Advisories

HAA 2016-001: Clarification of HITRUST CSF Assurance Requirements Related to an Assessed Entity Outsourcing Selected HITRUST CSF Controls

Written by HITRUST | Mar 15, 2024 5:00:55 AM

Written by Ken Vander Wal, Chief Compliance Officer, HITRUST

Policy/Program Clarification Details
This bulletin clarifies the treatment of controls required for Certification in situations where certain controls are outsourced to a third party, and the impact of outsourced controls on a HITRUST CSF validated assessment.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, whether supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

Under no circumstances are outsourced controls or those supported by a third party considered “Not Applicable” when performing a CSF Assessment. All controls must be tested by an approved External Assessor, or the External Assessor must determine that the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. For example, External Assessors may be able to rely on a current CSF Certification report, CSF Validated Report, or a current SOC 2 report that is based on the HITRUST CSF criteria.

Rationale
HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. In many instances, the validated assessment is submitted with the outsourced controls listed as “Not Applicable”, or the External Assessors are provided with assessments performed with limited understanding of the scope, methodology, or assurance of accuracy relating to the controls in question. HITRUST has been returning these assessments to the External Assessor so that the required testing can be performed and the controls in question scored. HITRUST is releasing this bulletin to clarify the HITRUST CSF Assurance Program requirements related to the outsourcing of controls. This should allow External Assessors to communicate this requirement more clearly to their clients and prevent costly re-work related to outsourced controls.

Timetable for Implementation
Immediate: This bulletin is to clarify existing policy.