HITRUST made several announcements in June of 2021 which could impact your HITRUST assessment.
Policy and Process Documentation
Detailed policies and procedures are a key requirement of demonstrating your compliance with the HITRUST CSF. On June 7, 2021, HITRUST issued HITRUST Assurance Advisory: HAA 2021-002, which provided new guidance on the maturity requirements for policy and process documentation. For policies and procedures to achieve full maturity, they will now be required to be in place for 60 days when the control is tested. Previously HITRUST required the policy and process documentation to be in place for 90 days at the time of testing.
HITRUST also provided guidance on the policy and procedure scoring. For a policy, the revised guidance indicates that the organization must have written, documented policies that specify the mandatory nature of the control requirement. For a process, the revised guidance indicates that a process must provide a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement. The implementation requirement is unchanged: the control must still be implemented for 90 days to achieve full maturity.
HITRUST also made a change to the Corrective Action Plan (CAP) requirements for gaps that relate solely to issues with the policy and process documentation. In HAA 2021-003, it was announced that if a gap is solely related to policy and procedure documentation, organizations will not be required to complete a CAP. If you already have a Validated Certification, you may contact HITRUST to have your report re-issued without the mandatory CAPs that relate only to your policy and process documentation.
Assessment Scoping Update
HITRUST continues to work to implement scoping factors that more accurately tailor the assessment to the organization.
HITRUST Assurance Advisory HAA 2021-004, issued on June 7, 2021, has implemented rules to help avoid inconsistent responses as noted below:
Is any aspect of the scoped environment hosted in the cloud?
    - A "Yes" here will automatically default the next two questions to "Yes".
Is the system(s) accessible from the internet?
    - A "Yes" here will automatically default the next question to "Yes".
Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?
    - A "Yes" here will automatically default the previous question to "Yes".
HITRUST will also allow the entity to determine if they want to include Measured and Managed levels in their assessment. If an organization does not have any documentation for Measured and Managed, they may indicate that, and the levels will not appear in their assessment.