A HITRUST bridge assessment allows an organization to maintain a form of HITRUST certification status for an additional 90 days even if its validated assessment recertification date has passed. A HITRUST bridge assessment results in a HITRUST bridge certificate if all the conditions in this Chapter are met. The HITRUST bridge certificate links an Assessed Entity’s expiring HITRUST r2 validated assessment with its re-certification by offering a limited level of assurance during the period when the next HITRUST r2 validated assessment is being completed. Bridge certificates do not extend the expiration date of HITRUST validated reports with certification and are considered a separate certification.
The HITRUST bridge assessment is:
- A forward-looking certificate issued by HITRUST.
- Valid for 90 days from the expiration date of the Assessed Entity’s previous HITRUST r2 certification.
- A letter meant to accompany the previous/expired HITRUST certification report.
- A means for the organization to demonstrate that:
- The scoped control environment is unlikely to have degraded since the expiration of the prior certification,
- The scoped control environment is unlikely to degrade significantly for the duration of this certificate, and
- It intends to complete the next HITRUST validated r2 assessment prior to the expiration of the HITRUST bridge certificate.
The HITRUST bridge assessment is not:
- An extension to the Assessed Entity’s existing certification which still expires on the two-year certification anniversary, or
- A replacement for a traditional HITRUST certification as it does not provide an equivalent level of assurance.
- Available for an i1 or e1 certification.
15.8.1 Eligibility for a bridge assessment is determined based on the following criteria:
i. The Assessed Entity must currently hold an active HITRUST r2 validated report with certification.
ii. The Assessed Entity has not already missed its recertification date by more than 30 days.
iii. No reportable breaches at the Assessed Entity have occurred in the scoped control environment since the HITRUST certification was issued.
iv. No significant changes in the scoped control environment have occurred since the HITRUST certification was issued (see Chapter 15.6 Significant Changes).
v. The Assessed Entity intends to complete a full validated r2 assessment prior to the expiration of the HITRUST bridge certificate.
15.8.2 To obtain a HITRUST bridge assessment object, the Assessed Entity must contact its HITRUST Customer Success Manager for approval.
15.8.3 HITRUST bridge assessment objects can be created and submitted no more than 60 days before and up to 30 days after the expiration date of the Assessed Entity’s HITRUST r2 certification.
Bridge Assessment Process
15.8.4 A HITRUST Authorized External Assessor tests 19 requirement statements randomly selected by the HITRUST MyCSF platform. The External Assessor is expected to test all maturity levels that will be included in the r2 validated assessment for the 19 requirement statements.
15.8.5 Requirement statements that were inherited in the expiring validated assessment must demonstrate that the assessment that was inherited is still active and in good standing. The External Assessor should acquire the interim letter from the service provider(s) if the HITRUST certification is still active. The External Assessor should acquire the HITRUST certification letter if the service provider(s) certification has been renewed. In these cases, the scoring and evidence from the bridge assessment may not be transferred to the new HITRUST r2 validated assessment but will require a new inheritance request be submitted during validation.
15.8.6 HITRUST will perform a QA review of the External Assessor’s testing. QA will be performed to the same level and rigor and against the same scoring rubric as full assessments.
Upon successful completion of the QA review, HITRUST issues a HITRUST bridge certificate, which is dated the expiration date of the prior HITRUST r2 validated report. The test results used during the bridge assessment may be included for the corresponding requirement statements in the validated assessment without needing to be reperformed (i.e., HITRUST does not require re-testing of these 19 requirement statements).
15.8.7 The Assessed Entity must submit its completed validated assessment to HITRUST prior to expiration of the HITRUST bridge certificate (i.e., no later than 90 days after the previous certification’s expiration). The 90 days covered by the HITRUST bridge certificate are deducted from the new HITRUST certification’s 24-month validity period resulting in the new certification being dated as of the original re-certification date.
For additional information on bridge assessments, see HITRUST CSF Bridge Assessment.