HITRUST Scoping Update

On June 1st HITRUST made significant changes to the technical scoping factors. The technical scoping factors are used by the HITRUST Control Framework to identify the controls applicable to your assessment. These changes are designed to help reduce the number of “not applicable” controls within your assessment and to increase the clarity of the scoping factors.

What are the new scoping factors?
HITRUST added more than ten additional factors related to the following:

  • Use of cloud service providers
  • Access to the scoped environment from an external network
  • Use of dial-up services
  • Use of fax machines
  • Use of hardware tokens
  • Use of personally owned devices
  • Use of wireless access points
  • Electronic commerce
  • Electronic signatures
  • Use of mail services

HITRUST also modified the scoping factor related to third-party access to provide more information by breaking it into two questions relating to accessibility by third-party personnel and transmission of data with a third-party.

For any scoping factor that is assessed as not being applicable to your assessment, you will need to document the rationale behind that selection. The rationale will need to be sufficiently detailed to allow your assessor and HITRUST to evaluate the decision that the factor was not applicable. You also need to be aware the rationale will be a part of your final HITRUST CSF Validated Report.

These changes to the scoping factors should help reduce the amount of effort involved in responding to and validating controls that are not applicable to your environment resulting in a more efficient assessment.

Additional information on the changes to the scoping factors can be found On HITRUST Assurance Advisory HHA 2020-003.

CompliancePoint’s CCSFP personnel can assist you with establishing an internal function or performing periodic measurements and documenting your management responses to help you meet the HITRUST standards. For any questions regarding our services, please feel free to reach out to us at consulting@compliancepoint.com.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.