Live QA is a process which differs from the normal QA process because supporting evidence for an assessment is provided via screen share sessions. Due to the requirements necessary to perform Live QA, this process will extend the length of time for an assessment to traverse the QA process and for an Assessed Entity to receive its report.
14.3.1 An assessment qualifies for a Live QA session if the Assessed Entity, due to legal, regulatory, or corporate policies, is not able to upload the supporting evidence required for each requirement statement within the MyCSF portal.
14.3.2 If required supporting documentation was not provided during check-in, the HITRUST QA Analyst will review with the Assessed Entity and/or External Assessor if Live QA is necessary for the assessment. If so, the assessment is accepted and tagged for Live QA.
14.3.3 Only supporting evidence and/or narratives that violate the Assessed Entity’s legal, regulatory, or corporate policies may be withheld from MyCSF. All other required assessment documentation, including completed Test Plans, testing results (after removing proprietary data) and file names of linked evidence (see criteria 14.3.4), must be included. HITRUST will not accept the assessment or perform Live QA until all necessary information has been included with the assessment.
14.3.4 The External Assessor must link in each requirement statement the references to the supporting documents which were reviewed during the assessment. These references must indicate the corresponding maturity level for each document.
14.3.5 When QA starts, the HITRUST QA Analyst will perform the initial review of the assessment excluding the Core QA or “Measured & Managed” sampled requirement statements and submit the initial feedback to the External Assessor via MyCSF tasks. In parallel the HITRUST QA Analyst will initiate the process of scheduling the Live QA sessions via tasks.
NOTE: Live QA sessions are scheduled after the initial QA review is completed.
14.3.6 Prior to the Live QA session, the External Assessor and/or Assessed Entity may address the tasks the HITRUST QA Analyst has sent related to scope, organization information, N/A requirement statements, CAP response details, and any other questions related to the assessment.
14.3.7 The External Assessor team must be prepared to display any working papers / supporting documentation reviewed during the assessment’s fieldwork that are requested by HITRUST during the Live QA session.
NOTE: The Assessed Entity may optionally attend the Live QA session with the External Assessor.
14.3.8 During the Live QA session, the HITRUST QA Analyst will perform the following:
- The Core QA and Measured & Managed (if necessary) sampled requirement statements will be selected during the session.
- The HITRUST QA Analyst will review one requirement at a time. For each selected QA sample item, the Analyst will ask to see the documents linked to a requirement statement for the maturity level being reviewed.
- The External Assessor will share the screen and display documents as requested by the HITRUST QA Analyst.
- The HITRUST QA Analyst will discuss their questions about the content being displayed with the External Assessor.
- The outcome will either be that the HITRUST QA Analyst agrees with the scoring or proposes scoring adjustments. If scoring adjustments are proposed, these must be agreed upon before moving to the next requirement statement.
The steps will be repeated continuously for each requirement statement until the support evidence for all maturity levels of the sampled requirement statement have been verified.
NOTE: The scoring evaluation by the HITRUST QA Analyst is final. Additionally, if the HITRUST QA Analyst notes additional concerns than normal in the assessment or with the scoring of sampled requirements during the Live QA, the assessment may be escalated to the HITRUST Quality team as part of the Escalated QA process (see Chapter 14.4 Escalated QA).