Assessment Handbook

14.2 QA Tasks

As a HITRUST QA Analyst performs the QA review of the assessment described above, QA Tasks are created for the External Assessor and Assessed Entity to address in MyCSF. The following sections describe the process to respond to QA Tasks.

Each HITRUST validated, interim, bridge, and readiness assessment contains an Assessment Task Management page that can be accessed within an assessment. The Assessment Task Management page is where all tasks for a particular assessment can be addressed and where the status of open and pending tasks can be tracked. When the Assessment Task Management page is accessed by an Assessed Entity or External Assessor user, the My Task Queue displays all open tasks assigned to the user’s group.

In addition to the assessment-specific Task Management page, Assessed Entity and External Assessor users may access a global Task Management page from the top navigation bar of MyCSF to view tasks within all assessments to which the user has access. When accessing either the global Task Management page or an assessment-specific Task Management page, the user may sort and filter the tasks displayed based on the task type, current assigned group, status, and more.

14.2.1 The External Assessor and Assessed Entity must address QA tasks promptly.

There are two types of tasks that may be assigned during the QA process:

  • General Tasks: HITRUST requests or instructions describing an action item for the External Assessor or Assessed Entity to address a QA concern.
  • Proposed Tasks: HITRUST proposed change that must be considered by the Assessed Entity or External Assessor to address a QA concern.

During QA, HITRUST initially assigns all General tasks to the External Assessor. This allows the External Assessor to review each general task and take one of the following next steps:

  • Address the task: When a general task is sent to the External Assessor, it may address the task by making the requested update on the relevant assessment page. After making the requested update, the External Assessor must leave a comment within the task to state the update that was made and should send the task back to HITRUST.
  • Leave a comment within the task and send it back to HITRUST: If the External Assessor would like to respond to the task by leaving a comment or question for the HITRUST QA Analyst, the External Assessor may enter its comment within the task and send the task back to HITRUST.
  • Send the task to the Assessed Entity to be addressed: When the general task is a request by HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the general task should be sent to the Assessed Entity for r2 assessments. For i1 and e1 assessments the External Assessor may be able to address these tasks directly after consultation with the Assessed Entity.

When the External Assessor has assigned a general task to the Assessed Entity, the Assessed Entity may take one of the following next steps:

  • Leave a comment within the task and send it back to the External Assessor: If the Assessed Entity would like to respond to the task by leaving a comment or question for the External Assessor or the HITRUST QA Analyst, the Assessed Entity may enter its comment within the task and send the task back to the External Assessor.
  • Address the task: When the general task includes a request from HITRUST to update the Organization Information Webform, Scope of the Assessment Webform, Factors, requirement statement scoring or applicability, N/A rationale, Management Representation Letter, VRA, or a CAP response, the Assessed Entity may address the task by making the requested update. Depending on the instructions within the task, the requested update is either made within the task itself or on the relevant page of the assessment. After addressing the task, the Assessed Entity must leave a comment within the task to state the update that was made and should send the task back to the External Assessor.

General tasks may be sent back and forth between the Assessed Entity and External Assessor as many times as needed for the task to be addressed. When the task has been addressed, the External Assessor must send the task to HITRUST. After the general task has been sent back to HITRUST by the External Assessor, HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to explain any additional action needed and send the task back to the External Assessor.

A proposed task allows HITRUST to propose a specific value for a field. For this type of task, the Assessed Entity or External Assessor can only apply the value proposed by HITRUST and cannot change any other fields within MyCSF.

For example, a proposed task can be used to change a:

  • Technical Factor answer from ‘No’ to ‘Yes’ or vice versa.
  • Geographical Factor answer from drop-down menu options.
  • Requirement statement which has been scored to Not Applicable.
  • Maturity level score to a specific proposed value.

During QA, HITRUST initially assigns all proposed tasks to the External Assessor. This allows the External Assessor to review each proposed task and take one of the following next steps:

  • Apply the Proposed Change: The External Assessor may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. The External Assessor must discuss any proposed changes with the Assessed Entity prior to applying them. After applying the change proposed within the task, the task is automatically sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment are notified of the change via email and MyCSF notifications. The notifications outline whether a factor response or requirement statement score was changed, the email address of the individual who applied the proposed change, and whether there is a new requirement statement or CAP to be addressed.
  • Reject the Proposed Change: If the External Assessor does not agree with the proposed change, the External Assessor may reject the proposed change. When rejecting the proposed change, the External Assessor is required to enter a comment within the task to explain why the change was rejected. The task is automatically sent back to HITRUST.
  • Send the task to the Assessed Entity to be addressed: If the External Assessor would like the Assessed Entity to review the task and make the decision to either apply or reject the proposed change, the External Assessor may send the task to the Assessed Entity.

When the External Assessor has assigned a proposed task to the Assessed Entity, the Assessed Entity may take one of the following steps:

  • Apply the Proposed Change: The Assessed Entity may apply any changes proposed by HITRUST. This includes proposed tasks to change factor responses and requirement statement scoring. After applying the change proposed within the task, the task is automatically sent back to HITRUST. If a proposed change adds additional requirements to the assessment (e.g., factor change) or additional required CAPs (e.g., certain scoring changes), the Assessed Entity users with access to the assessment are notified of the change via email and MyCSF notifications. The notifications outline: whether a factor response or requirement statement score was changed; the email address of the individual who applied the proposed change; and whether there is a new requirement statement or CAP to be addressed.
  • Reject the Proposed Change: If the Assessed Entity does not agree with the proposed change, the Assessed Entity may reject the proposed change. When rejecting the proposed change, the Assessed Entity is required to enter a comment within the task to explain why the change was rejected. The task is automatically sent back to HITRUST.

When the proposed task has been either applied or rejected by the Assessed Entity or the External Assessor, it is automatically sent back to HITRUST. HITRUST may close the task if it has been appropriately resolved or may leave a comment in the task to provide additional explanation or answer a question and send the task back to the External Assessor. If a proposed task has been rejected and a different change needs to be proposed, HITRUST creates a new proposed task. Additionally, if any new issues are identified during QA, a new proposed task is created.

The Assessed Entity and External Assessor should also be aware that the actions taken to resolve a general or proposed task may generate additional requirement statements or CAPs that must be addressed before QA is completed. When any requirement statements or CAPs within the assessment require attention during QA, the Task Management page displays a banner to indicate that there are requirement statements or CAPs requiring input or validation. The banner contains a link to the assessment homepage where those requirement statements and CAPs are identified by the requirement statement response status. The following scenarios are examples of when a requirement statement or CAP may require attention during QA:

  • When a requirement statement score is updated via a task, the requirement statement will have a status of External Assessor Review Pending to allow the External Assessor to review and thumb up the updated score and link documents as needed.
  • When a factor response is updated via a task, additional requirement statements may be added to the assessment in the status Response Needed for New Statement to allow the Assessed Entity to score the requirement statement and the External Assessor to review and link documents.
  • When a requirement statement score is lowered via a task, new required CAPs may be generated. Any requirement statements requiring CAPs during QA have a status of CAP Required to allow the Assessed Entity to enter a CAP and the External Assessor to review the CAP.