HITRUST Updates Aim to Make Assessment Process More User-Friendly To Healthcare, “Growth-Mode” Companies

In response to client feedback, HITRUST recently announced enhancements to its MyCSF SaaS platform. Per HITRUST, the updates are designed to accelerate the assessment process by providing clearer and more relevant communications to users, streamlining the administrative aspects of the assessment and improving transparency.

For business owners, particularly those in the healthcare space, and others that may require risk mitigation for third-party relationships, the updates should be seen as welcome news.

What you need to now about the HITRUST platform enhancements

What about the assessment process changed, exactly? According to HITRUST, the following is a summary of the recently announced enhancements.

• New Assessment Option – The Validated i1 Assessment option will be available in 2022 as an option that focuses on maintaining a good security posture and leading security practices that is suitable for entities with moderate assurance requirements. The level of effort to achieve certification through the i1 is much lower than a standard Validated Assessment, now referred to as the “Validated r2 Assessment.”  The most notable difference in requirements for i1 assessments include the option to validate a fixed set of controls (approximately 200) and the option to only validate implementation of controls. The other maturity levels (policy, procedure, measured and managed) typically evaluated in a r2 assessment are not considered. While pursuing an i1 assessment is a simplified process, it leads to a certification that is valid for 1 year rather than 2 years.
• New Workflow – New assessment workflows for HITRUST CSF Validated, Interim, Bridge and Basic, Current-state (bC) (previously known as a readiness assessment) Assessments with defined phases replace legacy assessment states.
• Webforms – Make it possible to enter organizational and scope information into MyCSF, electronically sign key documents and allow assessed entities to easily request and track draft report revisions.
• Notifications – Notifications that are more informative, clearly communicate action items, identify owners and remind users when an item has been open for an extended period of time.
• QA Tasks – QA questions and follow-up items post directly into MyCSF as individual tasks to give assessed entities and their Authorized External Assessor organizations the ability to track and respond to each QA item within MyCSF. The new QA reservation systems allows organizations to gain more visibility into the process. This facilitates the planning of resources through controlling the timing of the QA phase. 
• Status Dashboards – New status dashboards provide insight into an assessment’s status, providing transparency into open action items, their ownership and next steps in the assessment workflow.
• Results Distribution System (RDS) – The HITRUST RDS will be available by the end of 2021 and offers a platform to allow assessed entities to grant third-party access to their report stored in RDS. RDS streamlines the sharing of assessment results through providing a centralized method of authenticating, requesting, sharing and analyzing assessment results.
• API Integration with GRC and TPRM/VRM Systems – The RDS API integration with GRC and VRM platforms will be a future enhancement. A key feature includes the ability to leverage analytics capabilities of GRC and VRM platforms.
• Enhanced Data Analytics – HITRUST plans to add an additional RDS feature in the future to enable enhance data analysis tools for replying parties to analyze the assessment results of multiple vendors.  

What does this mean for my healthcare organization?

While not every company needs HITRUST, healthcare organizations often look to HITRUST Certification to provide risk mitigation for third-party relationships. Those working with an insurance provider are often contractually obligated to maintain a HITRUST assessment. The base set of controls HITRUST requires go a long way towards achieving HIPAA and other regulatory compliance standards. It’s truly designed for the healthcare industry. If you provide services or technology to insurance payers, healthcare providers or other players in the healthcare market, HITRUST may be a requirement you’ll encounter during the contracting and proposal process.

“This is the first time HITRUST has offered a new assessment option and shifted its strategy in quite some time,” said Anna Fowler, manager, EisnerAmper Technology Consulting. “Through offering the Validated i1 Assessment option, we can cater to organizations with lower risk that may not have a requirement to handle the rigor of a Validated r2 Assessment. This could be a game-changer for smaller organizations.”

Fowler added, “Achieving a HITRUST certification is known to be a grueling process and requirements are perceived by many to be strict. The i1 Assessment is an option to simplify the process through evaluating a limited number of controls and maturity levels and we’re excited to see more companies achieve certification without exhausting their resources. HITRUST is also moving towards producing results rather than producing reports and offering industry agnostic options. Entities can tailor their assessments based on risk level and regulatory requirements through the ability to customize the scope or applicable frameworks.”