13.9.1 For i1 or e1 validated assessments, HITRUST requires Assessed Entities to define Corrective Action Plans (CAPs) for all requirement statements meeting the following criteria:

i. Requirement statements that score less than “fully compliant” and
ii. Associated control reference average score is less than 80.

Instances in which a requirement statement scores less than “fully compliant” and the associated control reference averages 80 or higher are identified as gaps instead of CAPs. The following diagram illustrates the process for identifying gaps and CAPs in i1 or e1 validated assessments.

13.9.2 For r2 validated assessments, HITRUST requires Assessed Entities to define corrective action plans (CAPs) for all requirement statements meeting the following criteria:

i. Requirement statement’s overall score is less than 71,
ii. Requirement statement’s Implemented maturity level scores less than “fully compliant”,
iii. Associated control reference (e.g., 00.a) is required for HITRUST Risk-based, 2-year (r2) certification, and
iv. Associated control reference averages less than 71.

Instances in which a requirement statement scores less than 71 and one or more of the CAP criteria are not met are identified as gaps instead of CAPs. The following diagram illustrates the process for identifying gaps and CAPs in r2 validated assessments.

13.9.3 When an r2, i1, or e1 assessment enters the Inputting CAPs and Signing Rep Letter phase, any requirement statements requiring CAPs are identified in MyCSF using the “CAP Required” requirement statement-level response status.

13.9.4 For each requirement statement with the status “CAP Required”, the Assessed Entity must enter a corrective action plan which describes the specific steps that are planned to correct the identified deficiency. The Assessed Entity enters its corrective action plans by completing the CAP form in MyCSF, which includes (at a minimum) the following information:

  • Name – A name to identify the CAP.
  • Corrective Action – A description of the planned corrective action that is specific, measurable, and clear enough to provide value to readers of the HITRUST report. All deficient levels and evaluative elements must be addressed by the corrective action.
  • Status – The current status of the corrective actions; selected from the following:
    • Not Started: Corrective actions have not yet begun
    • Started – At Risk: Corrective actions have begun, but are at risk to not be completed by the scheduled completion date
    • Started – On Track: Corrective actions have begun and are on track to be completed by the scheduled completion date
    • Completed: Corrective actions have been completed
  • Point of Contact / Owner – The name and/or job title of the point of contact or owner of the corrective action plan.
  • Scheduled Completion Date – The date when the planned corrective actions are scheduled to be completed.

For additional information on writing CAPs, see Appendix A-13: Well-written CAP Examples.

13.9.5 For requirement statements with the status “CAP Required” that have a score of 62 or higher, the Assessed Entity may optionally accept the risk rather than plan for the remediation of the deficiency. To determine whether to accept the risk of a deficiency or define a corrective action plan, the Assessed Entity must perform and document a risk analysis, taking into consideration the likelihood and impact of the risk as well as the existence of mitigating controls.
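The CAP/gap decision rules of 13.9.1 and 13.9.2, together with the risk-acceptance threshold of 13.9.5, written out as a small Python classifier. This is an added illustration, not HITRUST or MyCSF code; the `RequirementStatement` fields and the `ref` identifier are assumptions, and the i1/e1 path models "fully compliant" as a boolean because the handbook gives no numeric value for it.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    NONE = "no action"       # requirement statement needs neither a CAP nor a gap
    GAP = "gap"              # deficient, but not all CAP criteria are met
    CAP = "CAP Required"     # MyCSF response status named in 13.9.3


@dataclass(frozen=True)
class RequirementStatement:
    """Scores for one requirement statement (constructed sample data, not MyCSF output)."""
    ref: str                        # hypothetical identifier such as "00.a-01"
    overall_score: float            # requirement statement score, 0-100
    fully_compliant: bool           # i1/e1: statement scores "fully compliant";
                                    # r2: Implemented maturity level scores "fully compliant"
    control_ref_average: float      # average score of the associated control reference
    control_ref_required_for_r2: bool = True   # r2 criterion iii


def classify(rs: RequirementStatement, assessment_type: str) -> Outcome:
    """Apply the handbook's CAP/gap rules for an 'i1', 'e1' or 'r2' assessment."""
    if assessment_type in ("i1", "e1"):
        # 13.9.1: nothing to report unless the statement is below "fully compliant".
        if rs.fully_compliant:
            return Outcome.NONE
        # CAP only when the control reference also averages below 80; otherwise a gap.
        return Outcome.CAP if rs.control_ref_average < 80 else Outcome.GAP
    if assessment_type == "r2":
        # 13.9.2: an overall score of 71 or higher is neither a CAP nor a gap.
        if rs.overall_score >= 71:
            return Outcome.NONE
        cap_criteria = (
            not rs.fully_compliant,            # ii: Implemented level below "fully compliant"
            rs.control_ref_required_for_r2,    # iii: control reference required for r2
            rs.control_ref_average < 71,       # iv: control reference averages below 71
        )
        # All remaining criteria met -> CAP; any one unmet -> gap.
        return Outcome.CAP if all(cap_criteria) else Outcome.GAP
    raise ValueError(f"unknown assessment type: {assessment_type!r}")


def risk_acceptance_eligible(rs: RequirementStatement, outcome: Outcome) -> bool:
    """13.9.5: a 'CAP Required' statement scoring 62 or higher may instead accept the risk."""
    return outcome is Outcome.CAP and rs.overall_score >= 62
```

The boundary values matter: an r2 statement at exactly 71, or an i1/e1 control reference averaging exactly 80, falls on the non-CAP side of each rule, and risk acceptance opens at exactly 62.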

13.9.6 When the assessment enters the Reviewing CAPs phase, any requirement statements for which the Assessed Entity has entered a required CAP are identified by the requirement statement-level response status “Awaiting CAP Review”.

13.9.7 For each requirement statement identified as “Awaiting CAP Review,” the External Assessor must review the linked CAPs for specificity, clarity, spelling, and grammar. Additionally, for each CAP where the Assessed Entity has not elected to accept the risk, the External Assessor must review the ability of the Assessed Entity to demonstrate progress against the CAP.