The assessment workflow for HITRUST r2, i1, and e1 validated assessments comprises 16 workflow phases. The following diagram displays the workflow phases, including the primary owner of each phase. All phases are performed sequentially, and each phase owner should allot the time needed to perform that phase's responsibilities so the assessment is completed in a timely manner. A brief description and summary of each phase is included below; many of the phases, together with their specific requirements, are described in more detail in the corresponding sections of this Handbook.

Answering Pre-Assessment

When an Assessed Entity creates a new assessment object, it begins the assessment process by entering key preliminary information. Once these fields are completed, MyCSF generates the assessment.

The Assessed Entity (or optionally the External Assessor for i1 and e1 assessments) must complete each of the following pre-assessment webforms within MyCSF:

  • Name & Security
  • Organization Information
  • Assessment Options
  • Scope of the Assessment
  • Default Scoring Profile
  • Factors (r2 only)

For additional information on the pre-assessment, see Chapter 6 Pre-Assessment.

Answering Assessment

The Assessed Entity, or its designee, must accurately respond to each requirement statement in the assessment based upon the PRISMA maturity model (the i1 and e1 only utilize the Implemented PRISMA level). For additional information on the PRISMA maturity levels, see Chapter 9 PRISMA Maturity Levels.

The Assessed Entity will use the HITRUST Control Maturity Scoring Rubric to determine scores for each PRISMA maturity level across the assessment. When a requirement statement is marked “not applicable”, the Assessed Entity includes commentary within the ‘Subscriber Comment’ field in MyCSF explaining why the requirement statement is not applicable to the scope of the assessment. This commentary will appear in the assessment report. For additional information on requirement statements and scoring, see Chapter 8 Requirement Statements and Chapter 10 HITRUST Scoring Rubric.

The Assessed Entity will resolve all triggered potential quality issues (PQIs) by either following the recommendations to address the issue or by choosing to override / accept the issue (with explanation). All overridden / accepted PQIs are subject to HITRUST QA review (see Chapter 13.4 Automated Quality Checks for additional information on PQIs). During this phase, the Assessed Entity is advised, but not required, to book its QA Reservation and begin the process of completing the Validated Report Agreement webform.

Performing Validation

In this phase, the External Assessor validates the information entered by the Assessed Entity. First, the External Assessor must review and approve the content of each pre-assessment section before being allowed to link documentation or agree to requirement statement scoring within the assessment. The External Assessor must then review requirement statement scoring, link relevant documentation, and address any PQIs that have been triggered. The External Assessor is required to complete the Test Plan, the Audits and Assessments Utilized page, the External Assessor Time Sheet, and the QA Checklist. The QA Checklist should be used throughout this process to confirm that all necessary activities are being properly completed. The External Assessor should remind the Assessed Entity to complete the Validated Report Agreement and Management Representation letter (“Rep Letter”) during the upcoming phases.

For details on External Assessor expectations, see Chapter 13 Assessment Submission Process.

Inputting CAPs and Signing Rep Letter

In this phase, the Assessed Entity must complete the Validated Report Agreement and Rep Letter. Any requirement statements requiring CAPs will be identified in MyCSF, and the Assessed Entity must enter the required CAPs. For additional information on CAPs, see Chapter 13.9 CAPs and Gaps.

Reviewing CAPs

In this phase, the External Assessor must review the linked CAPs. The Assessed Entity can also demonstrate progress against the CAPs. All CAPs must include the information defined in criteria 13.9.4 (see Chapter 13.9 CAPs and Gaps) for the External Assessor to document its approval using the “thumbs up” button in MyCSF. Clicking the “thumbs up” button will change the requirement statement-level response status to “CAP Review Completed.” For CAPs that do not meet the review criteria, the External Assessor will disapprove, using the “thumbs down” button, which reverts the requirement statement back to the Assessed Entity. Once the External Assessor agrees with all the CAPs, they will submit the assessment to HITRUST. For additional information on CAPs, see Chapter 13.9 CAPs and Gaps.

Performing Check-In

During this phase, HITRUST performs automated Quality Assurance (QA) checks and a high-level review of the assessment, accompanying required documents, and webforms (Organization Information, Scope of the Assessment, Factors, Validated Report Agreement, Rep Letter, Test Plans, External Assessor Time Sheet, QA Checklist, and Audits and Assessments Utilized) to determine if the assessment is ready for a HITRUST QA Analyst to review.

For additional information on the check-in process and potential scenarios, see Chapter 13.10 Check-in Process.

Addressing Check-In Tasks

During this phase, if any tasks were identified during the Performing Check-In phase, the Assessed Entity and/or External Assessor must address all of them and send them back to HITRUST.

Reviewing Pending Check-In Tasks

In this phase, HITRUST reviews all tasks addressed by the Assessed Entity and External Assessor. HITRUST will close the tasks that have been resolved and, if all tasks have been resolved, accept the assessment, after which the assessment moves into the Pending Quality Assurance phase. HITRUST will send any tasks requiring additional attention back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing Check-In Tasks phase. All check-in items must be resolved by the beginning of the reserved QA block; otherwise the assessment’s QA reservation will be canceled and the Assessed Entity will be required to make a new QA reservation.

For additional information on check-in tasks, see Chapter 13.11 Addressing Check-in Tasks.

Pending Quality Assurance

In this phase, HITRUST assigns the assessment to a HITRUST QA Analyst. The HITRUST QA Analyst will begin QA during the week of the reserved QA Block.

Performing QA

In this phase, the HITRUST QA Analyst will begin QA and review the following:

  • The Pre-Assessment
  • Required Documents and Webforms
  • Risk-based sample of scored requirement statements
  • All requirement statements marked as Not Applicable (N/A)
  • Requirement statements with Measured and Managed scores
  • Overridden PQIs
  • CAP Responses

The HITRUST QA Analyst creates and enters all tasks from their review in MyCSF and the assessment moves to the Addressing QA Tasks phase.

If the QA review identifies more significant QA concerns than normal, HITRUST will notify the External Assessor and Assessed Entity that the assessment will require further internal management review within HITRUST. After the internal management review has been completed, the assessment will either continue the normal QA process or move to Escalated QA. For further details on the QA process, see Chapter 14 Undergoing QA.

Addressing QA Tasks

In this phase, the Assessed Entity and External Assessor address the tasks opened by HITRUST. If the action taken to address a task adds new required CAPs to the assessment, those CAPs must be entered by the Assessed Entity and reviewed by the External Assessor. Similarly, if an action taken to resolve a task adds additional requirement statements, those must be scored by the Assessed Entity and validated by the External Assessor. When all tasks have been returned to HITRUST and all new requirement statements and/or CAPs have been reviewed by the External Assessor, the assessment automatically enters the Reviewing Pending QA Tasks phase. For further details on the QA process, see Chapter 14 Undergoing QA.

Reviewing Pending QA Tasks

During this phase, the HITRUST QA Analyst reviews the QA Tasks addressed by the Assessed Entity and External Assessor. HITRUST will send any tasks that still require attention back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing QA Tasks phase. HITRUST will close all tasks that have been resolved. After all QA Tasks have been resolved by the Assessed Entity and/or External Assessor and closed by HITRUST, the assessment moves to the Preparing and Reviewing Deliverables phase. For further details on the QA process, see Chapter 14 Undergoing QA.

Preparing and Reviewing Deliverables

In this phase, HITRUST will prepare and review the draft reports. If any questions arise during this phase, the HITRUST QA Analyst creates additional tasks and the assessment returns to the Addressing QA Tasks phase. The HITRUST QA Analyst will upload the draft report(s) to MyCSF once the draft reports are internally reviewed by HITRUST and all follow-up questions are resolved. The assessment will then enter the Reviewing Draft Deliverables phase. For additional information on reporting, see Chapter 15 Reporting & Maintaining a HITRUST Certification.

Reviewing Draft Deliverables

In this phase, the Assessed Entity has up to 30 days to review the draft reports. After the Assessed Entity has reviewed the draft reports, it may either:

  • Approve the draft reports by clicking the “Approve HITRUST CSF Draft Report” button within the HITRUST CSF Reports section of the assessment.
  • Request revisions to the draft reports.

If the Assessed Entity neither approves the draft reports nor requests revisions within 30 days, the draft reports are automatically approved by MyCSF, and the assessment enters the Revising Draft phase.

For additional information on reporting, see Chapter 15 Reporting & Maintaining a HITRUST Certification.

Revising Draft

In this phase, the HITRUST QA Analyst reviews any requested revisions and updates the status of each request to Not Started, Completed, or Not Accepted by HITRUST. After processing any revision requests, HITRUST will return the assessment to the Reviewing Draft Deliverables phase for the Assessed Entity to either approve the revised draft reports or request additional revisions.

The HITRUST QA Analyst will also provide an explanation within the “Rationale” section if any revision request is Not Accepted.

When the assessment enters the Revising Draft phase due to the Assessed Entity approving the draft reports, the HITRUST QA Analyst builds the final reports and uploads them into MyCSF. For additional information on reporting, see Chapter 15 Reporting & Maintaining a HITRUST Certification.

Complete

When the final reports are uploaded, the assessment enters the Complete phase.

Press Kit Distribution

When an Assessed Entity receives its first certification (and upon request for additional certifications), the HITRUST Marketing team will distribute a HITRUST certification press kit within 10 business days that includes:

  • HITRUST Certification Announcement Guidelines comprised of instructions for a customized press release, logo usage, and additional media support information.
  • HITRUST Certification Press Release Template containing approved content and pre-approved quotes from a HITRUST executive. NOTE: The scope of the Assessed Entity’s HITRUST certification is required to be included in the press release.
  • Certification Logo

The HITRUST certification press release requires a final approval from HITRUST prior to publishing. The Assessed Entity must send the press release draft to PR@hitrustalliance.net for final review.

Assessment Object Archiving

The MyCSF archive process for assessment objects is initiated only if the Assessed Entity’s account has been expired for 60 days OR a user attempts to delete an object that is certified. After the archive process is initiated:

  • For all certified assessment objects, the deletion date is set to 2 years + 6 months after the final report date.
  • For all other assessment objects (e.g., readiness assessments, validated-only (i.e., non-certified) assessments, or assessments in progress) the deletion date is set to 6 months after the current date. NOTE: For non-certified assessments, the user may mark the object for deletion on the current day.