
HAA 2021-010: HITRUST MyCSF Enhancements – Tasks and Notifications

Written by HITRUST | Mar 15, 2024 5:00:53 AM

Overview 
Tasks in MyCSF give HITRUST Assessed Entities and their HITRUST Authorized External Assessor Organizations the ability to track and respond to questions and follow-up items from HITRUST during assessment check-in and QA. Each task contains an action item for the Assessed Entity or External Assessor resulting from the check-in or QA review of the assessment by HITRUST. 

Some benefits of tasks in MyCSF include: 

  • Eliminates email communication from QA Analyst to Assessed Entity or External Assessor. 
  • Automates notifications to Assessed Entity or External Assessor when tasks are created. 
  • Clearly outlines (through individualized action items) what is needed to complete QA, including which party is responsible for completion. 
  • Better tracking of open items that need to be addressed by either Assessed Entity or External Assessor to complete QA. 
  • Better visibility into how long QA items have been open and the state the assessment is in. 
  • Ability to categorize tasks for trending analysis and the ability for HITRUST to provide more meaningful feedback to assessor firms. 

Task functionality is being introduced into MyCSF as part of a larger suite of enhancements to the MyCSF platform. These enhancements are being announced collectively in a series of five Assurance Advisories. These Assurance Advisories should be reviewed in the following order as the concepts introduced in each Assurance Advisory build upon each other: 

Tasks During Check-in 
When HITRUST CSF Validated, Interim, Bridge, and Readiness Assessments are submitted to HITRUST, they enter the Performing Check-In phase in which HITRUST performs automated QA checks and a high-level review of the assessment. Refer to HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows for more information related to the Check-In phase. 

For Validated Assessments, when the check-in review identifies a small number of potential issues, typically related to the required documents and webforms (e.g. Organization Information, Scope of the Assessment, Factors, VRA, Management Representation Letter, Test Plans, External Assessor Time Sheet, QA Checklist, and Audits and Assessments Utilized), HITRUST will create Check-In Tasks within the assessment for the External Assessor and Assessed Entity to address prior to the assessment being accepted by HITRUST. After the necessary Check-In Tasks have been resolved by the External Assessor and Assessed Entity, the assessment will be accepted by HITRUST, and the QA review will begin during the reserved QA Block. 

For Validated Assessments, when the check-in review identifies a larger number of potential issues, rather than creating Check-In tasks, HITRUST reverts the assessment back to the Performing Validation phase and supplies the External Assessor and Assessed Entity with a set of pre-QA quality recommendations to address the potential issues identified. For more information, refer to the Performing Check-In section of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows. 

For Interim and Bridge Assessments, when questions arise during the check-in review, HITRUST will create Check-In Tasks within the assessment for the External Assessor and Assessed Entity to address prior to the assessment being accepted by HITRUST. After the necessary Check-In Tasks have been resolved by the External Assessor and Assessed Entity, the assessment will be accepted by HITRUST and enter a queue to await the QA review. 

For Readiness Assessments, when the check-in review identifies an error with the Management Representation Letter, HITRUST will create a Check-In Task for the Management Representation Letter to be corrected. After the Check-In Task has been resolved by the Assessed Entity, the assessment will be accepted by HITRUST and HITRUST will prepare the draft report. 

Tasks During QA 
HITRUST CSF Validated, Interim, and Bridge Assessments undergo a Quality Assurance Review performed by a HITRUST QA Analyst. 

As the QA Analyst performs their review of the assessment, they will create QA Tasks for the External Assessor and Assessed Entity to address. All Assessed Entity and External Assessor users with access to the assessment in MyCSF will have access to view all tasks created within an assessment and may edit the Tasks assigned to their group. 

Over the normal course of QA, all QA questions will be sent to the External Assessor and Assessed Entity via Tasks within MyCSF, eliminating the need for the QA Analyst to send some QA questions through email or offline documents. However, if the QA review identifies more significant QA concerns than normal, rather than creating tasks, HITRUST will provide the External Assessor with a workbook outlining the QA concerns, communicate via email to the External Assessor and Assessed Entity, and will meet with the External Assessor to review those concerns to bring them to resolution. 

Task Management View 


 

Each HITRUST CSF Validated, Interim, Bridge, and Readiness Assessment will contain an Assessment Task Management page that can be accessed by clicking Tasks in the left navigation bar within an assessment. The Assessment Task Management page is where Check-In and QA Tasks for a particular assessment can be addressed and where the status of open and pending tasks can be tracked. 

When the Assessment Task Management page is accessed by an Assessed Entity or External Assessor user, the My Task Queue displays all open tasks assigned to the user’s group. For a listing of all tasks within the assessment, the All Tasks tab may be viewed by any user. 

The My Task Queue and All Tasks tabs contain the following task information: 

  • Assessment Task Number: The unique identifier assigned to the task. 
  • Name: The name of the task. 
  • Organization Name: The Assessed Entity organization name. 
  • Assessment Name: The name of the Assessment that the task is for. 
  • Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST). 
  • Type: The type of task (General or Proposed; see the Types of Tasks section below for the details of each task type). 
  • Date Opened: The date that HITRUST initially opened the task. 
  • Date Assigned: The date the task was assigned to the group to which it is currently assigned. 
  • Days Assigned: The number of days the task has been assigned to the current group since it was last assigned. 
  • Date Completed: The date that HITRUST closed the task.
  • Status: The status of the task (Open, Pending, or Closed).
    • Open: The task is assigned to the Assessed Entity or External Assessor awaiting a response.
    • Pending: The Assessed Entity or External Assessor has responded to the task and the task is awaiting review by the Check-in or QA Analyst.
    • Closed: The HITRUST Check-in or QA Analyst agrees that the task has been addressed and can be considered complete. 

The Assessment Task Management page also contains a pie chart displaying the number of open and pending tasks assigned to each group, as well as a banner indicating whether there are any requirement statements or CAPs within the assessment that require attention due to a change made via a task. 

In addition to the assessment-specific Task Management page, Assessed Entity and External Assessor users may access a global Task Management page from the top navigation bar of MyCSF to view tasks within all assessments to which the user has access. When accessing either the global Task Management page or an assessment-specific Task Management page, the user may sort and filter the tasks displayed based on the task type, current assigned group, status, and more. Additionally, users have the option to download a .CSV file containing task information. 

Additional information related to the status of tasks and other open items may be accessed via the Assessment Details View (see HAA 2021-008: HITRUST MyCSF Enhancements – Status Dashboards for details). 

Types of Tasks 
During Check-in and QA, two types of tasks may be created: General Tasks and Proposed Tasks. 

General Tasks
A general task opens a screen or a field to be edited by the Assessed Entity or External Assessor. 

For example, a general task could allow the: 

  • Assessed Entity to edit the Organization Information or the Scope of the Assessment Webform. 
  • External Assessor or Assessed Entity to edit the Audit and Assessments Utilized Webform. 
  • Assessed Entity to edit the Representation Letter Webform. 
  • Assessed Entity to edit the Validated Report Agreement Webform. 
  • Assessed Entity to update a CAP (Corrective Action Plan) response. 
  • Assessed Entity to edit a Not Applicable rationale. 
  • External Assessor to edit document linkages for a requirement statement. 

Within a general task, the Assessed Entity and External Assessor will see the following: 

  • Assessment Task Number: The unique identifier assigned to the task. 
  • Description: A description of the task. 
  • Name: The name of the task. 
  • Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST). 
  • Created: The date that HITRUST initially opened the task. 
  • Last Assigned: The date that the task was assigned to the group to which it is currently assigned. 
  • Status: The status of the task (Open, Pending, or Closed). 
  • Assessment Location: A link to the area of the assessment to which the task pertains (example: Factors page, a specific requirement statement, etc.). 
  • Field to be Updated: When the assessment field that the task pertains to can be updated within the task itself, the field name and its current value are present within the task. If an assessment field is not present within the task, an Assessment Location link can be used to access the area of the assessment to which the task pertains to make the requested update in that location. 
  • HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to describe the question or request within the task. 
  • New Comments: A field to allow the Assessed Entity, External Assessor, and HITRUST Check-In or QA Analyst to comment to each other within the task. 
  • History: A log of the creation and assignment changes of the task, as well as any changes to assessment fields made within the task. 

During Check-In and QA, HITRUST will initially assign all general tasks to the External Assessor. This allows the External Assessor to review each general task and take one of the following next steps: 

  • Address the task: When the general task includes a request from HITRUST to update document linkages, Test Plans, the External Assessor Time Sheet, or the Audits and Assessments Utilized Webform, the External Assessor may address the task by making the requested update on the relevant assessment page. After making the requested update, the External Assessor should leave a comment within the task to state the update that was made and should send the task back to HITRUST. 
  • Leave a comment within the task and send it back to HITRUST: If the External Assessor would like to respond to the task by leaving a comment or question for the Check-in or QA Analyst, the External Assessor may enter their comment within the task and send the task back to HITRUST. Some examples for when this option may be used are: 
    • The task contains a question from HITRUST that does not require any assessment content to be updated. In this case, the External Assessor may answer the question by leaving a comment within the task and sending the task to HITRUST. 
    • The task contains a request from HITRUST for assessment content to be updated, but the External Assessor does not understand the request or has a question related to the request. In this case, the External Assessor may leave their question as a comment within the task and send the task to HITRUST. 
    • The task contains a request from HITRUST for assessment content to be updated, but the External Assessor does not agree with the request. In this case, the External Assessor may leave a comment within the task to explain their disagreement and send the task to HITRUST. 
  • Send the task to the Assessed Entity to be addressed: When the general task is a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the general task should be sent to the Assessed Entity. 

When the External Assessor has assigned a general task to the Assessed Entity, the Assessed Entity may take one of the following next steps: 

  • Leave a comment within the task and send it back to the External Assessor: If the Assessed Entity would like to respond to the task by leaving a comment or question for the External Assessor or the HITRUST Check-in or QA Analyst, the Assessed Entity may enter their comment within the task and send the task back to the External Assessor. 
    • The task contains a question from HITRUST that does not require any assessment content to be updated. In this case, the Assessed Entity may answer the question by leaving a comment within the task and sending the task to the External Assessor. 
    • The task contains a request from HITRUST for assessment content to be updated, but the Assessed Entity does not understand the request or has a question related to the request. In this case, the Assessed Entity may leave their question for the External Assessor or HITRUST as a comment within the task and send the task to the External Assessor. 
    • The task contains a request from HITRUST for assessment content to be updated, but the Assessed Entity does not agree with the request. In this case, the Assessed Entity may leave a comment within the task to explain their disagreement and send the task to the External Assessor. 
  • Address the task: When the general task includes a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the Assessed Entity may address the task by making the requested update. Depending on the instructions within the task, the requested update will either be made within the task itself or on the relevant page of the assessment. After addressing the task, the Assessed Entity should leave a comment within the task to state the update that was made and should send the task back to the External Assessor. 

General tasks may be sent back and forth between the Assessed Entity and External Assessor as many times as needed for the task to be addressed. When the task has been addressed, the External Assessor should send the task to HITRUST. After the general task has been sent back to HITRUST by the External Assessor, HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to explain any additional action needed and send the task back to the External Assessor. 

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a general task may generate additional requirement statements or CAPs that must be addressed before Check-in or QA is completed. (For more information refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows.) When any requirement statements or CAPs within the assessment require attention during Check-in or QA, the Task Management page will display a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the Assessment Homepage where those requirement statements and CAPs will be identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during Check-In or QA: 

  • When a requirement statement score is updated through a general task, the requirement statement will have a status of External Assessor Review Pending to allow the External Assessor to review and thumb up the updated score and link documents as needed. 
  • When a requirement statement score is lowered through a general task, after the External Assessor has reviewed and thumbed up the score, new required CAPs may be generated. Any requirement statements requiring CAPs during QA will have a status of CAP Required to allow the Assessed Entity to enter a CAP and then the External Assessor to review the CAP. 

Proposed Tasks
A proposed task allows HITRUST to propose a specific value for a field. For this type of task, the Assessed Entity or External Assessor can only apply the value proposed by HITRUST and cannot change any other fields within MyCSF. 

For example, a proposed task can be used to change a: 

  • Technical Factor answer from ‘No’ to ‘Yes’ or vice versa. 
  • Geographical Factor answer from drop-down menu options. 
  • Requirement which has been scored to Not Applicable. 
  • Maturity level score to a specific proposed value. 

Within a proposed task, the Assessed Entity and External Assessor will see the following: 

  • Assessment Task Number: The unique identifier assigned to the task. 
  • Description: A description of the task. 
  • Name: The name of the task. 
  • Assigned: The group to which the task is currently assigned (Subscriber, External Assessor, or HITRUST). 
  • Created: The date that HITRUST initially opened the task. 
  • Last Assigned: The date that the task was assigned to the group to which it is currently assigned. 
  • Status: The status of the task (Open, Pending, or Closed). 
  • Assessment Location: A link to the area of the assessment to which the task pertains (example: Factors page, a specific requirement statement, etc.). 
  • Field to be Updated: The name of the assessment field that the proposed change is for, as well as its current value and proposed value. 
  • HITRUST Comments: A comment from the HITRUST Check-In or QA Analyst to describe the question or request within the task. 
  • New Comments: A field to allow the Assessed Entity, External Assessor, and HITRUST Check-In or QA Analyst to comment to each other within the task.
  • History: A log of the creation and assignment changes of the task as well as any changes to assessment fields made within the task.

During Check-In and QA, HITRUST will initially assign all proposed tasks to the External Assessor. This allows the External Assessor to review each proposed task and take one of the following next steps: 

  • Apply the Proposed Change: The External Assessor may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. The External Assessor is expected to discuss any proposed changes with the Assessed Entity prior to applying them. After applying the change proposed within the task, the task will automatically be sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment will be notified of the change via email and MyCSF notifications. The notifications outline whether a factor response or requirement statement score was changed, the email address of the individual who applied the proposed change, and whether there is a new requirement statement or CAP to be addressed. 
  • Reject the Proposed Change: If the External Assessor does not agree with the proposed change, the External Assessor may reject the proposed change. When rejecting the proposed change, the External Assessor is required to enter a comment within the task to explain why the change was rejected. The task will automatically be sent back to HITRUST. 
  • Send the task to the Assessed Entity to be addressed: If the External Assessor would like the Assessed Entity to review the task and make the decision to either apply or reject the proposed change, the External Assessor may send the task to the Assessed Entity. 

When the External Assessor has assigned a proposed task to the Assessed Entity, the Assessed Entity may take one of the following steps: 

  • Apply the Proposed Change: The Assessed Entity may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. After applying the change proposed within the task, the task will automatically be sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment will be notified of the change via email and MyCSF notifications. The notifications outline: whether a factor response or requirement statement score was changed; the email address of the individual who applied the proposed change; and whether there is a new requirement statement or CAP to be addressed. 
  • Reject the Proposed Change: If the Assessed Entity does not agree with the proposed change, the Assessed Entity may reject the proposed change. When rejecting the proposed change, the Assessed Entity will be required to enter a comment within the task to explain why the change was rejected. The task will automatically be sent back to HITRUST. 

When the proposed task has been either applied or rejected by the Assessed Entity or the External Assessor, it will be automatically sent back to HITRUST. HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to provide additional explanation or answer a question and send the task back to the External Assessor. If a proposed task has been rejected and a different change needs to be proposed, HITRUST will create a new proposed task. Additionally, if any new issues are identified during check-in or QA, a new proposed task will be created. 

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a proposed task may generate additional requirement statements or CAPs that must be addressed before QA is completed (for more information refer to the Addressing Check-in Tasks and Addressing QA Tasks sections of HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows). When any requirement statements or CAPs within the assessment require attention during Check-in or QA, the Task Management page will display a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the Assessment Homepage where those requirement statements and CAPs will be identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during Check-In or QA: 

  • When a factor response is updated through a proposed task, additional requirement statements may be added to the assessment in the status Response Needed for New Statement to allow the Assessed Entity to score the requirement statement and then the External Assessor to review and link documents. 
  • When a requirement statement score is lowered through a proposed task, new required CAPs may be generated. Any requirement statements requiring CAPs during QA will have a status of CAP Required to allow the Assessed Entity to enter a CAP and then the External Assessor to review the CAP. 

Notification of Check-in and QA Tasks 

Throughout the Check-in and QA processes, the Assessed Entity and External Assessors assigned to the assessment will receive email and MyCSF notifications each time that the assessment changes phase. Those notifications include information related to tasks and other open items. For more information see HAA 2021-007: HITRUST MyCSF Enhancements – New Assessment Workflows. 

Assessed Entities and External Assessors will also receive two summary emails for assessments that are undergoing Check-In and QA. The two additional email notifications are: 

  • Open Item Summary: A summary of all open items (tasks, requirement statements, and PQIs) assigned to the Assessed Entity, External Assessor, and HITRUST for assessments that have been submitted to HITRUST and are undergoing check-in or QA. This email will be received weekly by default. However, users have the option to set their email preferences to receive it daily. 
  • New Item Summary: A summary of all new items (tasks, requirement statements, and PQIs) assigned to you for assessments that have been submitted to HITRUST and are undergoing check-in or QA. This email will be received daily by default. However, users have the option to set their email preferences to receive it hourly, daily, weekly, or never. 

For instructions on configuring the frequency of these summary emails please see Summary Email Preferences. 

Implementation 
HITRUST CSF Validated Assessments 

Tasks will be utilized during the Check-In and QA Reviews for all Validated Assessments created on or after February 15, 2022, as well as all existing Validated Assessments meeting all the following criteria on February 15, 2022: 

  • Assessment has not previously been submitted to HITRUST. 
  • Assessment is in the Not Started or Answering Assessment state. 
  • No assessment domains have been submitted to the External Assessor for review. 

HITRUST CSF Interim and Bridge Assessments 
Tasks will be utilized during the Check-In and QA Reviews for all Interim and Bridge Assessments created on or after February 15, 2022. Interim and Bridge assessments created prior to February 15, 2022, will not be affected. 

HITRUST CSF Readiness Assessments 
Tasks will be utilized during the Check-In Review for all Readiness Assessments created on or after February 15, 2022, as well as all existing Readiness Assessments meeting all the following criteria on February 15, 2022: 

  • Assessment has never been submitted to HITRUST. 
  • Assessment is in the Not Started or Answering Assessment state. 

Additional Resources 
A video walk-through of the process for responding to tasks is available here.