HITRUST Updates Aim to Make Assessment Process More User-Friendly to Health care, “Growth-Mode” Companies

October 13, 2022

By Kate Siegrist and Anna Fowler

Key Points

  • HITRUST recently announced enhancements to its MyCSF SaaS platforms.
  • The new, more simplified, Validated i1 Assessment option could be a game-changer for smaller organizations.
  • The HITRUST Results Distribution System (RDS), which streamlines the sharing of assessment results through a centralized method of authenticating, requesting, sharing and analyzing assessment results, will be available by the end of 2021.

In response to client feedback, HITRUST recently announced enhancements to its MyCSF SaaS platform. Per HITRUST, the updates are designed to accelerate the assessment process by providing clearer and more relevant communications to users, streamlining the administrative aspects of the assessment and improving transparency.

For business owners, particularly those in the health care space, and others that may require risk mitigation for third-party relationships, the updates should be seen as welcome news.

What you need to know about the HITRUST platform enhancements

What about the assessment process changed, exactly? According to HITRUST, the following is a summary of the recently announced enhancements.

  • New Assessment Option – The Validated i1 Assessment option will be available in 2022 as an option that focuses on maintaining a good security posture and leading security practices, suitable for entities with moderate assurance requirements. The level of effort to achieve certification through the i1 is much lower than for a standard Validated Assessment, now referred to as the “Validated r2 Assessment.” The most notable differences in requirements for i1 assessments include the option to validate a fixed set of controls (approximately 200) and the option to validate only the implementation of controls. The other maturity levels (policy, procedure, measured and managed) typically evaluated in an r2 assessment are not considered. While pursuing an i1 assessment is a simplified process, it leads to a certification that is valid for 1 year rather than 2 years.
  • New Workflow – New assessment workflows for HITRUST CSF Validated, Interim, Bridge and Basic, Current-state (bC) (previously known as a readiness assessment) Assessments with defined phases replace legacy assessment states.
  • Webforms – Make it possible to enter organizational and scope information into MyCSF, electronically sign key documents and allow assessed entities to easily request and track draft report revisions.
  • Notifications – Notifications that are more informative, clearly communicate action items, identify owners and remind users when an item has been open for an extended period of time.
  • QA Tasks – QA questions and follow-up items post directly into MyCSF as individual tasks to give assessed entities and their Authorized External Assessor organizations the ability to track and respond to each QA item within MyCSF. The new QA reservation system allows organizations to gain more visibility into the process and facilitates resource planning by letting them control the timing of the QA phase.
  • Status Dashboards – New status dashboards provide insight into an assessment’s status, providing transparency into open action items, their ownership and next steps in the assessment workflow.
  • Results Distribution System (RDS) – The HITRUST RDS will be available by the end of 2021 and offers a platform that allows assessed entities to grant third-party access to their report stored in RDS. RDS streamlines the sharing of assessment results by providing a centralized method of authenticating, requesting, sharing and analyzing assessment results.
  • API Integration with GRC and TPRM/VRM Systems – The RDS API integration with GRC and VRM platforms will be a future enhancement. A key feature includes the ability to leverage analytics capabilities of GRC and VRM platforms.
  • Enhanced Data Analytics – HITRUST plans to add a further RDS feature in the future to provide enhanced data analysis tools for relying parties to analyze the assessment results of multiple vendors.

What does this mean for my health care organization?

While not every company needs HITRUST, health care organizations often look to HITRUST Certification to provide risk mitigation for third-party relationships. Those working with an insurance provider are often contractually obligated to maintain a HITRUST assessment. The base set of controls HITRUST requires goes a long way towards achieving HIPAA and other regulatory compliance standards. It’s truly designed for the health care industry. If you provide services or technology to insurance payers, health care providers or other players in the health care market, HITRUST may be a requirement you’ll encounter during the contracting and proposal process.

“This is the first time HITRUST has offered a new assessment option and shifted its strategy in quite some time,” said Anna Fowler, manager. “Through offering the Validated i1 Assessment option, we can cater to organizations with lower risk that may not have a requirement to handle the rigor of a Validated r2 Assessment. This could be a game-changer for smaller organizations.”

Fowler added, “Achieving a HITRUST certification is known to be a grueling process and requirements are perceived by many to be strict. The i1 Assessment is an option to simplify the process through evaluating a limited number of controls and maturity levels, and we’re excited to see more companies achieve certification without exhausting their resources. HITRUST is also moving towards producing results rather than producing reports and offering industry-agnostic options. Entities can tailor their assessments based on risk level and regulatory requirements through the ability to customize the scope or applicable frameworks.”

How EisnerAmper can help

If your organization handles sensitive health or personal data as part of its data processing services, you need to understand what’s required in terms of compliance and what options may be available. Our team can help design customized compliance strategies based on your organization’s and your customers’ needs.

About Kate M. Siegrist

Kate Siegrist is a Partner with over 20 years of combined experience advising CEOs, CISOs and CIOs. She helps her clients navigate highly regulated industries to ensure business opportunities are not missed due to compliance burden.