HITRUST PORTAL CONTACT US
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
HAA 2016-001: Clarification of HITRUST CSF assurance requirements related to an assessed entity outsourcing selected HITRUST CSF controls.
<< All Blogs

Date: January 12, 2016

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

Effective Date

Immediate: This bulletin is to clarify existing policy.

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Clarification

Policy/Program Clarification Details

This bulletin clarifies the treatment of controls required for Certification in situations where certain controls are outsourced to a third party, and the impact of outsourced controls on a HITRUST CSF validated assessment.

Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.

Under no circumstances are outsourced controls or those supported by a third party considered “Not Applicable” when performing a CSF Assessment. All controls must be tested by an approved External Assessor, or the External Assessor must determine the controls have been satisfactorily tested by another independent party consistent with HITRUST CSF Assurance Program requirements. For example, External Assessors may be able to rely on a current CSF Certification report, CSF Validated Report, or a current SOC 2 report that is based on the HITRUST CSF criteria.

Rationale

HITRUST has seen a growing trend in the outsourcing of certain HITRUST CSF controls. In many instances, the validated assessment is submitted with the outsourced controls listed as “Not Applicable” or the External Assessors are being provided assessments performed with limited understanding of the scope, methodology, or assurance of the accuracy relating to the controls in question. HITRUST has been returning these assessments back to the External Assessor in order to perform the required testing and score the controls in question. HITRUST is releasing this bulletin to clarify the HITRUST CSF Assurance Program requirements related to the outsourcing of controls. This should allow External Assessors to more clearly communicate this requirement to their clients and prevent costly re-work related to outsourced controls.

Timetable for Implementation

Immediate: This bulletin is to clarify existing policy.

<< All Blogs

Chat Now

This is where you can start a live chat with a member of our team