  

SOC 2 provides validation that controls are designed and operating effectively across general trust service criteria. HITRUST extends that validation into a framework tailored to healthcare, incorporating regulatory requirements and healthcare-specific risk models. 

Reaching this point required consistency more than speed. Security programs are built through daily execution, ensuring that we are thoughtful about how access is managed, how systems are configured, how events are monitored, and how issues are handled.  

There is a level of focus and discipline that comes with operating systems in healthcare. The data moving through these environments represents real patients and real care delivery. That responsibility shapes how we approach security at HOPPR.  

What HITRUST e1 Certification Means for Healthcare Customers and Partners 

For healthcare organizations evaluating AI platforms and infrastructure providers, security validation is a critical part of the process. 

These evaluations are detailed. Security questionnaires, architecture reviews, and compliance discussions require clear evidence that controls are not only defined but implemented and operating as expected. 

HITRUST e1 Certification provides a recognized, independently validated benchmark that supports vendor risk assessments, procurement reviews, and compliance evaluations. 

Our role in that process is straightforward: to provide clear evidence of how our systems are operated and to do so transparently.  

Maintaining Security and Compliance After HITRUST e1 Certification 

HITRUST e1 Certification is one step in an ongoing process of strengthening the security program supporting the HOPPR™ AI Foundry.  

Threat landscapes evolve. Infrastructure changes. New capabilities introduce new risks. 

Maintaining a strong security posture requires continuous monitoring, reassessment, and improvement. 

We approach this work with a long-term mindset. The goal is not to meet a point-in-time requirement, but to build and operate systems that remain trustworthy as they scale.  

Secure Infrastructure for AI in Medical Imaging 

No certification replaces responsibility. Achieving this milestone required coordination and consistency across engineering, infrastructure, and security teams. Maintaining it will require continuous monitoring, reassessment, and improvement as the threat landscape evolves. We approach this work with a long-term mindset: the goal is not to meet a point-in-time requirement, but to build and operate systems that remain trustworthy as they scale. 

At HOPPR, no achievement like this belongs to one person. It’s the result of people showing up every day, doing the hard work with integrity, and holding each other accountable to a standard that goes beyond what’s required. I’m grateful to work with a team that approaches that work with discipline and a clear understanding of what’s at stake.  

To our customers and partners, thank you for your trust. We don’t take it lightly, and we never will. 
