Healthcare data infrastructure often moves faster than the security audits meant to govern it. HITRUST r2 Certification, the health industry's externally validated security credential, requires an independent examiner to test an organization's controls before the Health Information Trust Alliance issues the certificate. Eligible, Inc., a New York company whose Platform Services System routes transactions among healthcare providers, insurance agents, and insurers, announced July 7, 2026 that it earned that credential along with concurrent certification against the NIST Cybersecurity Framework version 1.1.

What HITRUST r2 actually requires

HITRUST r2 is the most rigorous tier the Health Information Trust Alliance certifies. An authorized external assessor works through a defined set of controls, tests whether each one functions in practice, and submits findings to HITRUST for review. The organization then issues or withholds the certificate. The "r2" designation refers to a risk-based scope that draws from multiple regulatory requirements and maps them into a single assessment. For Eligible, which sits between providers, agents, and insurers on every transaction its platform carries, that external check answers the first question a new counterparty raises before connecting: has someone outside the company independently tested this?

The NIST Cybersecurity Framework layer

The National Institute of Standards and Technology released the Cybersecurity Framework as a voluntary set of guidelines for managing cybersecurity risk. Version 1.1 organizes security activities into five functions: identify, protect, detect, respond, and recover. That common structure gives auditors and counterparties a shared vocabulary for comparing security programs across different organizations. Earning concurrent certification against it alongside HITRUST r2 means Eligible's Platform Services System was assessed against two methodologically distinct standards in a single review cycle.

Where transaction infrastructure sits in the healthcare data chain

Eligible describes itself as healthcare transaction infrastructure. That means the platform functions as the connection layer among a provider's office, an insurance agent, and an insurer when those parties need to exchange data. Security certification at that layer carries consequences for every party whose transactions flow through it. HITRUST r2 and NIST CSF v1.1 together produce documentation that an external party examined those controls rather than Eligible doing so itself.

Related reading