To help ensure the rely-ability of HITRUST CSF Validated Reports and Certifications, assessors and assessed entities must observe several requirements related to MyCSF access, training, assessments, reporting, and control implementation timing. These timing requirements are outlined in the HITRUST CSF Control Maturity Scoring Rubric, the HITRUST CSF Assurance Program Requirements, and the HITRUST CSF Assessment Methodology and include (but are not limited to):
- External assessor’s validated assessment fieldwork window (maximum):
- 90 calendar days prior to the date of submission of the validated assessment object to HITRUST.
- Minimum number of days that a remediated or newly implemented control must operate prior to assessor testing:
- 90 calendar days past the control’s implementation or remediation.
- Maximum age of testing performed by an Internal Assessor being relied upon by an External Assessor:
- 90 calendar days, as determined by comparing the External Assessor’s fieldwork start date of the internal assessor’s fieldwork start date.
- Window during which HITRUST will accept grammatical changes to a draft report:
- 30 calendar days from issuance of draft report.
- Days allowed for Corrective Action Plans (CAPs) to be entered into MyCSF:
- 30 calendar days from issuance of draft report.
- Interim assessment object submission due date:
- No later than the 1-year anniversary of the HITRUST CSF Certification (based on the HITRUST CSF Validated Report’s date).
- Validated assessment object submission due date for re-certification efforts:
- No later than the 2-year anniversary of the HITRUST CSF Certification (based on the organization’s previous HITRUST CSF Validated Report date).
- Duration of MyCSF access for report-only customers:
- 90 calendar days for validated assessments and 60 calendar days for interim assessments.
- Validity window for the CCSFP certification:
- Three years, subject to remaining current with required training. Practitioners are required to complete an online, annual refresher course each of the two years following classroom component completion and attend the full class again the third year to maintain the CCSFP certification. The training is due no later than the end of the month that corresponds with the certification’s original anniversary date.
- Validity window for the CHQP certification:
- Two years, and the full CHQP course and accompanying certification exam must be retaken no later than the end of the month that corresponds with the certification’s original anniversary date.
HITRUST acknowledges that the ability to consistently adhere to these timing-related requirements may be affected by the ongoing spread of COVID-19. While HITRUST has waived the External Assessor’s on-site requirement, HITRUST is not at this time issuing a blanket waiver for any timing requirements as doing so goes against the overall integrity of the CSF Assurance Program and the rely-ability of assessment reports.
However, HITRUST may issue discretionary, limited modifications or exceptions to these timing requirements to organizations who request them. Such requests should be sent in writing to HITRUST’s Compliance team at compliance@hitrustalliance.net. All timing extension and modification requests will be evaluated by HITRUST. Assessed entities and their assessors should not assume that all requests will be approved. For those organizations that may be delayed in obtaining a HITRUST CSF Certification or in completing a HITRUST CSF assessment, we encourage you keep all stakeholders apprised of the status of your HITRUST efforts.