We're HITRUST r2 Certified

We take the security and privacy of our customers’ and clients’ information seriously. In fact, ADVault offers the only digital advance care planning (ACP) tools and interoperable cloud-based storage that is HITRUST Risk-Based 2-year Certified – a significant differentiator for healthcare payers and providers when choosing an ACP solution vendor.


What is HITRUST r2? And why does HITRUST certification matter?

HITRUST Risk-Based 2-Year (r2) Certification is the United States equivalent to the European General Data Protection Regulation (GDPR) and is a systematic approach for managing data privacy and security above and beyond what HIPAA requires. This evaluation harmonizes multiple standards and more than 40 authoritative sources while providing prescriptive and granular control requirements and leveraging a common assurance methodology across all HITRUST Assessments. The HITRUST evaluation process involves engaging an independent HITRUST-Authorized, External Assessor to verify an organization has met all the industry-defined certification requirements relating to the security and privacy of sensitive data. The importance of HITRUST certification is further supported in “Why digital health companies should be HITRUST certified”, a compelling article by Jim Farrell for MedCity News.

What is the HITRUST ACP Solution Value Proposition?

Vendor risk management, data security and privacy, and quality audits are key factors to consider when choosing a digital ACP solution partner, as is the partner’s commitment to being fully vested in meeting the healthcare industry’s highest data security, privacy, and compliance requirements.

1. Partner with a Trusted ACP Solution Provider


ADVault is proud of the work we do, not only to keep our partners’ patients and members at the center of care when it matters most but also to ensure their sensitive data is secure. Our unique ability to pair critical security with accessibility is what allows patients and members to have control over when, how, and with whom their information is shared, as well as track who is accessing their data. In fact, every aspect of our MyDirectives Solutions platform is designed to prioritize strong cybersecurity and regulatory compliance.

2. Share Responsibility for Data Security and Privacy


Ensuring data security and privacy is a shared responsibility between healthcare technology systems and their users. It’s paramount that both parties do their part, as illustrated in the graphic below.

ADVault Shared Responsibility Model Graphic


The consumers and clients (in “yellow”) accessing the MyDirectives Solutions platform are responsible for the privacy and security of their devices (smartphones, tablets, laptops, desktops) as well as the applications (operating system, browser, authentication, etc.) they use to manage the personal data placed in our system.

Shared Responsibility

In turn, ADVault and the MyDirectives Solutions platform, the “healthcare technology system,” continually employ the most current security and privacy controls (in “blue”) to ensure patients, residents, and members have control over when, how, and with whom their ACP documents and portable medical order (PMO) forms are shared.


Each party has a role (in “green”) to maintain the integrity of their systems. Our HITRUST r2 certification demonstrates that we’ve fulfilled our responsibility to the highest standards in the industry, and that everyone can benefit from our implemented policies, architecture, and operational processes with confidence. In addition, MyDirectives Solutions features and functions enable compliant management of the platform and the data added to it.

3. Rely on Rigorous Annual Quality Audits


Maintaining HITRUST r2 certification is a continuous commitment and investment. Doing so requires an annual in-depth analysis and evidence-based investigation of over 256 different data privacy and protection domains with a HITRUST-Authorized External Assessor firm. Once again, ADVault has successfully completed its comprehensive cybersecurity compliance audit with KirkpatrickPrice.

The requirements imposed on companies seeking HITRUST Certification include the following:

  • Audit logging and monitoring of all access to all information systems.
  • Extensively documented policies and procedures around data security and privacy, including physical office and network security.
  • Comprehensive data encryption, both at rest and in transit (for example, hashed storage and encrypted transmission).
  • Thorough credential/key management, including multi-factor authentication and forced password changes with preset parameters.
  • Regularly updated and tested Business and Disaster Recovery Plans.

MyDirectives Solutions, powered by ADVault Inc., continues to be the only digital advance care planning tools and interoperable, cloud-based storage platform that is HITRUST Risk-Based r2 certified.

To learn more about the HITRUST certification process, or our regulatory compliance, data security, and privacy approach, contact one of our experts.
