A HITRUST certification is only valid for the system(s), facility(s) and supporting infrastructure included in-scope of an Assessed Entity’s validated assessment and the corresponding certification letter and validated report. However, HITRUST understands that Assessed Entities may have fast-changing environments which require maintaining a continuous HITRUST certification. As a result, HITRUST has developed a collaborative process that enables Assessed Entities to maintain their certification when they have identified developments that may impact their current certification (“Significant Changes”).

15.6.1 When an Assessed Entity has identified a significant change that may impact its current certification, it must notify HITRUST (support@hitrustalliance.net) to determine the steps that can be taken to maintain its certification.

15.6.2 A change is considered significant when it is likely to impact the security or privacy posture of the Assessed Entity’s system(s), facility(s) or supporting infrastructure in-scope of its certification. Examples of activities that might be considered a significant change include:

  • Moving from an on-premises data center into a public cloud environment.
  • Moving an in-scope facility to a different physical location.
  • Decommissioning a data center and moving all assets to a different data center.
  • Replacing in-scope platforms (e.g., moving from SAP to Oracle EBS).
  • Changing an in-scope system to use a different back-end system (e.g., using a NoSQL backend instead of a relational database).
  • Moving away from an outsourced IT model by standing up an internal IT function.
  • Changes in responsibility for performance or oversight of the in-scope control activities (e.g., outsourcing, insourcing, change in service providers).
  • New functionality in an in-scope platform enabling it to be accessed from a public location.
  • Acquisitions, divestitures, mergers, or other changes in control of an Assessed Entity where controls over in-scope systems are no longer being operated by the Assessed Entity that originally obtained the certified report.
  • Change in a “Factor” question response within the validated assessment.

Significant changes are reported so HITRUST certifications continue to accurately reflect the assessed environment, benefitting both the Assessed Entity and its relying parties. The path required to maintain certification is highly dependent on the nature of the change, timing of the change (within the Assessed Entity’s certification cycle), and impact on the certification.

If the significant change means that additional testing of the Assessed Entity is required, HITRUST may decide to include that additional testing as part of the interim assessment. Whether this is feasible depends on the timing of the change within the Assessed Entity’s certification cycle (not all changes occur close to the interim assessment) and on the nature of the change (there may not be sufficient time to complete all necessary additional testing by the interim deadline).

If an Assessed Entity introduces a new system and/or facility not currently in-scope of its HITRUST certification, this is considered a scope expansion. Scope expansions are not considered significant changes since the current certification remains accurate by reflecting the in-scope environment included in the initial certification report. Although the new scope may potentially be introduced into the same environment included within the current HITRUST certification, the new scope would not be HITRUST certified as it was not in-scope of the corresponding validated assessment.

15.6.3 If the Assessed Entity requires the new scope to be HITRUST certified, this will require a new validated assessment on the areas within the scope expansion.

15.6.4 If there are requirement statements in this new assessment which were already addressed in the corresponding validated assessment, the Assessed Entity may be able to use reliance or inheritance from the previously completed HITRUST assessment to avoid re-testing those requirement statements. The certification being relied upon or inherited must be an active certification prior to the submission date in order to use this capability. For additional details on reliance, see Chapter 12 Reliance and Third-party Coverage.