During the assessment process, HITRUST understands that control gaps may exist in the environment. The HITRUST control maturity model allows an entity to achieve certification with a small number of control gaps across the PRISMA maturity levels when the other corresponding requirement statements have been met. When an Assessed Entity has not met certain requirements, this typically results in a Corrective Action Plan (CAP) or a Gap in the assessment and the final report. For more information on CAPs and Gaps, see Chapter 13.9 CAPs and Gaps.

11.5.1 Each exception noted by the External Assessor during testing must result in a corresponding action on the assessment results. The External Assessor must determine the impact of each exception on the overall scoring of the assessment results. Typically, an exception results in a reduction of the “Strength” score, the “Coverage” score, or both, when the final maturity score is calculated using the HITRUST Scoring Rubric. For examples of how exceptions are reflected in scoring, see Appendix A-6: Rubric Scoring – Policy, Procedure, and Implemented.

11.5.2 Exceptions noted by the External Assessor during validated assessment fieldwork that lead to scores of less than 100% (fully compliant) on the Policy, Procedure, or Implemented PRISMA maturity levels should be captured in MyCSF’s “Assessor Comment” fields and/or within the accompanying work papers. The documentation should be at a sufficient level of detail to enable reviewers, such as the External Assessor’s QA Reviewer, the Engagement Lead, the Engagement Executive, and HITRUST Quality Assurance, to reconcile each exception to the affected PRISMA maturity levels, the corrective action plans (CAPs), and the work papers.

11.5.3 When documenting exceptions within the work papers, External Assessors must include the treatment applied to each exception (for example, how it was reflected in the scoring) and the rationale for that treatment.

11.5.4 Any conditions noted by the External Assessor that necessitate a change in scoring should be discussed with, and agreed to by, management of the Assessed Entity.

For additional information on testing & evidence, see Appendix A-8: Testing and Evidence FAQs & Examples.