In a HITRUST assessment, a carve-out means that a third-party responsible for managing a portion of the Assessed Entity’s control environment is excluded from assessment scoring.

7.3.1 For r2 assessments, HITRUST does not accept any carve-outs of third-parties. As a result, if a third-party manages any of the scope components, as defined in Chapter 7.2 Required Scope Components, that third-party must be included as part of the assessment. For further information on potential testing approaches for third-parties, see Chapter 12 Reliance & Third-Party Coverage.

For i1 and e1 assessments, third-parties relevant to the in-scope environment may be excluded from testing (i.e., carved-out). In order to exclude the third-party:

7.3.2 The Assessed Entity must clearly document, in the organizational overview and scope section, the responsibilities of the third-party and the fact that the third-party was not included in the scope of testing.

7.3.3 The third-party being excluded from scope must be completely removed from scoring throughout the assessment. They cannot be addressed partially during the assessment.

7.3.4 Within the assessment, requirements that are completely the responsibility of the third-party should be documented as Not Applicable (N/A) and include the corresponding rationale.

7.3.5 If any elements in a requirement statement are the responsibility of the Assessed Entity and/or another included third-party, that part must be scored.

For additional information on carve-out scoring, see A-1: Carve-out Scoring Details.