HITRUST is enhancing e1 or i1 assessments to provide a “combined assessment” option, in which the HITRUST CSF requirements mapping to included authoritative sources (e.g. HIPAA) are included alongside their assessment of the “core” e1 (44) or i1 (182) HITRUST requirement statements.
When an assessed entity opts to combine their e1 or i1 validated assessment with the HITRUST CSF requirements mapping to one or more authoritative sources, the assessed entity will receive Insights Reports for each added authoritative source in addition to their e1 or i1 HITRUST CSF Report. Insights Reports provide easy-to-understand and reliable reporting focused on the authoritative sources included in the e1 or i1 assessment. These reports may be shared with internal and external stakeholders of the assessed entity to illustrate the organization’s control maturity against HITRUST CSF requirements mapping to the added authoritative sources in a clear and concise format.
Insights Reports allow assessed entities to:
A sample HIPAA Insights Report may be found here.
The following sections outline the changes that enable combined e1 and i1 assessments.
Factors Page
The Factors page within e1 and i1 validated assessments will include all compliance factors that are eligible for insights reporting. At this time, only the following compliance factors are eligible:
HITRUST will continue to make additional authoritative sources available for insights reporting. Additional sources being actively considered by HITRUST currently include StateRAMP's moderate impact overlay of NIST 800-53 r5, GDPR (The General Data Protection Regulation), and HICP (Health Industry Cybersecurity Practices). Assessed entities and external assessors are encouraged to let HITRUST know which additional authoritative sources we should consider through this UserVoice forum.
When compliance factors are added to e1 and i1 assessments, MyCSF may ask follow-up questions. For example, when the HIPAA security rule is included, MyCSF will ask the assessed entity’s US healthcare entity type (e.g., business associate) in the context of the assessment’s scope.
For e1 or i1 combined validated assessments, each included compliance factor will require the assessed entity to purchase an Insights Report credit. For more information regarding Insights Report credits, please contact your Customer Success Manager or sales@hitrustalliance.net.
Pre-QA Assessment Results Review
A new phase, Pre-QA Assessment Results Review, has been added to the e1 or i1 validated assessment workflow for the purpose of displaying the preliminary assessment results before the assessment is submitted to HITRUST. The Pre-QA Assessment Results Review phase occurs after the Performing Validation phase and is present in all e1 and i1 assessments, regardless of whether a combined assessment is being performed (according to the implementation timeline below). For the full assessment workflow and a detailed description of each phase, see the e1 or i1 Assessment Workflow.
The preliminary assessment results displayed during this phase have not been confirmed by HITRUST and are subject to change based on the results of the QA review for validated assessments.
The newly added Pre-QA Assessment Results Review page in MyCSF includes:
e1 and i1 Certification Determination
The e1 and i1 certification criteria have not changed. When a combined assessment is performed, the HITRUST CSF requirement statements added to the assessment due to an included compliance factor will not impact whether an organization meets the criteria for an e1 or i1 HITRUST CSF certification.
When calculating the average score for each assessment domain, only the scores for the core e1 or i1 requirement statements are included in the calculation. The average score of the core e1 or i1 requirement statements in each domain must be greater than or equal to 83 for certification to be achieved. For an example calculation, see the e1 or i1 Combined Assessment FAQs.
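The domain-average rule above, as an added worked example (this is not HITRUST's or MyCSF's code): compliance-factor statements are carried in the data but excluded from the averages, and the domain names and scores are constructed.

```python
# Added example (not HITRUST's or MyCSF's code): models the e1/i1 certification
# determination. A requirement statement is "core" when it belongs to the e1 (44)
# or i1 (182) set; statements added by a compliance factor are excluded from the
# per-domain averages. Domain names and scores below are constructed.
from collections import defaultdict

CERTIFICATION_THRESHOLD = 83  # minimum average score per domain (core statements only)


def domain_averages(statements):
    """Average the scores of core requirement statements per assessment domain.

    statements: iterable of dicts with keys 'domain', 'score', 'core' (bool).
    Compliance-factor statements (core=False) are skipped, as the rule requires.
    """
    totals = defaultdict(lambda: [0, 0])  # domain -> [sum of scores, count]
    for s in statements:
        if not s["core"]:
            continue
        totals[s["domain"]][0] += s["score"]
        totals[s["domain"]][1] += 1
    return {d: total / count for d, (total, count) in totals.items()}


def certification_determination(statements, threshold=CERTIFICATION_THRESHOLD):
    """Return (certified, per-domain averages); every domain must average >= threshold."""
    averages = domain_averages(statements)
    certified = bool(averages) and all(avg >= threshold for avg in averages.values())
    return certified, averages


# Constructed sample: a low-scoring HIPAA-mapped statement sits in "Access Control"
# but does not count toward the e1/i1 certification determination.
SAMPLE = [
    {"domain": "Access Control", "score": 100, "core": True},
    {"domain": "Access Control", "score": 75, "core": True},
    {"domain": "Access Control", "score": 25, "core": False, "source": "HIPAA"},
    {"domain": "Audit Logging", "score": 88, "core": True},
    {"domain": "Audit Logging", "score": 80, "core": True},
]

if __name__ == "__main__":
    certified, averages = certification_determination(SAMPLE)
    for domain, avg in averages.items():
        print(f"{domain}: core average {avg:.1f}")
    print("e1/i1 certification criteria met:", certified)
```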
CAPs and Gaps
When a combined e1 or i1 assessment is performed:
HITRUST QA
When a combined e1 or i1 assessment is performed, the HITRUST QA review of the assessment will include a sample of requirement statements from each included compliance factor in addition to the sample of core e1 or i1 requirement statements reviewed.
Reporting
e1 or i1 HITRUST CSF Reports
When a combined assessment is performed, the e1 or i1 HITRUST CSF Reports will still contain only the core e1 or i1 requirement statements and will not report on any requirement statements added due to the inclusion of a compliance factor.
Insights Reports
In a combined assessment, after the e1 or i1 HITRUST CSF Report has been finalized, a separate Insights Report will be issued for each compliance factor included in the assessment. Each Insights Report will contain only the requirement statements that are mapped to the corresponding authoritative source.
Reviewing and Revising Drafts
The e1 or i1 validated assessment workflow has been expanded to include several new phases (highlighted in Figure 5 below). These phases allow for MyCSF tasks to be opened in order to address revision requests for the HITRUST CSF Reports and/or Insights Reports. For a detailed description of each phase, see the e1 or i1 Assessment Workflow. Note that the phases pertaining to additional reports are only utilized when a combined assessment has been performed.
i1 or e1 Rapid Assessments
In the first half of 2025, the i1 rapid assessment will be updated to support i1 combined assessments. Additionally, the rapid sampling functionality will become available for e1 validated combined assessments that contain compliance factors adding more than 60 requirement statements to the assessment.
The e1 or i1 rapid assessments result in the same i1 or e1 assessment reports (HITRUST CSF Reports and Insights Reports) and i1 or e1 certification as a full i1 or e1 validated assessment.
i1 Rapid Assessment Overview
After completing an i1 combined validated assessment in year 1, the assessed entity may be eligible to complete an i1 rapid assessment in year 2. The i1 rapid assessment will allow the rapid sampling approach, described below, to be applied independently to the core i1 requirement statements and any compliance factor that includes more than 60 requirement statements. If any compliance factors included in the combined assessment include 60 or fewer requirement statements, those requirement statements must all be assessed in the i1 rapid assessment.
e1 Rapid Assessment Overview
After completing an e1 combined validated assessment in year 1, if the combined assessment included a compliance factor that adds more than 60 requirement statements to the assessment, the assessed entity may be eligible to complete an e1 rapid assessment in year 2. The e1 rapid assessment will allow the rapid sampling approach, described below, to be applied independently to any compliance factor that includes more than 60 requirement statements. The core e1 requirement statements and any compliance factors that include 60 or fewer requirement statements must all be assessed in the e1 rapid assessment.
i1 and e1 Rapid Assessment Eligibility
Eligibility to apply the rapid sampling approach in year 2 will be determined individually for each set of requirement statements included in the assessment (where a “set” is the set of e1 core, i1 core, and each set of requirement statements added by a single compliance factor).
Eligibility for each set of requirement statements is determined as depicted in Figure 6 and described below:
Authoritative Source Requirements
Eligibility Criteria
General Eligibility Criteria – The assessed entity must meet all of the following criteria to utilize the rapid sampling approach:
Eligibility Criteria for Each Set of Requirement Statements – If all of the General Eligibility Criteria are met, then for each set of requirement statements potentially eligible for the rapid sampling approach, the following criteria will determine whether that particular set of requirement statements may be sampled.
When assessed entities are not eligible to apply the rapid sampling approach to any set of requirement statements, a full i1 or e1 assessment must be completed to obtain an i1 or e1 certification. When an assessed entity is eligible to apply the rapid sampling approach to at least one set of requirement statements and ineligible to apply the rapid sampling approach to others, an i1 or e1 rapid assessment may be performed. Within the rapid assessment, the eligible sets of requirement statements will be sampled, while the ineligible sets will be assessed in full.
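The per-set eligibility rules from the i1 and e1 overviews above, as an added example (not HITRUST's or MyCSF's code). It applies only the set-size rule stated on this page and assumes the General Eligibility Criteria and any further per-set criteria are already met; the factor names and statement counts are constructed.

```python
# Added example (not HITRUST's or MyCSF's code): decides, per set of requirement
# statements, whether the rapid sampling approach applies in year 2. Assumes the
# General Eligibility Criteria are met; factor names and counts are constructed.
SAMPLING_MIN_STATEMENTS = 60  # a compliance-factor set is sampled only if it adds MORE than this


def rapid_assessment_plan(assessment_type, factor_sets):
    """Return {set_name: 'sampled' | 'full'} for a rapid assessment, or None when no
    set is eligible (a full e1 or i1 assessment is then required).

    assessment_type: 'e1' or 'i1'
    factor_sets: {compliance factor name: number of requirement statements it adds}
    """
    if assessment_type not in ("e1", "i1"):
        raise ValueError("assessment_type must be 'e1' or 'i1'")
    plan = {}
    # Core i1 statements may be sampled; core e1 statements are always assessed in full.
    plan[f"{assessment_type} core"] = "sampled" if assessment_type == "i1" else "full"
    # Each compliance factor is judged independently by the number of statements it adds;
    # sets of 60 or fewer must be assessed in full.
    for factor, count in factor_sets.items():
        plan[factor] = "sampled" if count > SAMPLING_MIN_STATEMENTS else "full"
    if "sampled" not in plan.values():
        return None  # nothing eligible: full e1/i1 assessment instead of a rapid one
    return plan


if __name__ == "__main__":
    # Constructed year-1 combined assessments
    print(rapid_assessment_plan("i1", {"Factor A": 90, "Factor B": 40}))
    print(rapid_assessment_plan("e1", {"Factor A": 90}))
    print(rapid_assessment_plan("e1", {"Factor B": 40}))  # None: no set eligible
```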
Rapid Sampling Approach
For each set of requirement statements that is determined to be eligible for the rapid sampling approach to be applied, the approach below will be followed.
The below requirement statements must be assessed:
1. New: If the e1 or i1 rapid assessment is created using a newer CSF version than that which was utilized for the assessed entity’s previous e1 or i1 assessment, there may be additional requirement statements included in this set of requirement statements due to the HITRUST threat analysis and other updates to the CSF.
3. N/As: All requirement statements from this set that were marked as N/A during the previous e1 or i1 assessment.
All other requirement statements in the set are not required to be assessed. By default, these requirement statements appear within the assessment in a read-only state and include the scores that were entered in the previous e1 or i1 assessment. If the assessed entity would like to show improvement on a requirement statement that is not already required to be assessed in the e1 or i1 rapid assessment, the assessed entity may optionally include any of these requirement statements by toggling the requirement statement from read-only to an editable state.
Adding or Removing Authoritative Sources during a Rapid Assessment
While performing the e1 or i1 rapid assessment, the assessed entity may include additional compliance factors that were not included in the parent e1 or i1 assessment. If an additional compliance factor is included in the e1 or i1 rapid assessment, all requirement statements added due to that compliance factor will be included in the New category described above and must be assessed in full.
Additionally, the assessed entity may choose to not include an authoritative source that was assessed in the previous e1 or i1 assessment. The compliance factor for the authoritative source may be un-selected on the Factors page in MyCSF to remove the associated requirement statements from the assessment.
Control Degradation
During the performance of the e1 or i1 rapid assessment and also during HITRUST QA review, MyCSF monitors the scoring of the sampled requirement statements in the rapid assessment and compares them to the parent e1 or i1 assessment to determine whether any scores have been lowered. The control degradation detection process illustrated in the flowchart (Figure 7) and described below is applied independently to each set of sampled requirement statements.
Upon acceptance of the assessment, HITRUST will perform a Quality Assurance review of the submitted assessment. The QA review includes HITRUST review of a random selection of requirement statements from each set of requirement statements (where a “set” is the set of e1 core, i1 core, and each set of requirement statements added by a single compliance factor).
If scores are lowered during the QA review process, HITRUST will consider whether the scores have been lowered due to an issue with the operation of the control or due to an error in testing approach or documentation. Scores lowered due to an error in testing approach or documentation are not considered to be control degradation. Only scores lowered due to an issue with the operation of the control will count toward the threshold for control degradation.
If scores are lowered due to an issue with control operation, the threshold for the number of lowered scores that indicates material degradation may be reached during the QA review process. If this occurs, the assessed entity and external assessor must expand the sample of requirement statements evaluated in the e1 or i1 rapid assessment or complete a full e1 or i1 assessment according to the previous guidelines.
e1 or i1 Readiness Assessments
The Factors page within e1 or i1 readiness assessments will include the same compliance factors eligible for inclusion within e1 or i1 validated assessments. Insights Reports are not issued for readiness assessments and therefore Insights Report credits are not required to perform an e1 or i1 combined readiness assessment.
Although Insights Reports are not issued for readiness assessments, the new Assessment Results Review phase has been added to the readiness assessment workflow. This phase occurs after the Answering Assessment phase and is present regardless of whether a combined assessment is being performed. For the full readiness assessment workflow and a detailed description of each phase, see the e1 or i1 Assessment Workflow.
The Assessment Results Review page includes:
As of August 27, 2024:
For any additional questions, please contact our support team or a HITRUST Customer Success Manager. Later this year HITRUST will announce an update to the HITRUST Assessment Handbook to address the new e1 or i1 combined assessments.