Impacted Policy/Program Name
CSF Assurance Program
March 6, 2017
This bulletin is to communicate a change in the assurance process regarding the processing of validated assessments and the time allowed to respond to a HITRUST Quality Assurance (QA) request.
After a validated assessment has been submitted, HITRUST responds within 24-48 hours with a QA Letter. This letter requests supporting evidence for those controls selected for QA, those controls that have been assigned a Measured/Managed score, and those controls marked as N/A. Supporting evidence should be provided within 14 days of the issuance of the QA Letter. If supporting evidence is not provided within that time frame, HITRUST will only issue a Readiness Assessment report in lieu of a validated report. No certification will be awarded.
Establishing a deadline for receiving QA materials will help ensure a timely and efficient process for generating draft reports. As evidence is supposed to be gathered throughout the assessment process, submitting artifacts in support of a QA request should be a minimal effort. Assessor organizations that have gathered evidence throughout the effort should not be impacted by this advisory. The timely processing of a client’s assessment through QA is best achieved if the QA Letter is responded to promptly. Failure to respond in a timely manner may indicate that an assessor has not collected, nor is maintaining, adequate working papers in support of their assessments. This may lead to a conclusion that adequate validation has not occurred and may therefore result in the issuance of a Readiness Assessment report.
Timetable for Implementation
Immediate: This bulletin is a clarification to the existing process and will impact all assessments submitted to HITRUST as of the date of issuance of this advisory.