HITRUST provides reports for each of the following assessments:
- HITRUST Essentials, 1-year (e1) Readiness Assessment
- HITRUST Essentials, 1-year (e1) Validated Assessment
- HITRUST Implemented, 1-year (i1) Readiness Assessment
- HITRUST Implemented, 1-year (i1) Validated Assessment
- HITRUST Risk-based, 2-year (r2) Readiness Assessment
- HITRUST Risk-based, 2-year (r2) Validated Assessment
15.1.1 For HITRUST Essentials, 1-year (e1) Validated, HITRUST Implemented, 1-year (i1) Validated and HITRUST Risk-based, 2-year (r2) Validated Assessments, the requirement statements average scores per domain must meet the threshold required to attain a certification.
15.1.2 The i1 and e1 require each domain to score at least an 83, while the r2 requires each domain to score at least a 62 to achieve certification. For scoring examples, see Appendix A-15: Certification Threshold Scoring Examples.
Upon achieving the required score, the corresponding Certification Report (HITRUST Essentials 1-year (e1) Certification Report, HITRUST Implemented 1-year (i1) Certification Report or HITRUST Risk-based, 2-year (r2) Certification Report) and copies of the certification letter are issued. The copies of the certification letter include one copy with the certification letter and scope of the assessment and one copy with only the certification letter. This is intended to allow Assessed Entities to share only the necessary details of the certification with their relying parties.
15.1.3 For assessments that do not meet the required certification average score threshold, a HITRUST Essentials, 1-year (e1) Validated Assessment Report, HITRUST Implemented, 1-year (i1) Validated Assessment Report or HITRUST Risk-based, 2-year (r2) Validated Assessment Report are issued, respectively. HITRUST refers to these non-certified reports as “validated-only” reports and each report will state that certification thresholds were not met.
15.1.4 The HITRUST Essentials, 1-year (e1) Certification Report and HITRUST Implemented, 1-year (i1) Certification Report are valid for 12 months if there are no significant changes or security events related to the in-scope environment.
15.1.5 The HITRUST Risk-based, 2-year (r2) Certification Report is valid for 24 months, with a requirement to complete an interim assessment at the 12 month anniversary (see Chapter 15.4 Interim Assessment), and if there are no significant changes
(see Chapter 15.6 Significant Changes) or security events (see Chapter 15.3 Security Events & Fraud) related to the in-scope environment.
A separate NIST Cybersecurity Framework Report is provided with each completed HITRUST Risk-Based, 2-year (r2) Validated Assessment. HITRUST certification of the Organization’s NIST Cybersecurity Framework implementation is based on the NIST Cybersecurity Framework and presented via HITRUST’s NIST Cybersecurity Framework Scorecard. The Scorecard reflects the aggregated scores for the underlying HITRUST CSF controls as they are mapped by HITRUST to the NIST Cybersecurity Framework Core Subcategories.
15.1.6 A NIST Cybersecurity Framework Certification Report is issued if the average score of the NIST-mapped HITRUST CSF requirements is 70 or higher on each Core Function and Category.
15.1.7 A NIST Cybersecurity Framework validated-only (i.e., non-certified) report is issued if the average score of the NIST-mapped HITRUST CSF requirements does not achieve a score of 70 on one or more Core Functions and Categories.
15.1.8 The NIST Cybersecurity Framework Report is not available with a HITRUST Essentials, 1-year (e1) Validated Assessment or HITRUST Implemented, 1-year (i1) Validated Assessment.
NOTE: A HITRUST Risk-based, 2-year (r2) Validated Assessment may meet the required threshold to attain HITRUST certification and not meet the required threshold to attain NIST Framework certification report – and vice versa. Therefore, an Assessed Entity may attain one of the certification reports and not the other.
HITRUST Reporting Process
When the QA process is complete the draft reports are built, reviewed, and posted by HITRUST. At that time, the assessment will enter the Reviewing Draft Deliverables phase and the Assessed Entity will be notified.
15.1.9 The Assessed Entity has 30 days to review the draft reports.
15.1.10 Changes to scope, factors, and scoring may not be requested via draft report revisions. Additionally, new evidence may not be introduced during the reporting phases.
15.1.11 After the Assessed Entity has reviewed the draft reports, they may either:
- Approve the Draft Reports: If the Assessed Entity does not request revisions to the draft reports, it can approve the draft reports by selecting the “Approve HITRUST CSF Draft Report” button within the HITRUST CSF Reports section of the assessment. When the draft reports are approved, the assessment enters the Revising Draft phase.
- Request Revisions: If the Assessed Entity would like to request revisions to the draft reports, it may do so by selecting the “Request Revision” button within the HITRUST CSF Reports section of the assessment. This initiates a webform that allows the Assessed Entity to prepare each revision request individually. After the Assessed Entity submits its revision requests to HITRUST, the assessment enters the Revising Draft phase.
15.1.12 If the Assessed Entity does not approve the draft reports or request revisions within 30 days, the draft reports are automatically approved by MyCSF, and the assessment enters the Revising Draft phase.
Upon approval from the Assessed Entity, HITRUST will prepare and post the final reports, the assessment will automatically enter the Complete phase and the Assessed Entity and External Assessor will be notified that the final reports are available. Additionally, the HITRUST marketing team will send a press kit to the Assessed Entity.