Objectivity is essential for both External and Internal Assessors. However, determining independence and objectivity during a HITRUST assessment can be complex for an External or Internal Assessor, as it involves both the fact and the appearance of the specific circumstances. HITRUST has defined the following independence guidance for External and Internal Assessors during performance of a validated assessment. However, these requirements may not consider all potential situations, so HITRUST encourages External and Internal Assessors to consult with HITRUST as necessary prior to performing ancillary services for an Assessed Entity:

3.3.1 The External Assessor firm used for a validated assessment must be a separate legal entity from the Assessed Entity.

3.3.2 The External or Internal Assessor function must be independent of the business functions being assessed. Independence requires there be no overlap in responsibilities, staffing, ownership of the controls, or reporting between the business functions being assessed and the External or Internal Assessor function.

3.3.3 Ownership of the policies and procedures being assessed must be independent from the External or Internal Assessor function.

3.3.4 Management of the Assessed Entity must not be able to restrict the nature, scope, and extent of testing determined to be required by the External or Internal Assessor.

3.3.5 External Assessor personnel involved (in the prior 12 months) in the implementation or operation of Assessed Entity controls evaluated within a HITRUST validated assessment may not work on the validated assessment for that Assessed Entity. A separate team (including a separate engagement executive / partner) must be brought in for the validated assessment effort.

3.3.6 External Assessor personnel involved in a HITRUST validated assessment may perform consulting or evaluation services for the Assessed Entity, such as the following:

  • HITRUST policy and/or procedure consulting assessments (excluding remediation activities, such as writing an Assessed Entity’s policies and/or procedures)
  • Penetration testing (excluding remediation activities that involve implementation or operation of a control)
  • Vulnerability scanning (excluding remediation activities that involve implementation or operation of a control)
  • HITRUST readiness / gap assessments (excluding remediation activities that involve implementation or operation of a control)