Yes. HITRUST Bridge Assessments are available only for r2 Certifications. Since the HITRUST e1 and i1 certifications expire after 1 year, there are no i1 Bridge Assessments available for an e1 or i1 assessment.

The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: An organization’s HITRUST Certification is set to expire on 5/31/22 and this organization is awarded a HITRUST Bridge Certificate. This organization submits a completed validated assessment to HITRUST prior to the Bridge Certificate’s expiration which results in a HITRUST Certification. The organization’s newly issued HITRUST Certification is dated 6/1/22, and the interim assessment would be due to HITRUST no later than 6/1/23.

The HITRUST Bridge Certificate is designed to assist organizations who need to maintain HITRUST Certification but may be experiencing challenges in completing their next HITRUST Validated Assessment.

The HITRUST Bridge Assessment links the two HITRUST Validated Assessments by offering a limited level of assurance during the period when the next HITRUST Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone without the completion of a subsequent HITRUST Validated Assessment where the level of assurance can only be maintained for 24 months.

Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity activities, and/or adding a new vendor in observance of the organization’s third-party onboarding and review process.

HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include:

• Moving from an on-premise data center into a public cloud environment,
• Moving the organization’s physical headquarters,
• Decommissioning a data center and moving all assets to a different data center,
• Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS),
• Changing an in-scope system so it uses a NoSQL backend instead of a relational database,
• Moving away from an outsourced IT model by standing up an internal IT function,
• Decommissioning the helpdesk ticketing system, and/or
• New functionality in an in-scope platform enabling it to be accessed from a public location.

The HITRUST Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST Certification.

Yes.

The HITRUST Bridge Assessment object can be created no more than 60 days before and up to 30 days after the expiration date of the HITRUST Certification.

Any organization that (a) has a HITRUST Validated Report (after 1/1/22 called an “r2” Validated Report) with Certification, (b) will miss their validated assessment submission due-date, (c) hasn’t missed that due date by more than 30 days, and (d) did NOT have significant changes in the scoped control environment since the previous HITRUST Certification was issued.

HITRUST believes that a HITRUST Bridge Certificate adds value in demonstrating that an organization’s scoped control environment is unlikely to have degraded since the last validated assessment and that the organization has indicated its commitment to complete a HITRUST Validated Assessment in the next 90 days.

Assessed entities should consult with their stakeholders and relying parties to determine if they will accept a HITRUST Bridge Certificate while they await receipt of the intended HITRUST Validated Report with Certification.

It should not be accepted in place of a complete HITRUST Certification, as it does not convey the same level of assurance.