Whether you are maintaining your existing HITRUST certification or pursuing certification for the first time, now may be a good time to review the HITRUST guidance and ensure your policies and procedures are up to par.

Adjusting to the latest HITRUST scoring rubric

The latest version of the scoring rubric was released in September 2019 and is required for assessments submitted after December 31, 2019. In addition to outlining the scoring models for each of the five PRISMA maturity levels, the rubric also introduces some other key concepts. As HITRUST expectations during assessments have risen in alignment with the new rubric, companies and external assessors have had to adjust their testing approaches in parallel. The biggest challenges we have been seeing are outlined below:

To meet all formal policy criteria, documentation must:

  • Be formally approved by management,
  • Be communicated to stakeholders and workforce members of the organization,
  • Communicate management’s expectations of the control using phrases such as “shall,” “will,” or “must.”

To meet all formal procedure criteria, documentation must:

  • Be formally approved by management,
  • Be communicated to stakeholders and workforce members of the organization,
  • Include stakeholder responsibilities,
  • Include the operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.

Important reminders on achieving HITRUST criteria

It is equally important to remember that every policy element defined within the illustrative procedure must be formally documented in this fashion. If four separate elements are listed, be sure all four are defined with a “shall,” “will,” or “must” statement and subsequently supported by a procedure that defines the operational aspects for achieving each criterion.

As you make your policy and procedure updates, keep in mind that HITRUST’s CSF assurance program requirements mandate that assessors only consider evidence (including policies and procedures) that existed in the environment for at least 90 days.