HITRUST Results Distribution System FAQs
When will the RDS API Functionality be available?
April of 2023
What is the HITRUST Results Distribution System (RDS)?
The HITRUST RDS is an online portal that allows assessed entities to fulfill the requests of their relying parties by sharing designate which parties they want to share their assessment results via our application and/or API. The relying party can ingest specific elements they are seeking such as: assessment date, scope, control requirements, scores, and corrective action plans (CAPS), and more.
What are the benefits the HITRUST Results Distribution System (RDS) delivers over the outdated process of sharing and consuming third-party assurance reports in PDF form?
Across the industry, third-party assurance reports are distributed almost entirely as PDF documents. These PDFs must then be manually reviewed by relying parties to confirm various elements that are contained within the results. The relying party often needs to re-enter data present in the PDF report into their vendor risk management (VRM) system, third-party risk management (TPRM) system, or governance, risk, and compliance (GRC) system. At present, this process is manual and labor-intensive and is generally repeated annually for every third-party vendor. The HITRUST Results Distribution System (RDS) enables assessment results to be sent electronically from a highly secure portal where the relying party can consume and review available data elements through API directly in their TPRM, VRM, or GRC systems.
How will Relying Parties who use Vendor Risk Management (VRM) systems benefit?
For Relying Parties, RDS eliminates the need to manually review and re-enter information from an assessment report. RDS enables electronic receipt of assessment results and can enable a VRM system’s analytics capabilities to review results and provide alerts as specified. VRM integration will require the use of the RDS API.
Can results from all HITRUST Assessments be shared via the HITRUST Results Distribution System (RDS)?
Yes. Results from HITRUST e1, i1, and r2 Assessments can be shared electronically through the RDS online web portal using a web browser. This includes the i1 Readiness Assessment and r2 Readiness, Interim, and Bridge Assessments.
Is there an additional cost for RDS?
RDS is a value-added service available with all HITRUST MyCSF® subscription levels. Using the RDSapplication, assessed entities can fulfill requests sent by relying parties who are integrated with RDS to share HITRUST Assessment results to relying parties at no cost.
What is RDS Standard™?
RDS Standard is the most basic version of the HITRUST Results Distribution System. It is a no-cost value-added service that allows users to create an account to view HITRUST Assessment results in a preset view and share the results both internally within their organization and externally with relying parties and other stakeholders. Additional RDS subscription packages will be available in the second half of 2022, which will include advanced analytics and added API options.
Does the Relying Party receiving RDS data need to be a MyCSF subscriber?
No. The assessed entity must be a HITRUST MyCSF subscriber, but they can send results to external entities who are integrated with RDS through an API implementation.
Is the use of RDS required?
Use of RDS is not mandatory, and its usage is available after opt-in by the assessed entity. Those who don’t opt-in to RDS can still receive reports and certification letters in PDF format. In most cases, HITRUST believes that vendors and service providers will want to actively use RDS so they can be more responsive to requests from customers who need information security assurances.
Where can I get more information about RDS?