In certain cases, an Assessed Entity may determine that a requirement statement is not applicable. The following steps must be followed to determine and document the non-applicability:

8.3.1 In situations where an Assessed Entity determines a requirement statement is not applicable, the Assessed Entity must document the corresponding rationale within the assessment in the ‘Subscriber Comments’ and select the ‘N/A?’ checkbox. The rationale must specify what causes the requirement statement to be not applicable for the in-scope environment.

8.3.2 The rationale for the “N/A” must be consistent across the assessment. If a requirement statement is marked “N/A” because the Assessed Entity does not perform that service, but that service is part of a scored requirement in another part of the assessment, HITRUST will identify a concern related to ‘mixed applicability’ for the Assessed Entity and/or Assessor to clarify. For more information on the Quality checks performed by HITRUST during submission, see Chapter 13.4 Automated Quality Checks. For more information on ‘mixed applicability,’ see Appendix A-2: Mixed Applicability Errors.

8.3.3 The “N/A” rationale must fully address all aspects of the assessment scope, including systems, facilities and third parties.

8.3.4 A requirement statement being performed by a third party is not an appropriate rationale for an “N/A”, unless the assessment type is an i1 or e1 and there is a documented carve-out for the third party (see Chapter 7.3 Carve-outs).

8.3.5 Non-occurrence of a requirement statement cannot be used as rationale to mark the requirement as “N/A.” For additional information on the correct testing approach when there has been no occurrence of a requirement statement, see Chapter 11 Testing & Evidence Requirements.

8.3.6 The “N/A” rationale should relate to the requirement statement where the rationale is documented, and it should address all evaluative elements for the requirement.

8.3.7 The “N/A” rationale should not include descriptions of test procedures or test results, or include references to supporting evidence.

8.3.8 The “N/A” rationale must be clear, concise, and free of spelling and grammatical errors.

8.3.9 It is possible that only certain elements in a requirement statement are considered “N/A.” In those cases, the elements considered “N/A” should be documented in the corresponding testing together with the rationale, and the scoring should be determined based on testing of the remaining evaluative elements (excluding the non-applicable elements from any scoring calculation).

There are certain requirement statements that typically cannot be marked “N/A.” These are often monitoring requirements that HITRUST expects all Assessed Entities to implement. For other examples, see Appendix A-4: Never N/A Examples. HITRUST Quality Assurance will notify the Assessed Entity and External Assessor upon submission if they are unable to “N/A” a particular requirement. For “N/A” examples and a decision tree that follows the above guidance, see Appendix A-3: Not Applicable (N/A) Examples and Appendix A-5: N/A Decision Tree.