Organizations are required to perform an r2, i1, or e1 validated assessment to obtain a HITRUST certification. HITRUST validated assessments can be leveraged by organizations of any size or complexity and include testing performed by an authorized HITRUST External Assessor.
For an r2 validated assessment, the Assessed Entity begins by completing the risk-based scoping questionnaire in the MyCSF tool. Upon completion of the scoping questionnaire, a customized set of HITRUST CSF control references and requirement statements is generated.
For an i1 or e1 validated assessment, the requirement statements are pre-defined; the organization may optionally add authoritative sources to perform a combined assessment of those authoritative sources alongside the i1 or e1 requirement statements.
For the r2, i1, and e1 validated assessments, the Assessed Entity, or its designee, responds to the requirement statements and determines the level of compliance for each of the five control maturity levels for the r2 and the Implemented maturity level for the i1 or e1 (see Chapter 9 Control Maturity Levels for additional information). Once the Assessed Entity, or its designee, has determined and entered compliance scores for each control maturity level across all requirement statements, it submits the populated MyCSF object to its External Assessor for validation.
The External Assessor will validate the scores using its testing procedures, which it documents within MyCSF (see Chapter 11 Testing and Evidence Requirements for additional details). Upon completion of the External Assessor validation procedures and any necessary score adjustments, the Assessed Entity will sign the Management Representation Letter and Validated Report Agreement, and provide any necessary Corrective Action Plans (CAPs). The External Assessor will validate the CAPs (see criteria 13.9.7 in Chapter 13.9 CAPS and Gaps) and submit the assessment to HITRUST.
After the validated assessment is submitted, HITRUST will perform Quality Assurance (QA) procedures (during the Assessed Entity's reservation block) to validate the submission. If questions arise during QA, HITRUST will coordinate directly with the Assessed Entity and/or External Assessor to address them. After successful completion of QA, the Assessed Entity will receive draft reports for review (see Chapter 14 Undergoing Quality Assurance for additional details).
Upon successful completion of the validated assessment and meeting the scoring threshold for certification, Assessed Entities will receive their HITRUST certification reports along with any add-on certification reports. Additionally, after all other reports are finalized, if any Compliance Factors eligible for an Insights Report were included within an r2 assessment, the Assessed Entity may optionally request an Insights Report which details the organization’s coverage and conformity with the associated authoritative source. For the i1 and e1, if a combined assessment was performed, the Assessed Entity will receive Insights Report(s) corresponding to each authoritative source which was assessed.
For any validated assessment, if the scoring thresholds for certification were not met, the Assessed Entity will receive a 'validated-only' report, which does not include a certification letter. For additional information on the HITRUST reports issued for each assessment type, see Chapter 15.1 HITRUST Reporting.