FoxPointe Security Hub

HITRUST®: Changes Due to COVID-19


Like almost every organization doing business in 2020, HITRUST® has had to adopt some changes due to the COVID-19 pandemic. As the year progressed and the long-term impact of COVID-19 became clearer, HITRUST issued a series of changes to the guidelines and options for HITRUST-related assessments. Here is a recap of the main items to consider, both for an entity using HITRUST for a readiness or validated assessment and for HITRUST Authorized External Assessor Firms.

Virtual HITRUST Assessment Options

The first change came in March 2020 with Assurance Advisory HAA 2020-001, which encouraged External Assessors to exercise judgement when planning onsite visits and assessment-related travel, and waived the requirement that validation procedures be performed onsite: “Given that HITRUST assessments take place across the US as well as internationally, we acknowledge that some HITRUST assessments will be affected more than others. External Assessors should work closely with their clients to adjust travel plans as deemed necessary. To provide External Assessors added travel flexibility, HITRUST is waiving the requirement that in-person/on-site validation procedures be performed at the assessed entity’s facilities.” Where External Assessors, after speaking with their clients, do choose an alternative approach such as video conferencing to perform visual inspections and walkthroughs, the assessment documentation must clearly reflect the nature, timing, and extent of the procedures actually used.

HITRUST Assessment Timelines

The second Advisory related to COVID-19, HAA 2020-002, addressed the impact of the pandemic on assessment timelines. While this Advisory recaps the timing requirements for the different gates in the process, it made clear that those requirements were not being waived: “HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the HITRUST CSF® Assurance Program and the reliability of assessment reports.”

In the same Advisory, HITRUST goes on to say that “HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their External Assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF Assessment, we encourage you to keep all stakeholders apprised of the status of your HITRUST efforts.”

Introduction of HITRUST CSF Bridge Assessment

Lastly, I want to speak on one of the most impactful changes: the introduction of the HITRUST CSF Bridge Assessment, which allows an organization to maintain a form of HITRUST CSF Certification status for an additional 90 days even if it misses the submission due date for its validated assessment. It was introduced as an interim solution for organizations that could not complete their validation on time during the pandemic, because HITRUST will not extend the validity of a HITRUST CSF Certification past its two-year anniversary; doing so would degrade the reliability of the certification.

The result of a HITRUST CSF Bridge Assessment is a HITRUST CSF Bridge Certificate. This change was introduced in Assurance Advisory HAA 2020-004.

This is a forward-looking, temporary certificate issued by HITRUST and valid for 90 days from the expiration date of the organization’s previous HITRUST CSF Certification (the date on your certification letter and your HITRUST CSF Validated Report). For organizations impacted by COVID-19 that need extra time to complete a validation that was delayed, this is a great option.

Performing this assessment and obtaining this certificate demonstrates that the scoped control environment is unlikely to have changed, that its controls are unlikely to have lost their effectiveness, and that any such change is unlikely during the 90 days the certificate covers. Consequently, if you are going to pursue the HITRUST CSF Bridge Certificate, your organization should expect the next full validated assessment to be performed on the same environment and scope.

It is important to remember that a HITRUST CSF Bridge Assessment is NOT an extension of the organization’s existing certification, nor a replacement for the traditional HITRUST CSF Certification, because it does not provide an equivalent level of assurance.

To learn more about the HITRUST CSF Bridge Assessment process or anything HITRUST related, please reach out to jmartucci@bonadio.com.

FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.