HITRUST Results Distribution System FAQs
When will the RDS be available?
RDS was released for General Availability in May of 2022.
What is the HITRUST Results Distribution System (RDS)?
The HITRUST RDS is an online portal that allows assessed entities to designate which parties they want to share their assessment results with, how the results can be accessed (via a PDF, web browser and/or API), and the specific assessment detail reports they want to share (such as the certification letter, expanded scope description, and findings). The relying party can review and search online for specific elements they are seeking, such as assessment date, scope, control requirements, scores, and corrective action plans.
To further enhance efficiency and leverage analytics, in the second half of 2022, HITRUST will begin offering RDS subscription packages that include advanced analytics and added API options.
What are the benefits the HITRUST Results Distribution System (RDS) delivers over the outdated process of sharing and consuming third-party assurance reports in PDF form?
Across the industry, third-party assurance reports are distributed almost entirely as PDF documents. These PDFs must then be manually reviewed by relying parties to confirm various elements that are contained within the results. The relying party often needs to re-enter data present in the PDF report into their vendor risk management (VRM) system, third-party risk management (TPRM) system, or governance, risk, and compliance (GRC) system. At present, this process is manual and labor-intensive and is generally repeated annually for every third-party vendor. The HITRUST Results Distribution System (RDS) enables assessment results to be sent electronically from a highly secure portal where the relying party can review and search online for the specific elements they are seeking and set up customizable views and alerts. In addition, relying parties can leverage an API to have the results sent directly to their VRM, TPRM, or GRC systems.
How will Relying Parties who use Vendor Risk Management (VRM) systems benefit?
For Relying Parties, RDS eliminates the need to manually review and re-enter information from an assessment report. RDS enables electronic receipt of assessment results and can enable a VRM system’s analytics capabilities to review results and provide alerts as specified. VRM integration will require the use of the RDS API.
Can results from all HITRUST Assessments be shared via the HITRUST Results Distribution System (RDS)?
Yes. Results from HITRUST bC, i1, and r2 Assessments can be shared electronically through the RDS online web portal using a web browser and/or API. This includes the i1 Readiness Assessment and r2 Readiness, Interim, and Bridge Assessments.
How does an Assessed Entity use MyCSF to designate recipients and share their results with a relying party?
The assessed entity will have the ability to select specific elements that can be shared, and invite a relying party to view assessment results in the RDS.
Is there an additional cost for RDS?
RDS is a value-added service available with all HITRUST MyCSF® subscription levels. Using RDS Standard, assessed entities can send their HITRUST Validated Assessment results to relying parties at no cost, and relying parties can access these results at no cost. Optional enhanced functionality, including advanced analytics and API integration, will be available in RDS for an additional cost (coming second half of 2022).
What is RDS Standard™?
RDS Standard is the most basic version of the HITRUST Results Distribution System. It is a no-cost value-added service that allows users to create an account to view HITRUST Assessment results in a preset view and share the results both internally within their organization and externally with relying parties and other stakeholders. Additional RDS subscription packages will be available in the second half of 2022, which will include advanced analytics and added API options.
Does the Relying Party receiving RDS data need to be a MyCSF subscriber?
No. The assessed entity must be a HITRUST MyCSF subscriber, but they can send results to external entities who are not subscribers.
Is the use of RDS required?
Use of RDS is not mandatory, and its usage is available after opt-in by the assessed entity. Those who don’t opt in to RDS can still receive reports and certification letters in PDF format. In most cases, HITRUST believes that vendors and service providers will want to actively use RDS so they can be more responsive to requests from customers who need information security assurances. However, in some cases organizations might choose NOT to share assessment results through RDS.