HITRUST typically raises questions and concerns with the External Assessor throughout the QA process. However, the HITRUST QA Analyst occasionally identifies a higher volume and/or severity of concerns in an assessment than is typically expected. When this occurs, the submission enters HITRUST’s Escalated QA process (EQA). An assessment only enters Escalated QA if HITRUST believes that the nature of the concerns may be pervasive enough to affect scoring across the validated assessment.
HITRUST’s EQA process is in place to:
- Determine whether the control maturity scores accurately reflect the Assessed Entity’s implementation of the HITRUST CSF
- Identify whether the External Assessor sufficiently validated the Assessed Entity’s implementation of the HITRUST CSF using its testing procedures for the scope of the assessment
- Determine that the HITRUST methodology outlined in this Assessment Handbook was followed throughout the assessment process
When concerns are noted that can impact the issuance of a report meeting HITRUST’s quality standards, HITRUST works to resolve these concerns. As a result of the additional inspection and investigation required during EQA, the expected delivery of the Assessed Entity’s report will be delayed due to the extended process outlined below.
14.4.1 In the EQA process, the External Assessor team must respond to HITRUST’s identified questions and concerns. HITRUST allows the External Assessor team multiple opportunities to describe its validation procedures and scoring rationale. The EQA process includes the following steps:
i. HITRUST communicates the identified concerns in writing to the External Assessor team.
ii. The External Assessor team provides responses in writing back to HITRUST for review.
iii. HITRUST will set up a meeting with the External Assessor to discuss HITRUST’s evaluation of the provided responses.
iv. The External Assessor will provide a second set of responses in writing back to HITRUST for review.
v. HITRUST will set up a second meeting with the External Assessor to discuss HITRUST’s final evaluation of the provided responses.
14.4.2 In EQA, the HITRUST Quality team is attempting to understand the procedures performed by the External Assessor during fieldwork to validate the assessment scoring. As a result, the External Assessor must not perform any new procedures to validate the assessment scores.
14.4.3 When providing responses to HITRUST’s questions, the External Assessor may not introduce new evidence that was not assessed during fieldwork.
14.4.4 HITRUST’s EQA process allows the External Assessor team up to two “rounds” (following the above steps) to resolve HITRUST’s questions and concerns. If HITRUST’s questions and concerns are not resolved after the first round, HITRUST notifies the Assessed Entity that its validated assessment is undergoing EQA and encourages it to work closely with the External Assessor team for the remainder of the process.
14.4.5 The External Assessor can resolve HITRUST’s questions or concerns by demonstrating that the scores are supportable. This can be achieved using a variety of methods depending on the noted concerns. Examples of resolutions for typical concerns include:
- Referencing the exact location of the evidence reviewed by the External Assessor that supports the assessment scoring.
- For policies and procedures, mapping each requirement statement’s evaluative elements to the corresponding wording in the policy or procedure where each evaluative element is addressed.
- For sampling concerns, demonstrating that the rationale and sampling approach used follow HITRUST sampling guidance.
- For non-occurrence of controls, referencing the additional procedures (beyond inquiry) that were performed to validate the non-occurrence.
- For third-party coverage, referencing the testing or reliance procedures that were performed and that address the corresponding requirement statement’s evaluative elements.
14.4.6 Potential outcomes from HITRUST’s questions and concerns may include:
- HITRUST agreeing that the score is supported by the additional information provided by the External Assessor. No change will be required to the assessment.
- HITRUST confirming with the External Assessor that the score should be lowered. This score must be lowered when the assessment is returned to the Assessed Entity.
- HITRUST agreeing with the External Assessor that a requirement should be Not Applicable, rather than scored. This change must be made when the assessment is returned to the Assessed Entity.
- HITRUST confirming with the External Assessor that a requirement should have been scored rather than marked as Not Applicable. This change should be made, and the corresponding testing performed, when the assessment is returned to the Assessed Entity.
14.4.7 The External Assessor should maintain communication with the Assessed Entity throughout the EQA process on the status and issues. While the questions are related to the procedures performed by the External Assessor, the Assessed Entity is welcome to participate in the meetings and/or it may request to be included on messages to the External Assessor throughout the process.
NOTE: HITRUST will provide regular communication to the Assessed Entity throughout the EQA process of the current assessment status.
Possible EQA Outcomes & Options
14.4.8 If HITRUST’s questions and concerns are sufficiently resolved, the assessment exits the EQA process and re-enters HITRUST’s normal QA process.
14.4.9 HITRUST determines whether the concerns were sufficiently resolved by considering whether the outcomes of HITRUST’s questions and concerns are likely to be pervasive across the validated assessment, or whether any remaining concerns are likely isolated occurrences. This determination is agreed upon by HITRUST Quality and Assurance management.
14.4.10 In cases where a determination is unclear, HITRUST may review an additional sample of requirements with the External Assessor.
14.4.11 When HITRUST agrees that the assessment may move back to the normal QA process, no additional QA will be performed. The assessment will be handed over to a HITRUST QA Analyst who will work with the External Assessor on any necessary changes resulting from the EQA process, and validate all other information needed to prepare the draft report.
14.4.12 If the External Assessor is unable to sufficiently resolve HITRUST’s questions and concerns, HITRUST will not issue a HITRUST validated assessment report or HITRUST certification. Instead, HITRUST presents the following options (detailed below) to both the External Assessor and the Assessed Entity:
i. Appeal the EQA Decision
ii. Remediate the Assessment
iii. Re-perform the Assessment
Appeal the EQA Decision
In this option, the Assessed Entity can appeal the Quality team’s evaluation of the assessment. At the Assessed Entity’s request, HITRUST will convene an appeals board consisting of HITRUST leadership team members who are familiar with the certification process but who were not involved in the QA of the validated assessment. HITRUST expectations for appealing the decision include the following:
14.4.13 The Assessed Entity may appeal if it does not agree with HITRUST’s conclusion that there were pervasive issues in the External Assessor’s testing across the validated assessment.
NOTE: HITRUST QA does not determine whether an Assessed Entity’s environment is certifiable, so an appeal should not use that as a basis. HITRUST QA is performed to determine whether the External Assessor’s testing is sufficient to support the validated assessment’s scores.
14.4.14 The Assessed Entity and/or External Assessor must prepare a written statement documenting the basis for the appeal that includes:
- The specific requirements that were sampled for QA and control maturity levels that were considered to have unresolved concerns.
- The rationale for why the Assessed Entity and/or External Assessor believes the existing documentation in the assessment supports the scoring in the assessment and/or addresses the concerns identified by HITRUST during QA.
- References to evidence mentioned during the EQA process that demonstrate how the scoring is supported.
- Any additional information that will assist the HITRUST appeals board with making its determination.
14.4.15 When an Assessed Entity selects the ‘Appeal’ option, the Assessed Entity will submit its documentation to the VP of Quality, who will provide all documentation to the HITRUST Appeals Board. The Appeals Board will provide its response back to the Assessed Entity via email within 30 days of submission.
If the appeal is successful, the assessment will move back to normal QA processing. The date of the report and/or certification which may result from this assessment will still be the original Management Representation Letter date.
If the appeal is unsuccessful, the Assessed Entity will be required to select one of the remaining two options outlined below.
Remediate the Assessment
In this option, the Assessed Entity will lower the maturity scoring within the necessary requirement statements to scores reflecting the testing performed during the assessment, or will add documentation from the fieldwork period supporting each requirement statement’s score.
14.4.16 The Assessed Entity will remediate the assessment by lowering scores to supportable levels and/or adding “historical” documentation from the fieldwork period that supports the Assessed Entity’s scores.
14.4.17 Lowering scores to supportable levels – In this remediation technique:
- The scores across the entire assessment must be reviewed to determine whether they should be lowered, not just the requirements sampled during EQA.
- The assessment’s control maturity scores can be lowered to those that the External Assessor believes are supportable by the existing, previously collected assessment documentation (e.g., screenshots, policies, access listings) linked to each requirement at the time the assessment was submitted to HITRUST.
- Lowering requirement maturity scoring has drawbacks, including that (i) several CAPs will likely result, and (ii) certification may not be possible if the control maturity scores are lowered past a certain point.
14.4.18 Adding “Historical” Documentation – In this remediation technique:
- The External Assessor may retain requirement maturity scoring by bolstering the assessment’s documentation across the entire assessment.
- “Historical” assessment documentation, which reflects the environment during the time of the previously performed validated assessment up to the Management Representation Letter date, can be used to provide better support for the existing requirement maturity scores.
- This “historical” assessment documentation must depict the control environment during the time of the validated assessment. Examples include previous copies of written policies and procedures, help desk tickets created within the period, populations spanning the period, point-in-time screenshots paired with change logs spanning the period, etc.
- All newly collected historical evidence must be collected in accordance with the requirements outlined in Chapter 11 Testing & Evidence Requirements.
- Upon re-submission, the Assessed Entity and/or External Assessor must notify HITRUST of the requirement statements where evidence was added to bolster the scoring.
14.4.19 When using the option to remediate the assessment, the date of the report and/or certification will retain the original Management Representation Letter date.
The Assessed Entity may choose this option if it and the External Assessor agree that (i) the scores in the assessment accurately depict the environment’s control maturity, (ii) newly collected supporting evidence will increase the likelihood of a successful QA outcome, and (iii) newly collected supporting evidence can be demonstrated as being reflective of the control environment as it was during the assessment fieldwork period.
Re-perform the Assessment
In this option, the Assessed Entity will fully re-perform the validated assessment. Brand new assessment documentation (e.g., freshly collected screenshots, updated policies, current access lists) reflective of the current environment can be used to provide better support for the control maturity scores. This option should be chosen if the External Assessor thinks (i) the scores in the assessment accurately depict the environment’s control maturity, and (ii) newly collected supporting evidence will increase the likelihood of a successful QA outcome. If this option is chosen:
14.4.20 The External Assessor must:
- Test and document all newly collected evidence in accordance with the requirements outlined in Chapter 11 Testing & Evidence Requirements,
- Ensure all supporting evidence in the revised submission, not just the evidence associated with the requirements selected for QA, is no older than 90 days, and
- Agree with (i.e., “thumbs-up”) the control maturity scores reflected in MyCSF.
14.4.21 The date of the report and/or certification which may result from this revised assessment object will not be the original Management Representation Letter date; instead, a new representation letter will need to be signed and dated after the end of the new fieldwork period.
Assessment Re-submission
If either the “Remediate the Assessment” or “Re-perform the Assessment” option is selected, HITRUST will re-perform QA on a new sample of requirements after assessment remediation is completed and the assessment has been re-submitted to HITRUST.
If the Assessed Entity chooses to move forward on any of the assessment options other than Appeal:
- HITRUST will revert the assessment object so it can be amended.
- The Assessed Entity is free to continue to use its current External Assessor, or the Assessed Entity may engage a new HITRUST External Assessor of the Assessed Entity’s choosing.
- After the desired changes are made within the assessment object, and the External Assessor has completed its validation procedures, HITRUST will again perform a QA review. If significant QA concerns again arise, the assessment will enter the EQA process a second (and final) time.
- HITRUST cannot guarantee that remediation performed against the assessment object will result in a favorable outcome. If the re-submission moves into EQA and HITRUST’s concerns are unable to be resolved during the second EQA process, HITRUST will not return the assessment back to the Assessed Entity. Instead, the Assessed Entity may appeal (if not previously appealed after the first EQA outcome) or agree to declare the assessment as a “Failed QA”.
After a “Failed QA”, HITRUST will provide a “Failed QA” letter to the Assessed Entity and close the assessment object without issuing a report. To obtain a HITRUST certification, the Assessed Entity will need to perform a new validated assessment effort using a new object in MyCSF with new supporting evidence.