There are certain circumstances that may result in HITRUST certifications being suspended or revoked. These circumstances include a security event at the Assessed Entity (including data breaches), fraud by the Assessed Entity and/or the External Assessor, or misrepresentations by the Assessed Entity and/or the External Assessor.

15.3.1 When the Assessed Entity identifies a security event (including any data breaches), involving the environment in-scope of its HITRUST certification, it is required to notify HITRUST when either: a) the Assessed Entity has confirmed the security event, or b) the investigation has been open or ongoing for sixty (60) days from the date when the Assessed Entity identified the incident as a potential security event or data breach.

15.3.2 A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, used, disclosed, or accessed in an unauthorized fashion and/or by an individual not authorized to do so, compromising the privacy or security of the data.

15.3.3 In the case of a reported security event, HITRUST will begin an investigation within 30 days of the Assessed Entity notifying HITRUST. The duration of the investigation may be extended by HITRUST if more time is required to determine the cause and assess the significance of the control failure(s) and their impact on the Assessed Entity’s certification.

15.3.4 During the investigation, the Assessed Entity must provide additional information requested by HITRUST related to the cause and/or scope of the security event. If necessary, HITRUST may request the Assessed Entity to have an independent Assessor perform an investigation to provide further clarity on the root cause of the security event as it relates to the requirement statements and environment under certification.

15.3.5 During the investigation, HITRUST will request the Assessed Entity and/or External Assessor to identify and re-evaluate the requirement statement(s) related to the security event. HITRUST will evaluate the Assessed Entity’s maturity score(s) for those requirement statement(s), as of the time of failure, to determine whether they deviated from the maturity score(s) recorded for those requirement statement(s) during the Assessed Entity’s validated assessment.

15.3.6 If the maturity score(s) deviated to a level below what was required for certification, HITRUST may suspend or revoke the Assessed Entity’s certification. If the maturity score(s) deviated below the Assessed Entity’s prior maturity score(s), but not below the certification threshold, HITRUST may suspend the certification.

15.3.7 If HITRUST suspends the Assessed Entity’s certification, HITRUST will provide the Assessed Entity with the necessary process for removal of the suspension. For example, if certain requirement statement(s) were found to no longer be operational resulting in the security event, HITRUST may request the Assessed Entity to remediate the impacted requirement statement(s) and have the requirement statement(s) re-tested by an External Assessor (after any necessary incubation period). The requirement statement(s) must achieve scores greater than or equal to the scores from the validated assessment prior to removal of the suspension.

15.3.8 During suspension of the HITRUST certification, the Assessed Entity may not allow external or internal inheritance and may not communicate that they are HITRUST certified.

15.3.9 If HITRUST revokes the Assessed Entity’s certification, the Assessed Entity may perform a new full validated assessment 90 days after remediation of all controls related to the security event. If the Assessed Entity performs a new r2, i1, or e1 validated assessment after a security event, it must modify the Management Representation Letter in the new assessment to reflect the circumstances of the security event. HITRUST will review and approve the necessary Management Representation Letter updates.

15.3.10 If the security event occurred prior to the Assessed Entity’s interim assessment, the External Assessor must include a “thumbs down” to the question in MyCSF stating “The External Assessor inquired of management of the Assessed Entity and was told that no security breaches have occurred within the scoped and assessed environment that required reporting to a federal or state agency by law or regulation since the certification effective date.” In addition, the External Assessor must include a document stating the procedures performed as a result of the security event and results of its procedures.

15.3.11 If fraud and/or misrepresentation is suspected at any time during the validated assessment process or certification period, HITRUST will investigate the activity and circumstances surrounding the concern. The Assessed Entity and/or External Assessor are expected to cooperate with HITRUST throughout the investigation.

15.3.12 When fraud and/or misrepresentation has been identified at any point during the validated assessment process or certification period, HITRUST will revoke the certification and reserves the right to remove the Assessed Entity and/or the External Assessor from the HITRUST program.