Navitus Sets New PBM Standard, Pairing Transparency with Elite Security
- 18 million lives served: Navitus protects the health information of over 18 million individuals.
- Third consecutive HITRUST r2 Certification: Achieved the highest level of cybersecurity validation for the third time.
- 800 clients: The certification provides assurance to 800 clients, including strategic owners SSM Health and Costco.
Experts view Navitus's HITRUST r2 Certification as a critical validation of its cybersecurity resilience, reinforcing trust in its transparent business model and operational integrity within the healthcare industry.
MADISON, WI – January 19, 2026 – In an era where data is as valuable as currency, Navitus, the nation's largest transparent pharmacy benefit manager (PBM), has solidified its commitment to information security by earning the prestigious HITRUST Risk-based, 2-year (r2) Certification. The announcement marks the third consecutive time the Madison-based firm has achieved this high-level validation, signaling a deepening commitment to protecting the sensitive health information of the more than 18 million lives it serves.
While certifications can often seem like corporate jargon, this achievement represents a critical strategic move in a healthcare sector besieged by cyber threats. For a PBM, which sits at the nexus of patient data, prescription claims, and complex financial transactions, proving the integrity of its digital infrastructure is no longer an option—it is a foundational requirement for trust.
Deconstructing the Gold Standard in Data Protection
Not all cybersecurity validations are created equal. The HITRUST r2 Certification is widely regarded as the gold standard for the healthcare industry, representing the highest level of assurance offered by the HITRUST Alliance. It goes far beyond a simple checklist for HIPAA compliance, providing a comprehensive, prescriptive, and certifiable framework for risk management.
Achieving r2 certification involves a rigorous, multi-faceted evaluation of an organization's security controls. Unlike frameworks that offer general guidance, HITRUST requires a detailed assessment performed by an independent third-party assessor. This process validates not only that security controls are in place but also that they are operating effectively and are measured and managed consistently. The framework harmonizes dozens of authoritative sources, including federal regulations like HIPAA and globally recognized standards such as NIST, ISO, and OWASP, into a single, integrated structure. This allows an organization to “assess once, report many,” demonstrating compliance across multiple requirements simultaneously.
The “r2” designation signifies a risk-based, two-year certification cycle that includes a mandatory interim assessment after one year. This ensures that an organization’s security posture is not just a snapshot in time but a continuously monitored and adaptive system, capable of evolving to meet the latest threat intelligence. For Navitus, this means its pharmacy claims processing platform has been tested and proven resilient against a sophisticated and ever-changing threat landscape.
Fortifying Defenses in Healthcare's Digital Battlefield
The PBM industry operates at the heart of the U.S. healthcare system, managing prescription drug benefits for hundreds of millions of Americans. This central role makes PBMs a prime target for cybercriminals, who see their vast repositories of Protected Health Information (PHI) and financial data as a treasure trove. Ransomware attacks can cripple operations, disrupting patient access to medication, while data breaches can expose the most sensitive details of an individual's health journey.
In this high-stakes environment, health plans, employers, and government entities are placing unprecedented scrutiny on the security practices of their business associates. A data breach originating with a vendor can have devastating consequences for all parties involved, leading to regulatory fines, legal liabilities, and a profound loss of patient trust. Consequently, demonstrating robust, validated cybersecurity is becoming a non-negotiable aspect of vendor selection and a critical component of risk management for health plan sponsors.
By securing its third consecutive HITRUST certification, Navitus is proactively addressing these industry-wide concerns. It provides tangible assurance to its 800 clients—and its strategic owners, SSM Health and Costco—that their data is being handled according to the most stringent standards. This certification streamlines the due diligence process for clients, who can rely on the HITRUST validation as comprehensive proof of a mature and effective security program.
A New Value Proposition: Transparency Reinforced by Trust
Navitus built its reputation on a disruptive business model: radical transparency. As a pass-through PBM, it passes 100% of drug manufacturer rebates and pharmacy discounts directly to its clients, a stark contrast to traditional PBMs often criticized for opaque pricing and retaining a portion of savings. However, financial transparency alone is not enough to build enduring partnerships in healthcare. That transparency must be built on a foundation of operational integrity and data security.
The HITRUST r2 Certification powerfully reinforces this value proposition. It demonstrates that while the company is open about its financial dealings, it is uncompromisingly guarded when it comes to protecting client and member data. This fusion of financial clarity and validated security creates a holistic definition of trust that resonates with risk-averse clients.
“Our clients rely on us to manage pharmacy benefits responsibly and to protect the data that enables those services,” said Darryl Munden, Chief Operating Officer at Navitus Health Solutions. “Earning HITRUST r2 Certification strengthens our long-standing record of independent validation.”
This sentiment is echoed by leaders in the cybersecurity field. “Earning HITRUST Certification demonstrates Navitus’ commitment to managing information risk and protecting sensitive data through a rigorous, proven assurance process,” noted Gregory Webb, CEO of HITRUST. “This achievement reflects the organization’s proactive approach to cybersecurity and trust.”
Building a Framework of Comprehensive Excellence
Navitus’s focus on third-party validation extends beyond cybersecurity. The HITRUST r2 Certification is the cornerstone of a broader framework of quality and compliance that includes accreditations from other leading healthcare bodies. The company also holds accreditations from the National Committee for Quality Assurance (NCQA) for Utilization Management and a certification for its Health Information Product-Pharmacy Benefit, as well as accreditation from the Utilization Review Accreditation Commission (URAC) for Pharmacy Benefit Management.
These additional credentials address the clinical and operational quality of Navitus’s services. NCQA accreditation focuses on evidence-based decision-making and patient safety in managing drug utilization, while URAC accreditation validates best practices in areas like claims processing, formulary management, and consumer protection. Together, these accolades paint a picture of an organization committed to excellence across every facet of its operations.
While HITRUST ensures the digital vaults are secure, NCQA and URAC accreditations assure clients that the services themselves are delivered with clinical integrity and operational excellence. This comprehensive approach to quality and risk management demonstrates a deep-seated organizational culture dedicated to setting the highest possible standards, providing a powerful assurance of reliability and value in the complex world of pharmacy benefits.