HITRUST Policy and Procedure Documentation Requirements

If you are considering a HITRUST Risk-Based, 2-year (r2) Assessment, one of the areas you will need to evaluate is your policy and procedure documentation. As the table below demonstrates, HITRUST policy and procedure documentation is critical to obtaining r2 certification.

Table (scoring by maturity level): Evaluative Element | Policy | Procedure | Implemented | Measured/Managed*

For a control to be considered compliant with the framework, it must score at least 61.99; controls scoring between 61.99 and 70.99 are identified by HITRUST as having a gap in implementation and may require your organization to prepare corrective action plans to obtain certification.

As you can see, failing to have policy and procedure documentation that meets the HITRUST standards makes it unlikely that you will achieve the goal of obtaining an r2 Certification.

So what type of documentation is required for policies and procedures?

Policy: For each r2 statement there must be a documented policy that indicates the mandatory nature of the requirement statement. Policy statements can be documented in formal policies or other documents such as an employee handbook or code of conduct. They must address all the evaluative elements of a control requirement.  

Procedure: For each r2 statement, the control implementation must be supported by a documented procedure that addresses the operational aspects of how to perform the requirement statement. The procedure should document enough detail to give the control owner the information required to perform the control requirement, and it should also identify the responsible party.

HITRUST Policy and Procedure FAQs

Question – Isn’t it enough to demonstrate our intent to comply with the requirement statement?  

Answer – No! The recently released HITRUST Assessment Handbook states that if the policy and/or procedure does not specifically address all of the control's evaluative elements, the External Assessor may not approve a score of fully implemented.

Question – We have controls where the “how to” is obvious just by the nature of the control. Do we really need a formal procedure? Doesn’t the policy address this?

Answer – Yes! Any procedure that is not formally documented may result in the procedure element receiving only 5 of the 20 available points.

Let’s look at an example!

Control: The organization has implemented and regularly updates mobile code protection, including anti-virus and anti-spyware.

Current Policy and Procedure: All end-user devices will comply with organization standards.

As currently written, the policy does not specifically address all the evaluative elements for this control; it refers only generally to "organization standards" rather than to the specific requirements. Additionally, there is no guidance on the process used to ensure the mobile code protection is fully implemented and kept updated. Based on the current documentation, the control would receive only about 25% of the available maturity credit, reducing the score from 35 points to 8.75.

To improve the score, the organization would need to state clearly in policy that end-user devices will have mobile code protection, including anti-virus and anti-spyware, which is updated regularly. Additionally, a procedure outlining how devices are provided with the appropriate protection, and how the organization updates that protection, needs to be documented.

CompliancePoint is an authorized HITRUST CSF Assessor. Our experienced team of healthcare and cybersecurity professionals can guide you through every step of your HITRUST certification. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.