HITRUST has announced the creation of an assessment exchange to automate and streamline the process customers engage in when requesting and receiving third-party security and privacy risk assessment information from their vendors. View the official press release here.

The HITRUST Assessment Exchange (XChange) replaces the inefficient, time-consuming and labor-intensive approaches often found by customers who seek to obtain risk management information from their business partners, associates and vendors.

Just as the HITRUST Third Party Assurance Program has benefited thousands of vendors and been instrumental in reducing redundant and inconsistent assessment requests, the HITRUST Assessment XChange will benefit customers by simplifying the vendor risk management process, enabling organizations of any size, type or industry segment to effectively manage their third-party vendor risk.  This is particularly relevant in the healthcare industry where customers (or Covered Entities) are required by regulation to ensure their vendors with access to protected health information (or Business Associates) have appropriate privacy and security controls.

Any program designed to streamline the vendor risk management process must avoid assessment shortcuts and be based on a comprehensive, transparent, scalable and broadly adopted assessment approach such as the HITRUST CSF Assurance Program. Until now, assessment exchanges have lacked widespread acceptance, comprehensive assessment criteria, transparency and consistency, or simply haven’t supported exchanging the right level of assessment details with the company’s existing vendor risk management systems.

The HITRUST Assessment XChange helps customers by:

  • Streamlining and simplifying the process of managing and maintaining risk assessment and compliance information from third-party vendors
  • Offloading the administrative and time-consuming activities, including identifying the appropriate individual or function at a vendor, communicating assurance requirements and receiving status information
  • Removing the unnecessary administrative burden and related distractions for information security and procurement departments
  • Delivering a HITRUST CSF Assessment report in a format that can be consumed for review, analysis and input into existing vendor risk management systems

Leveraging HITRUST CSF Assessments for vendor risk management program standardizes the expectations, requirements and format for obtaining information privacy and security program information from vendors, making it much more efficient. The HITRUST Assessment XChange can automate the entire process and free precious resources in obtaining vendor security and privacy risk assessment information.

The HITRUST Assessment XChange also provides customers with updates on progress and allows engagement when a vendor is not appropriately meeting their requirements, allowing the customer to focus on managing risk rather than the administrative process. The HITRUST Assessment XChange is intended to integrate with, not replace, an organization’s existing vendor risk management system, allowing specific vendors and assessments to be assigned to the HITRUST Assessment XChange and to receive the HITRUST CSF Assessment report in a fully consumable format. This eliminates the manual posting of key assessment details.

HITRUST is currently working to integrate the HITRUST Assessment XChange with leading vendor risk management systems, such as RSA Archer and Rsam, with others being added in the future. Additionally, HITRUST will offer an online portal for those not currently using a vendor risk management system.

Since most vendors do business with multiple organizations, the HITRUST Assessment XChange streamlines and simplifies the process. And, given the wide adoption and success of the HITRUST CSF Assessment and HITRUST CSF Assurance Program already covering thousands of vendor assessments and thousands more in process, vendors are ensured they can truly achieve “assess once, report many” benefits – unlike other third-party assessment approaches and exchanges.

With HITRUST’s ability to engage with a vendor on behalf of multiple organizations, communications and interactions for that vendor are streamlined via a reduction in the number of organizations that make similar requests. The automation of the process also helps make business engagements much more efficient.

The HITRUST Assessment XChange integrates with the HITRUST MyCSF assessment tool and ensures the vendor is in complete control of their assessment information; information is only shared with their business partner if and when they choose to share it.

The HITRUST Assessment XChange is priced based on the number of vendors managed for a customer through the exchange. HITRUST is currently contracting with customers and anticipates the HITRUST Assessment XChange being operational in Q3 of this year. Any valid CSF Assessment can be made available to the HITRUST Assessment XChange when operational later this year.