The assessment workflow for HITRUST e1 and i1 validated assessments comprises 24 workflow phases. The following diagram displays the workflow phases, including the primary owner of each phase. The phases are performed sequentially, although several of them return the assessment to an earlier phase until the open items are resolved. Each phase owner should allot enough time to perform the responsibilities specified for that phase so that the assessment is completed in a timely manner. A brief description of each phase follows.

Answering Pre-Assessment

When an Assessed Entity creates a new assessment object, it begins the assessment process by entering key preliminary information. Once these fields are complete, MyCSF can generate the assessment.

The Assessed Entity or the External Assessor must complete each of the following pre-assessment webforms within MyCSF:

  • Name & Security
  • Organization Information
  • Assessment Options
  • Scope of the Assessment
  • Default Scoring Profile
  • Factors

If the Assessed Entity would like to perform a combined assessment of an authoritative source within an i1 or e1, the Compliance factor for the authoritative source must be selected on the Factors page.

For additional information on the pre-assessment, see Chapter 6 Pre-Assessment.

Answering Assessment

The Assessed Entity or External Assessor must accurately respond to each requirement statement in the assessment based upon the Implemented level of the control maturity model. For additional information on the control maturity levels, see Chapter 9 Control Maturity Levels.

The Assessed Entity and External Assessor will use the HITRUST Control Maturity Scoring Rubric to determine scores for each control maturity level across the assessment. When a requirement statement is marked “not applicable”, the Assessed Entity must include commentary within the ‘Subscriber Comment’ field in MyCSF explaining why the requirement statement is not applicable to the scope of the assessment. This commentary will appear in the assessment report. For additional information on requirement statements and scoring, see Chapter 8 Requirement Statements and Chapter 10 HITRUST Scoring Rubric.

The Assessed Entity must resolve all triggered potential quality issues (PQIs), either by following the recommendations to address the issue or by choosing to override/accept the issue (with an explanation). All overridden/accepted PQIs are subject to HITRUST QA review (see Chapter 13.4 Automated Quality Checks for additional information on PQIs). During this phase, the Assessed Entity is advised, but not required, to book its QA Reservation and begin completing the Validated Report Agreement webform.

Performing Validation

In this phase, the External Assessor validates the information entered during the Answering Assessment phase. First, the External Assessor must review and approve the content of each pre-assessment section before being allowed to link documentation or agree to requirement statement scoring within the assessment. The External Assessor must then review requirement statement scoring, link relevant documentation, and address any PQIs that have been triggered. The External Assessor is required to complete the Test Plan, the Audits and Assessments Utilized page, the External Assessor Time Sheet, and the QA Checklist. The QA Checklist should be used throughout this process to ensure all the necessary activities are properly completed. The External Assessor should remind the Assessed Entity to complete the Validated Report Agreement and the Management Representation Letter (“Rep Letter”) during the upcoming phases.

For guidance on External Assessor expectations, see Chapter 13 Assessment Submission Process.

Pre-QA Assessment Results Review

In this phase, the Assessed Entity and External Assessor review and approve the pre-QA assessment results page. The pre-QA assessment results are a point-in-time indication of the assessment’s results and are subject to change based on the HITRUST QA review of the assessment. The pre-QA assessment results do not guarantee that the assessment will pass QA and result in report issuance (see Chapter 14.4 Escalated QA).

The Pre-QA Assessment Results page includes:

  • For the i1 or e1 core requirement statements:
    • The average score for each Assessment Domain (considering only the i1 or e1 core requirement statements) and an indication of whether CSF certification can be achieved based on the domain scores.
    • Listing of Requirement Statements that will be identified as CAPs and gaps in the i1 or e1 HITRUST CSF Report.
  • In combined i1 or e1 assessments, for each Compliance factor:
    • Listing of Requirement Statements that will be identified as control observations in the associated Insights Report.

The Assessed Entity and External Assessor must both review and approve or reject the pre-QA assessment results. If either party rejects the results, the assessment will automatically return to the Performing Validation phase. If both parties approve the results, the assessment will automatically move to the Inputting CAPs and Signing Rep Letter phase.

Inputting CAPs and Signing Rep Letter

In this phase, the Assessed Entity must complete the Validated Report Agreement and Rep Letter. Any requirement statements requiring CAPs will be identified in MyCSF, and the Assessed Entity must enter the required CAPs. For additional information on CAPs, see Chapter 13.9 CAPs and Gaps.

Reviewing CAPs

In this phase, the External Assessor must review the linked CAPs. The Assessed Entity can also demonstrate progress against the CAPs. All CAPs must include the information defined in criteria 13.9.4 (see Chapter 13.9 CAPs and Gaps) for the External Assessor to document its approval using the “thumbs up” button in MyCSF. Clicking the “thumbs up” button will change the requirement statement-level response status to “CAP Review Completed.” For CAPs that do not meet the review criteria, the External Assessor will disapprove, using the “thumbs down” button, which reverts the requirement statement back to the Assessed Entity. Once the External Assessor agrees with all the CAPs, they will submit the assessment to HITRUST. For additional information on CAPs, see Chapter 13.9 CAPs and Gaps.

Performing Check-In

During this phase, HITRUST performs automated Quality Assurance (QA) checks and a high-level review of the assessment, accompanying required documents, and webforms (Organization Information, Scope of the Assessment, Factors, Validated Report Agreement, Rep Letter, Test Plans, External Assessor Time Sheet, QA Checklist, and Audits and Assessments Utilized) to determine if the assessment is ready for a HITRUST QA Analyst to review.

For additional information on the check-in process and potential scenarios, see Chapter 13.10 Check-in Process.

Addressing Check-In Tasks

During this phase, the Assessed Entity and/or External Assessor must address any tasks identified during the Performing Check-In phase and send them back to HITRUST.

Reviewing Pending Check-In Tasks

In this phase, HITRUST reviews all tasks addressed by the Assessed Entity and External Assessor. HITRUST will close the tasks that have been resolved and, if all tasks have been resolved, accept the assessment after which the assessment moves into the Pending Quality Assurance phase. HITRUST will send any tasks requiring additional attention back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing Check-In Tasks phase. All check-in items must be resolved by the beginning of the reserved QA block or the assessment’s QA reservation will be canceled and the Assessed Entity will be required to make a new QA reservation.

For additional information on check-in tasks, see Chapter 13.11 Addressing Check-in Tasks.

Pending Quality Assurance

In this phase, HITRUST assigns the assessment to a HITRUST QA Analyst. The HITRUST QA Analyst will begin QA during the week of the reserved QA Block.

Performing QA

In this phase, the HITRUST QA Analyst will begin QA and review the following:

  • The Pre-Assessment
  • Required Documents and Webforms
  • Risk-based samples of scored requirement statements selected from the i1 or e1 core requirement statements and each Compliance factor, if a combined assessment was performed
  • All requirement statements marked as Not Applicable (N/A)
  • Overridden PQIs
  • CAP Responses

The HITRUST QA Analyst creates and enters all tasks from their review in MyCSF and the assessment moves to the Addressing QA Tasks phase.

If the QA review identifies higher volume and/or severity of concerns in an assessment than is typically expected, HITRUST will notify the External Assessor and Assessed Entity that the assessment will require further internal management review within HITRUST. After the internal management review has been completed, the assessment will either continue the normal QA process or move to Escalated QA. For further details on the QA process, see Chapter 14 Undergoing QA.

Addressing QA Tasks

In this phase, the Assessed Entity and External Assessor address the tasks opened by HITRUST. If the action taken to address a task adds new required CAPs to the assessment, those CAPs must be entered by the Assessed Entity and reviewed by the External Assessor. Similarly, if an action taken to resolve a task adds requirement statements to the assessment, those requirement statements must be scored by the Assessed Entity and validated by the External Assessor. When all tasks have been returned to HITRUST and all new requirement statements and/or CAPs have been reviewed by the External Assessor, the assessment automatically enters the Reviewing Pending QA Tasks phase. For further details on the QA process, see Chapter 14 Undergoing QA.

Reviewing Pending QA Tasks

During this phase, the HITRUST QA Analyst reviews the QA Tasks addressed by the Assessed Entity and External Assessor. HITRUST will send any tasks that still require attention back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing QA Tasks phase. HITRUST will close all tasks that have been resolved. After all QA Tasks have been resolved by the Assessed Entity and/or External Assessor and closed by HITRUST, the assessment moves to the Preparing and Reviewing Deliverables phase. For further details on the QA process, see Chapter 14 Undergoing QA.

Preparing and Reviewing Deliverables

In this phase, HITRUST will prepare and review the HITRUST CSF i1 or e1 draft reports. If any questions arise during this phase, the HITRUST QA Analyst creates additional tasks and the assessment returns to the Addressing QA Tasks phase. The HITRUST QA Analyst will upload the draft report(s) to MyCSF once the draft reports are internally reviewed by HITRUST and all follow-up questions are resolved. The assessment will then enter the Reviewing HITRUST CSF Draft Deliverables phase. For additional information on reporting, see Chapter 15 Reporting & Maintaining a HITRUST Certification.

Reviewing HITRUST CSF Draft Deliverables

In this phase, the Assessed Entity has up to 30 days to review the HITRUST CSF i1 or e1 draft reports. After the Assessed Entity has reviewed the draft reports, it may either:

  • Approve the draft reports by clicking the “Approve HITRUST CSF Draft Report” button within the HITRUST CSF Reports section of the assessment.
  • Request revisions to the draft reports.

If the Assessed Entity neither approves the draft reports nor requests revisions within 30 days, the draft reports are automatically approved by MyCSF. In each case (approval, revision request, or automatic approval), the assessment then enters the Revising HITRUST CSF Draft phase.

For additional information on reporting, see Chapter 15 Reporting & Maintaining a HITRUST Certification.

Revising HITRUST CSF Draft

In this phase, the HITRUST QA Analyst reviews any requested revisions. If updates within MyCSF are needed to address a revision request, the HITRUST QA Analyst will open a task and the assessment will enter the Addressing HITRUST CSF Reporting Tasks phase. If updates are not needed within MyCSF, the HITRUST QA Analyst updates the status of each request to Completed or Not Accepted by HITRUST. After processing any revision requests and issuing revised draft reports, HITRUST returns the assessment to the Reviewing HITRUST CSF Draft Deliverables phase for the Assessed Entity to either approve the revised draft reports or request additional revisions.

The HITRUST QA Analyst will also provide an explanation within the “Rationale” section if any revision request is Not Accepted.

When the assessment enters the Revising HITRUST CSF Draft phase because the Assessed Entity approved the HITRUST CSF draft reports, the HITRUST QA Analyst builds the final HITRUST CSF reports and uploads them into MyCSF. If no Compliance factors were included within the assessment, the assessment then enters the Complete phase. If a combined assessment with Compliance factors was performed, the assessment enters the Preparing Additional Report Drafts phase.

For additional information on reporting, see Chapter 15 Reporting & Maintaining a HITRUST Certification.

Addressing HITRUST CSF Reporting Tasks

In this phase, the Assessed Entity and External Assessor address the tasks opened by HITRUST. When all tasks have been returned to HITRUST, the assessment automatically enters the Reviewing Pending HITRUST CSF Reporting Tasks phase.

Reviewing Pending HITRUST CSF Reporting Tasks

During this phase, the HITRUST QA Analyst reviews the HITRUST CSF Reporting Tasks addressed by the Assessed Entity and External Assessor. HITRUST will send any tasks that still require attention back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing HITRUST CSF Reporting Tasks phase. HITRUST will close all tasks that have been resolved.

After all tasks have been resolved by the Assessed Entity and/or External Assessor and closed by HITRUST, the QA Analyst updates the status of each request to Not Started, Completed, or Not Accepted by HITRUST. After processing any revision requests and issuing revised draft reports, HITRUST returns the assessment to the Reviewing HITRUST CSF Draft Deliverables phase for the Assessed Entity to either approve the revised draft reports or request additional revisions.

Preparing Additional Report Drafts

In this phase, HITRUST prepares the draft Insights Report(s). When the draft Insights Reports are uploaded to MyCSF, the assessment enters the Reviewing Additional Report Drafts phase.

Reviewing Additional Report Drafts

In this phase, the Assessed Entity has up to 30 days to review the draft Insights Reports. After the Assessed Entity has reviewed the draft reports, it may either:

  • Approve the draft reports by clicking the “Approve Draft Report” button within the HITRUST CSF Reports section of the assessment.
  • Request revisions to the draft reports.

If the Assessed Entity neither approves the draft reports nor requests revisions within 30 days, the draft reports are automatically approved by MyCSF. In each case (approval, revision request, or automatic approval), the assessment then enters the Revising Additional Report Drafts phase.

Revising Additional Report Drafts

In this phase, the HITRUST QA Analyst reviews any requested revisions. If updates within MyCSF are needed to address a revision request, the HITRUST QA Analyst will open a task and the assessment will enter the Addressing Additional Reporting Tasks phase. If updates are not needed within MyCSF, the HITRUST QA Analyst updates the status of each request to Completed or Not Accepted by HITRUST. After processing any revision requests and issuing revised draft reports, HITRUST returns the assessment to the Reviewing Additional Report Drafts phase for the Assessed Entity to either approve the revised draft reports or request additional revisions.

The HITRUST QA Analyst will also provide an explanation within the “Rationale” section if any revision request is Not Accepted.

When the assessment enters the Revising Additional Report Drafts phase because the Assessed Entity approved the draft reports, the final Insights Reports are automatically uploaded into MyCSF and the assessment enters the Complete phase.

Addressing Additional Reporting Tasks

In this phase, the Assessed Entity and External Assessor address the tasks opened by HITRUST. When all tasks have been returned to HITRUST, the assessment automatically enters the Reviewing Pending Additional Reporting Tasks phase.

Reviewing Pending Additional Reporting Tasks

During this phase, the HITRUST QA Analyst reviews the Additional Reporting Tasks addressed by the Assessed Entity and External Assessor. HITRUST will send any tasks that still require attention back to the External Assessor with additional comments or instructions. If a task is assigned to the External Assessor or Assessed Entity during this phase, the assessment automatically returns to the Addressing Additional Reporting Tasks phase. HITRUST will close all tasks that have been resolved.

After all tasks have been resolved by the Assessed Entity and/or External Assessor and closed by HITRUST, the QA Analyst updates the status of each request to Completed or Not Accepted by HITRUST. After processing any revision requests and issuing revised draft reports, HITRUST returns the assessment to the Reviewing Additional Report Drafts phase for the Assessed Entity to either approve the revised draft reports or request additional revisions.

Complete

When all final reports are uploaded, the assessment enters the Complete phase.

Press Kit Distribution

When an Assessed Entity receives its first certification (and, upon request, for additional certifications), the HITRUST Marketing team will distribute a HITRUST certification press kit within 10 business days. The press kit includes:

  • HITRUST Certification Announcement Guidelines, consisting of instructions for a customized press release, logo usage, and additional media support information.
  • HITRUST Certification Press Release Template containing approved content and pre-approved quotes from a HITRUST executive. NOTE: The scope of the Assessed Entity’s HITRUST certification must be included in the press release.
  • Certification Logo

The HITRUST certification press release requires a final approval from HITRUST prior to publishing. The Assessed Entity must send the press release draft to PR@hitrustalliance.net for final review.

Assessment Object Archiving

The MyCSF archive process for assessment objects is initiated only if the Assessed Entity’s account has been expired for 60 days or a user attempts to delete an object that is certified. After the archive process is initiated:

  • For all certified assessment objects, the deletion date is set to 2 years and 6 months after the final report date.
  • For all other assessment objects (e.g., readiness assessments, validated-only (i.e., non-certified) assessments, or assessments in progress), the deletion date is set to 6 months after the current date. NOTE: For non-certified assessments, the user may mark the object for deletion on the current day.