Interim Review FAQs
When is an Interim Assessment for an r2 Certification due?
An r2 Interim Assessment needs to be submitted by the one-year anniversary of the certification date. Exceptions may be requested prior to the anniversary date to account for extraordinary circumstances that prohibit completion. Since the i1 Certification is valid for one year, there is no Interim Assessment (or Bridge Assessment).
What type of MyCSF access do non-subscribers receive when purchasing an Interim Assessment?
Non-subscriber’s access will be the same as the “report only” option, currently set at 1 object and 3 users.
How do we know which requirements will be sampled, and can we get advance notice of which ones will be included?
The requirements are randomly selected by MyCSF upon creation of the Interim Assessment. MyCSF subscribers may create their Interim Assessments up to 120 days in advance of their due date.
Do you have to score each requirement statement selected in an Interim Assessment?
Yes.
For the requirements selected in an r2 Interim Assessment, do you need to gather evidence?
Yes, evidence is required for each selected requirement in the r2 Interim Assessment.
Does the 90-day rule for evidence apply for r2 Interim Assessments?
- Yes, for control requirements that are not associated with required CAPs, they must have been in place for 90 days in order to be scored and they must have been tested within in the preceding 90 days from submission to HITRUST. This should not be an issue as the controls should have been scored during the supporting full assessment.
- Changes in scores for control requirements that are associated with a required CAP are considered demonstration of progress and are not subject to the 90-day rule.
What is the QA process for an Interim Assessment?
Interim Assessments must be submitted to HITRUST for QA. Similar to r2 Validated Assessments the QA analyst will select a sample of requirements to review and follow up with the External Assessor as necessary.
Does the Interim Assessment have to be performed by the same assessor firm that performed the r2 Validated Assessment?
No. Any Authorized External Assessor can perform the Interim Assessment.
Is there a fee for HITRUST to process the Interim Assessment?
- Yes, there is a fee but this is waived for active MyCSF subscribers.
- The fee includes 60 days of access to MyCSF for non-subscribers to recreate and submit their Interim Assessment, processing of the Interim Assessment and, upon successful completion, issuance of an Interim Letter.
How is the existing r2 Validated Assessment utilized for the interim review?
The interim review is generated from the original certified assessment object.
My Interim Assessment is coming up, how do I get started?
- MyCSF subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date. MyCSF subscribers may manually generate the interim assessment up to 120 days prior to the submission date.
- Non-subscribers will automatically receive an interim assessment notice 90 days prior to the required submission date and will need to contact our sales department to obtain access to MyCSF to generate their interim assessment. The access purchased will last for 60 days and you will be required to reconstruct your r2 Validated Assessment scores, as well as the comments for all original control requirements marked as N/A.