HITRUST expects all Assessed Entities and External Assessors to meet the criteria described within this Assessment Handbook. Assessed Entities and External Assessors may contact their HITRUST CSM or HITRUST Support (support@hitrustalliance.net) with questions on the criteria.
15.10.1 If criteria are not met that impact the scoring and/or certification results in an assessment, the Assessed Entity and/or External Assessor must make any corrections requested by HITRUST.
15.10.2 If criteria are not met that may mislead the reader of a HITRUST report to reach inaccurate conclusions, the Assessed Entity and/or External Assessor must make any corrections requested by HITRUST.
15.10.3 If an External Assessor does not meet the HITRUST assessment or testing criteria defined in this Assessment Handbook, HITRUST may request or perform one or more of the following actions based on the nature, quantity, and severity of the infractions:
- Remediation of the non-compliant assessment
- Rejection of the non-compliant assessment
- Written warnings of non-compliance
- Non-compliance meetings between HITRUST and External Assessor firm’s leadership
- External Assessor firm corrective action plans
- Tracking and reporting of non-compliance in External Assessor performance reports
15.10.4 If an Assessed Entity or External Assessor has questions on the Assessment Handbook content or believes it is unable to meet certain criteria it may contact their CSM or HITRUST Support (support@hitrustalliance.net) for additional guidance.
15.10.5 Requests for exceptions to criteria within this Assessment Handbook must be sent to HITRUST Support (support@hitrustalliance.net). Any request for an exception to criteria in this handbook must include:
- Criterion number for which the exception is being requested
- Rationale for the exception
- Where possible, description of an alternative approach or mitigating factors which may address risks of not adhering to the HITRUST criterion
15.10.6 At HITRUST’s discretion, it may provide alternatives to achieving the defined criteria in this Assessment Handbook. Any alternative solutions approved by HITRUST are granted on a one-time basis.