Impacted Policy/Program Name
CSF Assurance Program Requirements
January 12, 2016
Ken Vander Wal, Chief Compliance Officer, HITRUST
Policy/Program Change Details
This change will require submission of all corrective action plans that are REQUIRED for certification within 30 days of the posting of the corresponding draft report. Failure to submit the required corrective action plans within the 30 day timeframe will result in the report being issued final as VALIDATED and not CERTIFIED. The Letter of Certification included in the report will be replaced with a Letter of Validation.
HITRUST’s policy is to issue a final report no later than 30 days after the draft report is posted. HITRUST cannot issue a final report in cases where there are REQUIRED corrective actions as a condition of CERTIFICATION without the required corrective action plans. HITRUST has been experiencing long delays and/or failures in receiving required corrective actions in a timely manner. This has had an adverse effect on HITRUST’s ability to achieve its desired SLA with regard to processing of these reports. It is believed that this new policy will encourage organizations to be more diligent and submit corrective action plans within the allotted timeframe.
Timetable for Implementation
Effective Date: January 15, 2016
Enforcement Date: April 1, 2016