Whether you are maintaining your existing HITRUST certification or pursuing certification for the first time, now may be a good time to review the HITRUST guidance and ensure your policies and procedures are up to par.

Adjusting to the latest HITRUST assurance advisories

In June, HITRUST released 3 new assurance advisories relating to validated assessment enhancements (HAA 2021-002), identification of corrective action plans (CAPs) (HAA 2021-003), and MyCSF enhancements (HAA 2021-004).

You can read all 3 advisories here: https://hitrustalliance.net/advisories/

The following details summarize the changes from advisory HAA 2021-002: HITRUST CSF Validated Assessment Enhancements.

Policy and Procedure Incubation Period

What changed?

The minimum number of days that a remediated or newly implemented policy or procedure must be in place to be considered for scoring is being reduced from 90 days to 60 days.

For organizations currently in the remediation phase, policy and procedure updates now only need to have been in place for 60 days to be assessed during testing. Additionally, organizations undergoing a validated assessment can use policies and procedures that have been in place for 60 days. The number of days for the implemented, measured, and managed maturity levels is not changing; it remains at 90 days.

Also, it should be noted that any validated assessment which has already been submitted to HITRUST will not be able to be re-scored.

When is this effective?

This change is effective immediately. This change applies to all HITRUST CSF Validated Assessments that do not currently have a draft or final report posted.

Policy and Procedure Level Scoring

What changed?

HITRUST has updated the scoring requirements for the Policy and Procedure maturity levels. For both levels, the score is calculated based on the strength of the policy or procedure, as well as the percentage of CSF policy elements addressed by the documentation. This change impacts the strength criteria only. For Policy, the strength criteria are being reduced from 3 criteria to 1 criterion. For Procedure, the strength criteria are being reduced from 4 criteria to 1 criterion.

Policy

Prior strength criteria: To meet all formal policy criteria, documentation must:

  • Be formally approved by management,
  • Be communicated to stakeholders and workforce members of the organization,
  • Communicate management’s expectations of the control using phrases such as “shall,” “will,” or “must.”

Updated strength criterion: A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc.

Procedure

Prior strength criteria: To meet all formal procedure criteria, documentation must:

  • Be formally approved by management,
  • Be communicated to stakeholders and workforce members of the organization,
  • Include stakeholder responsibilities,
  • Include the operational aspects such as how, when, who, and on what the action/control/requirement is to be performed.

Updated strength criterion: A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.

Also, it should be noted that any validated assessment which has already been submitted to HITRUST will not be able to be re-scored.

When is this effective?

This change is effective immediately. This change applies to all HITRUST CSF Validated Assessments that do not currently have a draft or final report posted.

HITRUST CSF Certification Letter Issuance

What changed?

When an organization achieves HITRUST CSF Certification, HITRUST will also provide an additional stand-alone Certification Letter that does not include the Assessed Entity’s detailed scope information. This allows an organization to provide evidence of certification along with the flexibility to provide the correct level of detail they wish to share regarding their environment.

When is this effective?

This change is effective immediately and applies to all assessments that do not currently have a Final Report posted. If an organization has a current, valid certification, this letter can be requested from HITRUST support.

Important reminder on achieving HITRUST criteria

As advisories are released, LBMC evaluates their impact on our processes and on our clients. The latest advisories continue to enhance the quality of the CSF assessment program as well as reduce the time and effort needed to achieve certification.

If you have questions, please contact us. We are here to help you and guide you through these updates.