HITRUST Compliance Insights Reports FAQs
What are HITRUST Compliance Insights Reports?
A Compliance Insights Report is a narrowly focused report, generated from information gathered during a HITRUST r2 Validated Assessment, that communicates compliance-related insights to internal and external stakeholders. Compliance Insights Reports are not certifications.
How will my organization benefit from and use a Compliance Insights Report?
- Allows you to understand and easily communicate to external and internal stakeholders insights relevant to compliance with a specific standard, guideline, or regulation (e.g., HIPAA).
- Increases the usefulness of your r2 assessment at a modest additional investment.
- Adds value to your existing MyCSF subscription by supporting the HITRUST Assess Once, Report Many™ approach.
- Identifies controls that are met by Cloud Service Providers and other external providers that have relevance to compliance with a specific standard, guideline, or regulation.
Can a Compliance Insights Report be run at the same time as the r2, or do we have to wait until the r2 Assessment is complete?
Compliance Insights Reports can only be run after a validated r2 has been completed.
Once a HITRUST r2 Assessment is complete, can a Compliance Insights Report be generated later without using an External Assessor?
Yes. Since results are based on their completed and validated r2, the assessed entity can generate a Compliance Insights Report on their own if the r2 Assessment qualifies. In order to qualify for a Compliance Insights Report, the assessment must meet all of the following criteria:
- Must be a validated r2 assessment (currently the only assessment type supported).
- The final HITRUST CSF report must already be issued (that is, the assessment must be in the “completed” state in MyCSF).
- The assessment must be tailored to include the part(s) that the Compliance Insights Report will cover (e.g., for HIPAA, the security, privacy, and/or breach notification rules must be included).
- The assessment must use a version of the HITRUST CSF that supports compliance insights reporting for the selected authoritative source (e.g., v9.5+ for HIPAA security and v11.0 for HIPAA breach and privacy).
How do I know if my r2 Assessment qualifies for a Compliance Insights Report?
A display banner at the top of the Completed Assessments homepage in MyCSF indicates if your completed assessment qualifies for a Compliance Insights Report. If no banner is shown, your organization does not have an assessment that qualifies for a Compliance Insights Report.
What is the cost of a Compliance Insights Report?
Compliance Insights Report credits are $1500. Contact your CSM for details. You can purchase Compliance Insights Reports credits early, up to a year in advance.
Can I generate more than one Compliance Insights Report from a qualifying HITRUST r2 Assessment, and if so, is there a separate report credit needed for each?
Yes. As part of HITRUST’s Assess Once, Report Many approach, it is possible to generate multiple Compliance Insights Reports from a single qualifying r2 Assessment. An additional report credit is needed for each one. At the time of launch, a Compliance Insights Report for the HIPAA Security, Privacy, and Breach Notification Rules is the only one available.
How do I access and generate a Compliance Insights Report?
For qualifying assessments, look for an information banner on the MyCSF assessment homepage describing how to generate a Compliance Insights Report.
Then, find and click the Compliance Insights Reports link in the assessment’s left-bar navigation.
Is a separate Compliance Insights Report generated for each part of HIPAA (Security/Privacy/Breach)?
No. All portions of HIPAA included in the associated r2 Assessment are included in the single resulting HIPAA Compliance Insights Report.
Can r2 Report Only customers purchase and generate Compliance Insights Reports?
Does the r2 Assessment have to be HITRUST Certified to generate a Compliance Insights Report?
No, an r2 Assessment does not need to be certified. Validated Assessments can also generate Compliance Insights Reports.
Can Readiness Assessments, Targeted Assessments, or Interim Assessments be used to generate a Compliance Insights Report?
No. Only validated assessments can be used as the basis of Compliance Insights Reports. Although a Compliance Insights Report cannot be generated from an r2 Interim Assessment, one can still be generated from the fully validated assessment associated with the interim assessment.
What Compliance Insights Reports are available now? Which ones are coming in the future?
November 2023: HITRUST launched a Compliance Insights Report for HIPAA, which combines the Security Rule, Privacy Rule, and Breach Notification Rule.
Next on the Roadmap: NIST AI RMF; the Personal Health Information Protection Act (PHIPA) of Ontario, Canada; and GDPR.
Future Considerations: Additional topics under consideration include Ransomware, AI, Singapore PDPA, NIST 171, StateRAMP, HICP, and others as market needs are identified.
I am a HITRUST External Assessor – how do HITRUST Compliance Insights Reports impact my work?
Even though an assessed entity can generate a Compliance Insights Report on its own, your assessor firm plays a key role up-front by providing valuable coaching when helping clients through the HITRUST journey.
First of all, when you are scoping the initial assessment, if your client plans to use Compliance Insights Reports in the future, make sure you help them appropriately tailor the assessment during the pre-assessment phase to include the right authoritative sources, such as HIPAA. This includes using the proper CSF version to ensure that the relevant authoritative source is included (e.g., v9.5+ for HIPAA security and v11.0 for HIPAA breach and privacy).
Secondly, how you advise your client during the initial assessment to decide which gaps and CAPS to remediate and which to accept can have a significant impact on a future Compliance Insights Report scorecard. What a client may accept for a HITRUST assessment report (e.g., lower-risk gaps and CAPs), they may not be comfortable leaving as a HIPAA-relevant gap that will show up in a future Compliance Insights Report.
To enhance your firm’s standing as a trusted advisor, be sure to equip your clients to benefit from the extra value that HITRUST Compliance Insights Reports offer.
Is the HIPAA Compliance Insights Report a certification of HIPAA Compliance?
No. HITRUST issues certifications over the HITRUST CSF and the NIST CSF, but not over HIPAA. Instead, the HIPAA Compliance Insights Report provides transparency into an organization’s current state of HIPAA coverage and control maturity within the assessed entity’s scoped environment. This supports the organization in communicating the status of controls supporting HIPAA compliance and is not a certification of HIPAA compliance.
My organization’s HITRUST assessment is scoped to focus only a portion of my organization’s IT platforms and facilities, but electronic protected health information (ePHI) is present elsewhere in our environment. Can the HIPAA Compliance Insights Report be used to gain insights into the protection of ePHI outside the scope of the underlying HITRUST CSF Assessment?
No. HITRUST Assessments are scoped based on a defined boundary inclusive of specified physical facilities and IT platforms. Therefore, the HITRUST Assessment may be scoped differently than an assessment focused exclusively on evaluating HIPAA compliance across the entirety of the organization. HIPAA requires the safeguarding of protected health information regardless of the residing facility or IT platform. In consultation with the assessed entity, parties relying on HITRUST HIPAA Compliance Insights Reports should therefore evaluate the scope of the HITRUST Assessment in relation to the assessed entity’s HIPAA obligations.
Does the HITRUST CSF (and therefore the HIPAA Compliance Insights Reports) include all of HIPAA, or just a subset?
The HITRUST CSF is composed exclusively of information security and privacy controls, and the scope of HIPAA extends far beyond just the security and privacy of protected health information. Therefore, HITRUST Assessments do not evaluate coverage of or compliance with HIPAA in its entirety. HITRUST has incorporated into the HITRUST CSF the security and privacy-related aspects of HIPAA, specifically portions of 45 CFR Part 164 subparts C, D, and E.
The HITRUST CSF’s coverage of HIPAA at a high level is shown in the following graphic:
How do the HITRUST r2 Assessment’s selected preferences and tailoring impact the HIPAA Compliance Insights Report?
HITRUST Assessments are performed against a subset of the numerous HITRUST CSF requirements. The requirements included in the HITRUST Risk-based, 2-year (r2) assessments are tailored based on the unique risks and compliance needs of the assessed entity and on the HITRUST CSF version selected by the assessed entity.
Through tailoring, an assessed entity can optionally add authoritative sources to their r2 Assessment(s). When this occurs, the assessment is expanded to consider additional requirements mapping to the information security and/or privacy-related portions of the included authoritative sources. The resulting, tailored HITRUST r2 Assessment then serves to directly evaluate an assessed entity’s adherence to a subset of the HITRUST CSF and indirectly evaluate the assessed entity’s compliance with the information security and/or privacy aspects of the included authoritative source(s).
How does the HITRUST CSF version used in the HITRUST r2 assessment impact the HIPAA Compliance Insights Report?
The HITRUST CSF is constantly updated by HITRUST in response to changes in the cybersecurity threat landscape and updates to which authoritative sources are included. Organizations can utilize the most recent HITRUST CSF version in HITRUST r2 Assessments or can optionally utilize one of many prior HITRUST CSF versions. As HITRUST advances the framework, more and better reporting capabilities are unlocked. Not all versions allow for the HITRUST Compliance Insights reporting against all portions of HIPAA. HITRUST Compliance Insights Reports support HIPAA as follows:
- HIPAA Security Rule: HITRUST CSF v9.5.0 and later
- HIPAA Breach Notification Rule: HITRUST CSF v11.0.0 and later
- HIPAA Privacy Rule: HITRUST CSF v11.0.0 and later
My organization is classified as a business associate under HIPAA. Will my organization’s HIPAA Compliance Insights Report look different than one prepared for a HIPAA-covered entity or group health plan?
HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule all contain standards and implementation specifications that apply only to certain types of organizations. Several standards and implementation specifications apply only to covered entities, some apply only to business associates, and others apply only to group health plans. When an organization tailors its HITRUST r2 Assessment, it is responsible for specifying the appropriate HIPAA designation, which determines which HIPAA standards and implementation specifications are considered applicable in the HITRUST r2 Assessment. This applicability is reflected in the resulting HIPAA Compliance Insights Report.
How are deficiencies identified in a HITRUST CSF Assessment determined to be relevant to compliance with the authoritative source (e.g., HIPAA) that is the focus of the Compliance Insights Report?
Gaps highlighted in Compliance Insights Reports are identified during the HITRUST Validated Assessment process through an evaluation of control maturity of the HITRUST CSF requirements mapping to the authoritative source that is the focus of the Compliance Insights Report (e.g., HIPAA). For a gap to be highlighted in the “Observations” appendix of a Compliance Insights Report, the following criteria must be met:
- The policy, process, or implemented control maturity level of the HITRUST CSF requirement scored less than “Fully Compliant” during the assessed entity’s validated assessment.
- The HITRUST CSF requirement is mapped to one or more standards or implementation specifications within the included parts of HIPAA (security, privacy, and/or breach).
Note that a HITRUST CSF requirement identified as deficient in the policy, process, and/or implemented control maturity levels may have been identified as a gap (not a CAP) in the HITRUST r2 Assessment.
How are the compliance levels communicated in the Compliance Insights Report’s scorecard section determined?
The scorecard section of a Compliance Insights Report lists each element of the authoritative source that is the focus of the report (e.g., the scorecard section of a HIPAA Compliance Insights Report lists all standards and implementation specifications of the considered portions of HIPAA—security, privacy, and/or breach). For each authoritative source element listed, a compliance level (Not Compliant through Fully Compliant) is presented. The presented compliance level is based on the validation results of the HITRUST CSF requirement(s) that map to the associated authoritative source element (using a straight average if multiple mappings exist).
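The two rules above (the observation criteria and the straight-average scorecard) as a small worked example. This is added illustrative code, not HITRUST’s or MyCSF’s own scoring logic; the requirement ids, the requirement-to-HIPAA mapping, the intermediate compliance labels and their numeric values, and the use of a per-requirement mean across the three maturity levels are all assumptions made for the illustration.

```python
from statistics import mean

# Assumed ordinal scale for a maturity level's validation result. The page names
# only the endpoints (Not Compliant ... Fully Compliant); the middle labels and
# the numeric values are an assumption made for this illustration.
LEVELS = ["Not Compliant", "Somewhat Compliant", "Partially Compliant",
          "Mostly Compliant", "Fully Compliant"]
VALUE = {label: i * 25 for i, label in enumerate(LEVELS)}

# Constructed validation results: requirement id -> result per maturity level.
RESULTS = {
    "REQ-1": {"policy": "Fully Compliant", "process": "Fully Compliant",
              "implemented": "Fully Compliant"},
    "REQ-2": {"policy": "Fully Compliant", "process": "Mostly Compliant",
              "implemented": "Somewhat Compliant"},
    "REQ-3": {"policy": "Partially Compliant", "process": "Partially Compliant",
              "implemented": "Partially Compliant"},
    "REQ-4": {"policy": "Not Compliant", "process": "Not Compliant",
              "implemented": "Not Compliant"},
}

# Constructed mapping: HIPAA element -> CSF requirement ids. REQ-4 is left
# unmapped on purpose: it is a gap in the r2, but not a HIPAA-relevant one.
HIPAA_MAP = {
    "164.308(a)(1)(ii)(A) risk analysis": ["REQ-1", "REQ-2"],
    "164.312(a)(1) access control": ["REQ-2", "REQ-3"],
}

def observations(results=RESULTS, hipaa_map=HIPAA_MAP):
    """Requirements meeting both criteria: at least one maturity level below
    Fully Compliant, and a mapping to an included HIPAA element."""
    mapped = {r for reqs in hipaa_map.values() for r in reqs}
    return {
        req: [lvl for lvl, label in levels.items() if label != "Fully Compliant"]
        for req, levels in results.items()
        if req in mapped and any(l != "Fully Compliant" for l in levels.values())
    }

def requirement_score(levels):
    # Assumption: a requirement's single result is the mean of its three levels.
    return mean(VALUE[label] for label in levels.values())

def scorecard(results=RESULTS, hipaa_map=HIPAA_MAP):
    """Compliance level per HIPAA element: straight average over the mapped
    requirements, rounded back to the nearest label on the assumed scale."""
    return {
        element: LEVELS[round(mean(requirement_score(results[r]) for r in reqs) / 25)]
        for element, reqs in hipaa_map.items()
    }
```

Running `observations()` surfaces REQ-2 and REQ-3 but not REQ-4, showing why an r2 gap may or may not appear in the HIPAA report.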
Can the Compliance Insights Report for HIPAA be used to satisfy the HIPAA Security Rule’s risk analysis requirement at § 164-308(a)(1)(ii)(a)?
The Compliance Insights Report for HIPAA is based on a compliance gap assessment. While these results can provide valuable input to complement Security Rule risk analysis, they are not a substitute for the HIPAA-required risk analysis.
The HIPAA Security Rule requires healthcare organizations to conduct a risk analysis: “an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of electronic protected health information” … [to] “protect against any reasonably anticipated threats or hazards to the security and integrity of such information.”
While numerous HITRUST CSF requirements dealing with the organization’s performance of risk analyses are evaluated during HITRUST CSF assessments, HITRUST CSF assessments are not risk assessments. Management of the Organization is responsible for performing and maintaining a risk analysis that adheres to § 164-308(a)(1)(ii)(a) of the HIPAA Security Rule.
The HITRUST Compliance Insights Report for HIPAA can provide important input into the organization’s risk analysis, but having a HIPAA Compliance Insights Report alone does not provide evidence that the organization completed a risk analysis adherent to § 164-308(a)(1)(ii)(a) of the HIPAA Security Rule.
How does the new HIPAA Compliance Insights Report compare to the MyCSF Compliance and Reporting Pack for HIPAA?
The HIPAA Compliance Insights Report is a paid offering while the MyCSF Compliance Reporting Pack for HIPAA is free of charge to subscribers. They are separate types of reports with different functions and use cases.
The HIPAA Compliance Insights Report is a single PDF report designed for a broad audience of internal and external stakeholders. The Compliance Insights Report includes a detailed scorecard that shows compliance status against multiple individual HIPAA requirements. The Compliance Insights Report runs against HIPAA Security, Privacy, and Breach Rules.
The MyCSF Compliance and Reporting Pack for HIPAA is a collection of files in a .zip archive that is designed for sharing compliance evidence with a HIPAA reviewer during an audit. It can be filtered to specific sections of HIPAA and configured to include certain types of evidence.
Is there a way to know ahead of time whether a Compliance Insights Report for HIPAA that is generated against my HITRUST Assessment will contain any HIPAA-relevant control observations/findings impacting the HIPAA compliance levels shown in the Compliance Insights Report?
Yes. If the HITRUST Assessment that is used as the basis for the Compliance Insights Report for HIPAA is free of gaps and CAPs, any Compliance Insights Report for HIPAA generated against that assessment will also be free of gaps and CAPs. However, if any gaps and/or CAPs resulted from the HITRUST Assessment, these items may or may not stem from the HITRUST CSF requirements mapped to HIPAA — and therefore may or may not be communicated in the resulting Compliance Insights Report.
One easy way to determine in advance whether gaps and/or CAPs found in a HITRUST Assessment will show in a Compliance Insights Report is to simply run the free MyCSF Compliance and Reporting Pack for HIPAA against the assessment and review the assessment details spreadsheet; any yellows and reds shown in that spreadsheet will be communicated as a HIPAA-relevant observation in any HIPAA Compliance Insights Report run for that assessment.
I’d like to see HITRUST create a new Compliance Insights Report for another authoritative source (e.g., HICP, GLBA Safeguards Rule, etc.). What’s the best way for me to share this feedback with HITRUST?
Please share this feedback with us here: https://feedback.mycsf.net/forums/956852-insights-reports.