HITRUST Bridge Assessment and Certificate FAQs
What is the HITRUST Bridge Assessment?
The HITRUST Bridge Assessment results in a HITRUST Bridge Certificate. The HITRUST Bridge Certificate is a forward-looking, temporary certificate issued by HITRUST. It is valid for 90 days from the expiration date of the organization’s previous HITRUST Certification and allows organizations to maintain a form of HITRUST Certification status for an additional 90 days even if their validated assessment submission due date is missed.
Is a Bridge Assessment only available for an r2 certification?
Yes. HITRUST Bridge Assessments are available only for r2 Certifications. Since the HITRUST e1 and i1 certifications expire after 1 year, there are no Bridge Assessments available for an e1 or i1 assessment.
How does a Bridge Assessment affect the interim assessment due date?
The interim assessment is still due on the one-year anniversary of the certification date. A hypothetical timeline: an organization’s HITRUST Certification is set to expire on 5/31/22, and this organization is awarded a HITRUST Bridge Certificate. The organization submits a completed validated assessment to HITRUST prior to the Bridge Certificate’s expiration, which results in a HITRUST Certification. The organization’s newly issued HITRUST Certification is dated 6/1/22, and the interim assessment would be due to HITRUST no later than 6/1/23.
Why is the three-month period of the HITRUST Bridge Certificate deducted from the organization’s next HITRUST Certification?
The HITRUST Bridge Certificate is designed to assist organizations that need to maintain HITRUST Certification but may be experiencing challenges in completing their next HITRUST Validated Assessment.
The HITRUST Bridge Assessment links the two HITRUST Validated Assessments by offering a limited level of assurance during the period when the next HITRUST Validated Assessment is being completed. This limited level of assurance is not sufficient to stand alone without the completion of a subsequent HITRUST Validated Assessment, where the level of assurance can only be maintained for 24 months.
What are examples of changes that are not alone typically significant enough to preclude performance of a HITRUST Bridge Assessment?
Decommissioning servers, creating new user accounts, updating the business continuity plan, hiring a new CISO, patching endpoints, applying software enhancements through the organization’s SDLC, invoking a work-from-home strategy as part of business continuity activities, and/or adding a new vendor in observance of the organization’s third-party onboarding and review process.
What are examples of “significant changes” that might preclude performance of a HITRUST Bridge Assessment?
HITRUST will evaluate changes on a case-by-case basis and is available to engage with assessed entities to discuss specifics. Examples of activities that might be considered significant changes include:
- Moving from an on-premises data center into a public cloud environment,
- Moving the organization’s physical headquarters,
- Decommissioning a data center and moving all assets to a different data center,
- Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS),
- Changing an in-scope system so it uses a NoSQL backend instead of a relational database,
- Moving away from an outsourced IT model by standing up an internal IT function,
- Decommissioning the helpdesk ticketing system, and/or
- New functionality in an in-scope platform enabling it to be accessed from a public location.
When can I submit a completed HITRUST Bridge Assessment to HITRUST?
The HITRUST Bridge Assessment object can be submitted to HITRUST no more than 30 days before and up to 30 days after the expiration date of the HITRUST Certification.
Are the 19 randomly selected HITRUST CSF requirement statements picked during the HITRUST Bridge Assessment object creation?
When can I create the HITRUST Bridge Assessment object in MyCSF?
The HITRUST Bridge Assessment object can be created no more than 60 days before and up to 30 days after the expiration date of the HITRUST Certification.
Who qualifies for the HITRUST Bridge Assessment and Certificate?
Any organization that (a) has a HITRUST Validated Report (after 1/1/22 called an “r2” Validated Report) with Certification, (b) will miss its validated assessment submission due date, (c) hasn’t missed that due date by more than 30 days, and (d) did NOT have significant changes in the scoped control environment since the previous HITRUST Certification was issued.
Will all of my relying parties accept the HITRUST Bridge Certificate?
HITRUST believes that a HITRUST Bridge Certificate adds value in demonstrating that an organization’s scoped control environment is unlikely to have degraded since the last validated assessment and that the organization has indicated its commitment to complete a HITRUST Validated Assessment in the next 90 days.
Assessed entities should consult with their stakeholders and relying parties to determine if they will accept a HITRUST Bridge Certificate while they await receipt of the intended HITRUST Validated Report with Certification.
The HITRUST Bridge Certificate should not be accepted in place of a complete HITRUST Certification, as it does not convey the same level of assurance.