Organizations that would like to become HITRUST certified are expected to meet the HITRUST CSF requirements within their information protection framework. An organization becomes an Assessed Entity once they have started the assessment process (regardless of assessment type). Under the HITRUST Assurance Program, an Assessed Entity’s responsibilities include:

3.1.1 Implementing the information protection controls as required in the HITRUST CSF.

3.1.2 Maintaining the information security management program via continuous monitoring, continuous review, and periodic re-assessments of the information protection controls.

3.1.3 Responding honestly, accurately, and completely to inquiries made throughout the assessment process and certification lifecycle.

3.1.4 Providing the HITRUST External Assessor with accurate and complete records and necessary documentation related to the information protection controls included within the scope of its assessment.

3.1.5 Disclosing all design and operating deficiencies in its information protection controls of which is it aware throughout the assessment process, including those where it believes the cost of corrective action may exceed the benefits.

3.1.6 Performing the necessary readiness and/or validated assessments to determine they are sufficiently meeting the HITRUST CSF requirements.

3.1.7 Accurately defining and communicating the scope of readiness and/or validated assessments to both its External Assessor and HITRUST.

3.1.8 Coordinating and supporting the performance of assessments and implementing corrective actions and organizational transformations, as necessary. This includes collecting evidence, personnel availability, timely and truthful communication, and overseeing the assessment timeline.

3.1.9 Funding its HITRUST assessment effort, including assessments for readiness, validation and/or certification, internal and/or external resources, and completing any corrective actions.

3.1.10 Communicating significant changes to its certified environment to HITRUST on a timely basis (For additional details on what constitutes a significant change, see Chapter 15.6 Significant Changes).

3.1.11 Communicating actual or suspected security events involving the certified environment to HITRUST and its External Assessor (see Chapter 15.3 Security Events & Fraud).

3.1.12 Performing its own due diligence prior to engaging with an External Assessor to perform its HITRUST assessment. Although HITRUST employs processes to confirm External Assessors continue to meet HITRUST standards, HITRUST cannot guarantee that any External Assessor will be successful in its role on any specific engagement.