HITRUST Updates – June 2021

HITRUST made several announcements in June of 2021 which could impact your HITRUST assessment.  

Policy and Process Documentation

Detailed policies and procedures are a key requirement of demonstrating your compliance with the HITRUST CSF. On June 7, 2021, HITRUST issued HITRUST Assurance Advisory: HAA 2021-002, which provided new guidance on the maturity requirements for policy and process documentation. For policies and procedures to achieve full maturity, they will now be required to be in place for 60 days when the control is tested. Previously HITRUST required the policy and process documentation to be in place for 90 days at the time of testing.

HITRUST also provided guidance on the policy and procedure scoring. For a policy, the revised guidance indicates that the organization must have written documented policies that specify the mandatory nature of the control requirement. For a process, the revised guidance indicates a process must provide a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement. The requirement for implementation of the control did not change from 90 days in order to achieve full maturity.

HITRUST also made a change to the Corrective Action Plan (CAP) requirements for gaps that are related solely to issues with the policy and process documentation. In HAA 2021-003, it was announced that if the gap is solely related to policy and procedure documentation, organizations will not be required to complete a required CAP. If you already have a Validated Certification, then you may contact HITRUST to have your report re-issued without the mandatory CAPs related only to your policy and process documentation.

Assessment Scoping Update 

HITRUST continues to work to implement scoping factors that more accurately tailor the assessment to the organization.   

HITRUST Assurance Advisory HAA 2021-004, issued on June 7, 2021, has implemented rules to help avoid inconsistent responses as noted below:

Scoping Factor	Response	Impact
Is any aspect of the scoped environment hosted in the cloud?	Yes	A “Yes” here will will automatically default the next two questions to “Yes”
Is the system(s) accessible from the internet?	Yes	A “Yes” here will automatically default the next question to “Yes”
Does the system allow users to access the scoped environment from an external network that is not controlled by the organization?	Yes	A “Yes” here will automatically default the previous question to “Yes”

HITRUST will also allow the entity to determine if they want to include Measured and Managed levels in their assessment. If an organization does not have any documentation for Measured and Managed, they may indicate that, and the levels will not appear in their assessment.   

CompliancePoint’s CCSFP personnel can assist you with establishing an internal function or performing periodic measurements and documenting your management responses to help you meet the HITRUST standards. For any questions regarding our services, please feel free to reach out to us at connect@compliancepoint.com.