HAA 2021-003: CAP Identification Changes

Written by HITRUST | Mar 15, 2024 5:00:52 AM

Overview 
HITRUST assessments for CSF versions 9.x and later will no longer create CAPs for gaps that exist only at the Policy and/or Procedure maturity levels. This change continues HITRUST’s emphasis on the Implemented maturity level, as described in HITRUST Assurance Advisory 2021-002, without compromising the integrity or Rely-Ability of the HITRUST CSF Certification.

Implementation and Timeline 
HITRUST will not create a required CAP for a gap identified in the Policy and/or Procedure maturity level if there is not a gap at the Implemented maturity level. This change will be applied starting on June 24, 2021, as follows:

HITRUST CSF Validated Assessments 
For any existing HITRUST CSF Validated Assessment, Table 1 summarizes how the change will be applied by HITRUST MyCSF state. For any HITRUST CSF Validated Assessments participating in the Assurance Enhancements Beta Program, you will receive an alternate communication describing how the change will be applied to your participating assessments.

Table 1

| MyCSF State | Application of the Change and Notification |
| --- | --- |
| Not Started; Answering Assessment; Assessment Submitted to HITRUST; Undergoing QA; Awaiting External Assessor Response to QA; External Assessor Response Received; Undergoing Compliance Review; Compliance Review Complete | MyCSF will automatically apply the change to the assessment. When the draft reports are posted, CAPs will be generated such that a required CAP will not be created if gaps only exist at the Policy and/or Procedure maturity levels. |
| Draft Report Posted – Awaiting CAP Responses; Draft Report Posted – CAPs Complete | The assigned QA Analyst will manually apply the change to the assessment. A notification of any CAPs that were moved to gaps will be sent to the Assessed Entity, External Assessor, and assigned QA Analyst. The assessment will be returned to the Compliance Review Complete state and the assigned QA Analyst will post a revised draft report to MyCSF. |
| Final Report Posted | No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information. |

HITRUST CSF Readiness Reports 
All HITRUST CSF Readiness Assessments created on or after June 24, 2021, will automatically be configured to not create a required CAP if gaps only exist at the Policy and/or Procedure maturity levels. 

For any existing HITRUST CSF Readiness Assessment, Table 2 summarizes how the change will be applied by MyCSF state. 

Table 2

| MyCSF State | Application of the Change and Notification |
| --- | --- |
| Not Started; Answering Assessment; Assessment Submitted to HITRUST | MyCSF will automatically apply the change to the assessment. |
| Draft Report Posted | MyCSF will automatically apply the change to the assessment. The assessment will be returned to the Assessment Submitted to HITRUST state and the assigned HITRUST Analyst will post a revised Draft Report to MyCSF. |
| Final Report Posted | No changes will be applied to MyCSF by default. Please see the Reissuing Reports section of this Advisory for more information. |

Reissuing Reports 
Assessed Entities who are interested in optionally having a Final Report reissued to reflect this change must meet both of the following criteria in order to qualify: 

  • Have a recently issued Final Report (that used the prior CAP logic), which is defined as follows:
      • For HITRUST CSF Validated Assessment reports: An active certification in the ‘Final Report Posted’ state within MyCSF.
      • For HITRUST CSF Readiness reports: A report dated no earlier than June 24, 2020.
  • Currently be an active MyCSF subscriber with access to the completed assessment (assessment cannot be archived).

Assessed Entities who purchased only the HITRUST CSF Readiness or Validated Assessment report without subscribing to MyCSF are ineligible to have their report reissued. 

Qualified and interested Assessed Entities should contact their Customer Success Manager to obtain pricing information and initiate the reissuance process. 

For Assessed Entities who do have their final report reissued, the following actions will be taken: 

  • Upon initiation of the reissuance process:
      • For HITRUST CSF Validated Assessments, the existing certified assessment within MyCSF will be decertified and the existing HITRUST CSF Validated Assessment report will be considered invalid.
      • For HITRUST CSF Readiness Assessments, no action will be taken.
      • For both HITRUST CSF Validated and Readiness Assessments, a clone of the original assessment will automatically be made and put into a state of ‘Draft Report Posted – CAPs Complete’ for HITRUST CSF Validated Assessments or a state of ‘Assessment Submitted to HITRUST’ for HITRUST CSF Readiness Assessments. Upon creation of the clone, the original assessment will be automatically archived.
  • A QA analyst will post the revised final report to the cloned assessment in MyCSF.
  • For HITRUST CSF Validated Assessments:
      • The cloned assessment will be marked as certified using the date from the original assessment, so this change does not alter or extend the date of certification.
      • If applicable, the previously completed Interim Assessment will be linked to the cloned assessment.

Impact on Interim Assessments for Reissued HITRUST CSF Validated Assessments 
For Assessed Entities who choose to optionally reissue a HITRUST CSF Validated Assessment report, there could potentially be an impact on their Interim Assessment. To understand the potential impact on their Interim Assessment, Assessed Entities and their External Assessors should review the following scenarios. 

  • Scenario 1 – The Interim Assessment has not been generated by MyCSF. 
    The Interim Assessment will be automatically generated based upon the new cloned Validated Assessment. 
  • Scenario 2 – The Interim Assessment has been generated by MyCSF but has not been submitted to HITRUST. 
    Upon initiating the reissuance process, the existing Interim Assessment will be refreshed to remove any requirements that were CAPs but have been moved to gaps based upon the change in the CSF Validated Assessment, and to maintain at least one requirement per domain within the Interim Assessment.
  • Scenario 3 – The Interim Assessment has been submitted to HITRUST, but the Interim Letter has not been posted. 
    No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment. 
  • Scenario 4 – The Interim Assessment has already been completed. 
    No changes will be applied to the Interim Assessment. HITRUST will link the existing Interim Assessment to the cloned Validated Assessment. 

Additional Resources 
Click here for a list of anticipated questions and answers.