As described in Chapter 13.10 Check-in Process, when HITRUST’s check-in process identifies that the assessment is ready for QA review, HITRUST accepts the assessment, and it enters the Pending Quality Assurance phase. During the week of the reserved QA block, the QA process will begin. This process takes place within seven phases of the validated assessments workflow process outlined in the following diagram.

All accepted assessments are assigned to a HITRUST QA Analyst, and the assessment enters the Performing QA phase when the HITRUST QA Analyst begins the QA review of the assessment. At this time, Assessed Entity personnel and External Assessors assigned to the assessment are notified via email and MyCSF homepage notification that the QA review has begun. The email notification contains the name and email address of the HITRUST QA Analyst assigned to the assessment.

During this phase, the HITRUST QA Analyst reviews the following:

  • Pre-Assessment: A review of information captured on the Organization Information, Scope of the Assessment, Assessment Options, and Factors pre-assessment pages.
  • Required Documents and Webforms: A review of information captured in the Management Representation Letter, Test Plans, External Assessor Time Sheet, and Audits and Assessments Utilized required documents and webforms.
  • Risk-based Sample of Core Requirement statements (Core QA): A selection of requirement statements where HITRUST reviews the External Assessor’s testing against the stated control maturity scoring.
  • Sample of Measured and Managed Scores: A selection of requirement statements containing scoring on the Measured and Managed levels is subject to additional QA procedures (only applicable for r2 assessments utilizing the Measured or Managed maturity levels).
  • Overridden Potential Quality Issues (PQIs): A review of all PQIs that were overridden by the Assessed Entity or External Assessor to ensure that the override is appropriate.

If the HITRUST QA Analyst identifies any exceptions or questions during its review, QA Tasks will be prepared in MyCSF for the External Assessor and Assessed Entity to address (see Chapter 14.2 QA Tasks). Once the HITRUST QA Analyst enters all QA tasks, the assessment is moved to the Addressing QA Tasks phase.

NOTE: If the QA review identifies more significant concerns within the assessment than normal, the assessment will be submitted to the HITRUST Quality team to enter the escalated QA process (see Chapter 14.4 Escalated QA).

14.1.1 During the Addressing QA Tasks phase, the Assessed Entity and External Assessor must address the QA tasks created by HITRUST.

14.1.2 If the action taken to address a task adds requirement statements to the assessment, those requirement statements must be scored by the Assessed Entity and validated by the External Assessor.

14.1.3 If the action taken to address a task adds required CAPs to the assessment, those CAPs must be entered by the Assessed Entity and reviewed by the External Assessor.

When all tasks have been returned to HITRUST and all new requirement statements and/or CAPs have been reviewed by the External Assessor, the assessment automatically enters the Reviewing Pending QA Tasks phase.

HITRUST reviews the QA Tasks addressed by the Assessed Entity and External Assessor, closes all tasks that have been resolved, and sends any QA tasks still needing more information back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing QA Tasks phase.

After all QA Tasks have been resolved by the Assessed Entity and External Assessor and closed by HITRUST, the QA review of the assessment is complete, and the assessment moves to the Preparing and Reviewing Deliverables phase.

During the Preparing and Reviewing Deliverables phase, HITRUST prepares and reviews the draft reports. All draft reports will be submitted for additional review by Assurance management and the Quality team. If there are no concerns from the review of the draft report, the HITRUST QA Analyst uploads the draft reports to MyCSF. This causes the assessment to enter the Reviewing Draft Deliverables phase. For additional information on reporting and draft report requirements, see Chapter 15.1 HITRUST Reporting.