Overview
HITRUST assessments for CSF versions 9.x and later will no longer create CAPs for gaps that only exist at the Policy and/or Procedure maturity levels. This change is being made to continue HITRUST’s emphasis on the Implemented maturity level, as described in HITRUST Assurance Advisory 2021-002, without compromising the integrity or Rely-Ability of the HITRUST CSF Certification.
Implementation and Timeline
HITRUST will not create a required CAP for a gap identified in the Policy and/or Procedure maturity level if there is not a gap at the Implemented maturity level. This change will be applied starting on June 24, 2021, as follows:
HITRUST CSF Validated Assessments
For any existing HITRUST CSF Validated Assessment, Table 1 summarizes how the change will be applied by HITRUST MyCSF state. For any HITRUST CSF Validated Assessments participating in the Assurance Enhancements Beta Program, you will receive an alternate communication to describe how the change will be applied to your participating assessments.
Table 1
| MyCSF State | Application of the Change and Notification |
| --- | --- |
| Not Started | MyCSF will automatically apply the change to the assessment. When the draft reports are posted, CAPs will be generated such that a required CAP will not be created if gaps only exist at the Policy and/or Procedure maturity levels. |
| Draft Report Posted – Awaiting CAP Responses | |
| Final Report Posted | No changes will be applied to MyCSF by default. |
HITRUST CSF Readiness Reports
All HITRUST CSF Readiness Assessments created on or after June 24, 2021, will automatically be configured to not create a required CAP if gaps only exist at the Policy and/or Procedure maturity levels.
For any existing HITRUST CSF Readiness Assessment, Table 2 summarizes how the change will be applied by MyCSF state.
Table 2
| MyCSF State | Application of the Change and Notification |
| --- | --- |
| Not Started | |
| Draft Report Posted | |
| Final Report Posted | No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information. |
Reissuing Reports
Assessed Entities who are interested in optionally having a Final Report reissued to reflect this change must meet both of the following criteria in order to qualify:
- Have a recently issued Final Report (that used the prior CAP logic), which is defined as follows:
  - For HITRUST CSF Validated Assessment reports: An active certification in the ‘Final Report Posted’ state within MyCSF.
  - For HITRUST CSF Readiness reports: A report dated no earlier than June 24, 2020.
- Currently be an active MyCSF subscriber with access to the completed assessment (assessment cannot be archived).
Assessed Entities who purchased only the HITRUST CSF Readiness or Validated Assessment report without subscribing to MyCSF are ineligible to have their report reissued.
Qualified and interested Assessed Entities should contact their Customer Success Manager to obtain pricing information and initiate the reissuance process.
For Assessed Entities who do have their final report reissued, the following actions will be taken:
- Upon initiation of the reissuance process:
  - For HITRUST CSF Validated Assessments, the existing certified assessment within MyCSF will be decertified and the existing HITRUST CSF Validated Assessment report will be considered invalid.
  - For HITRUST CSF Readiness Assessments, no action will be taken.
  - For both HITRUST CSF Validated and Readiness Assessments, a clone of the original assessment will automatically be made and put into a state of ‘Draft Report Posted – CAPs Complete’ for HITRUST CSF Validated Assessments or a state of ‘Assessment Submitted to HITRUST’ for HITRUST CSF Readiness Assessments. Upon creation of the clone, the original assessment will be automatically archived.
- A QA analyst will post the revised final report to the cloned assessment in MyCSF.
- For HITRUST CSF Validated Assessments:
  - The cloned assessment will be marked as certified using the date from the original assessment, so this change does not alter or extend the date of certification.
  - If applicable, the previously completed Interim Assessment will be linked to the cloned assessment.
Impact on Interim Assessments for Reissued HITRUST CSF Validated Assessments
For Assessed Entities who choose to optionally reissue a HITRUST CSF Validated Assessment report, there could potentially be an impact on their Interim Assessment. To understand the potential impact on their Interim Assessment, Assessed Entities and their External Assessors should review the following scenarios.
- Scenario 1 – The Interim Assessment has not been generated by MyCSF.
  The Interim Assessment will be automatically generated based upon the new cloned Validated Assessment.
- Scenario 2 – The Interim Assessment has been generated by MyCSF but has not been submitted to HITRUST.
  Upon initiating the reissuance process, the existing Interim Assessment will be refreshed to remove any requirements that were CAPs but have been moved to gaps based upon the change in CSF Validated Assessment and maintain at least one requirement per domain within the Interim Assessment.
- Scenario 3 – The Interim Assessment has been submitted to HITRUST, but the Interim Letter has not been posted.
  No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.
- Scenario 4 – The Interim Assessment has already been completed.
  No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment.
Additional Resources
Click here for a list of anticipated questions and answers.