HAA 2016-002: HITRUST CSF Assurance Program requirement change related to timely submission of corrective action plans that are required as part of certification report issuance.

Impacted Policy/Program Name

CSF Assurance Program Requirements

Publication Date

January 12, 2016

From

Ken Vander Wal, Chief Compliance Officer, HITRUST

Advisory Type

Requirement Change

Policy/Program Change Details

This change will require submission of all corrective action plans that are REQUIRED for certification within 30 days of the posting of the corresponding draft report. Failure to submit the required corrective action plans within the 30 day timeframe will result in the report being issued final as VALIDATED and not CERTIFIED. The Letter of Certification included in the report will be replaced with a Letter of Validation.

Rationale

HITRUST’s policy is to issue a final report no later than 30 days after the draft report is posted. HITRUST cannot issue a final report in cases where there are REQUIRED corrective actions as a condition of CERTIFICATION without the required corrective action plans. HITRUST has been experiencing long delays and/or failures in receiving required corrective actions in a timely manner. This has had an adverse effect on HITRUST’s ability to achieve its desired SLA with regard to processing of these reports. It is believed that this new policy will encourage organizations to be more diligent and submit corrective action plans within the allotted timeframe.

Timetable for Implementation

Effective Date: January 15, 2016

Enforcement Date: April 1, 2016