By Jeremy Huval, Chief Compliance Officer
As COVID-19 continues to spread across the globe and affect the way we live and work, countries around the world have established travel restrictions, social gathering limitations, social distancing guidance, and—in some cases—shelter-at-home orders. This has led many organizations to adopt work-from-home programs and to restrict access to their offices to employees only. These actions have consequences for organizations undergoing HITRUST CSF Assessments, and for their HITRUST Authorized External Assessors.
HITRUST has issued two CSF Assurance Program Bulletins prompted by the impact of COVID-19. However, the current situation cannot and should not undermine the ‘rely-ability’ of HITRUST CSF Assessments, given that organizations depend on their accuracy and consistency. External Assessors should continue to comply fully with the HITRUST CSF Assurance Program Requirements.
Given restrictions on travel, meetings, and access to company sites, some assessed entities and External Assessors are facing practical difficulties in carrying out certain aspects of HITRUST CSF Assessments. Perhaps the most impacted aspect is the External Assessor’s ability to perform observation procedures to validate the implementation of HITRUST CSF Assurance Program Requirements related to physical and environmental protections. In response, External Assessors will need to develop alternative assessment procedures to gather sufficient, appropriate assessment evidence as a replacement for traditional observation procedures.
In the document accompanying this blog post, HITRUST has identified several level 1, 2, and 3 HITRUST CSF requirement statements for which the Implemented PRISMA level is typically validated through on-site observation procedures. For each, HITRUST has identified examples of alternative procedures to validate implementation in lieu of on-site observations; these are not intended to be the only viable alternative procedures. The underlying theme throughout these suggested alternative test procedures is to consider less traditional supporting artifacts—such as maintenance records, installation documentation, facility diagrams, etc.—which collectively evidence both the installation and ongoing operation of the associated HITRUST CSF requirement statements.
External Assessors are encouraged to engage with entities they assess to:
- Develop and agree upon possible alternate assessment procedures for instances where an observation would normally be performed.
- Ensure that assessed entities understand that it is vital that assessors have sufficient, appropriate evidence to support validation of management’s implementation of the HITRUST CSF. Where assessors are unable to obtain such evidence to support their assessment, they will be unable to agree with “Fully Compliant” scoring.
In situations where External Assessors choose to leverage alternative validation procedures, assessment documentation must clearly reflect the nature, timing, and extent of the alternative procedures employed.
When performing a HITRUST CSF Assessment, External Assessors must ensure that all validation procedures they perform provide the necessary level of assurance over the assessed entity’s implementation of the HITRUST CSF. Even when alternate test procedures are employed, and even when a HITRUST CSF Validated Assessment is performed remotely, External Assessors must take all necessary steps to ensure that the ‘rely-ability’ and integrity of the assessment process are maintained.
HITRUST is actively considering what additional advice and guidance may be necessary to support the HITRUST ecosystem and will work with the CSF Assessor Council and Quality Subcommittee throughout the process. We want to ensure we maintain the integrity and effectiveness of the HITRUST CSF Assurance Program while being responsive and accommodating to changing market dynamics. We recognize that these are challenging times for organizations, and we welcome engagement with External Assessors and assessed entities who are working through the identification of alternate test procedures.