HITRUST identifies “Mixed Applicability” errors within an assessment when inconsistent responses have been identified in the submission. “Mixed Applicability” errors typically occur due to
- inconsistent responses to factor questions or
- inconsistent responses across requirement statements that address the same topic.
1. Inconsistent responses to factor questions
If a reductive factor question is answered ‘Yes’, the requirement statements related to that factor question topic are not removed from the assessment. In this case, if there are a significant number of requirement statements related to the reductive factor topic answered as N/A, HITRUST will check whether the related factor should actually be answered as ‘No’. A ‘No’ response will remove the requirement statements from the assessment.
For example, if the factor question related to electronic signatures “Does the organization allow the use of electronic signatures to provide legally binding consent within the scoped environment?” is answered ‘Yes’, but the corresponding requirement statements related to electronic signatures in the assessment are all marked N/A then HITRUST will check whether the factor should be answered as ‘No’.
2. Inconsistent responses across requirement statements that address the same topic
There will be a “Mixed Applicability” error if responses for related requirement statements were assessed inconsistently throughout the assessment object.
For example, a “Mixed Applicability” error will be raised if the requirement statement responses in domain 4 were scored as Not Applicable (N/A) with the rationale “mobile devices are not permitted in the environment”, but in domain 13, the requirement statement “Personnel using mobile computing devices are trained on the risks, the controls implemented, and their responsibilities (e.g., shoulder surfing, physical protections).” was scored.
The “Mixed Applicability” error will be flagged in the assessment, and HITRUST will review the inconsistencies with the External Assessor to ensure that all requirement statements were answered consistently.