Common misconceptions from a HITRUST Authorized External Assessor

Your organization may be interested in HITRUST CSF Certification, but chances are you’ve probably heard different things about this security and privacy framework, who it’s meant for and what it involves. As a HITRUST Authorized External Assessor, we can help clear up some of these myths and misconceptions. 

Here are nine common misconceptions:

1. HITRUST® is meant for only healthcare business associates.

False. The HITRUST CSF® framework can be applied to multiple industries, and in healthcare it can be used by both business associates and covered entities. 

Some background: Originally, HITRUST designed its framework for all of healthcare — without differentiating between business associates or covered entities. But then payors started mandating that their business associates needed to be HITRUST certified. So, for a while, the focus was on business associates. 

More recently, HITRUST has expanded the scope of the HITRUST CSF to include other industries. It used to be when you created an assessment it automatically included HIPAA. Now HIPAA has been made  a separate regulatory requirement. Going forward, the tool will include more industry regulatory and statutory factors that are not healthcare-specific.

2. All systems containing protected health information (PHI) must be included in the HITRUST CSF Validated Assessment to become certified.

False. At the outset of an assessment, we work with clients to define the scope of what is to be certified. HITRUST advises not attempt to certify an entire organization. While this can be an end goal, to try and certify an entire organization and all of its systems and facilities would require an extreme amount of dedicated resources, not to mention it’s expensive due to the amount of time it would take an External Assessor firm to test all the controls during a validated assessment.  

Keep the scope relatively small. If this is your first time, focus on your most critical system. For most healthcare organizations, that’s their electronic medical record, or for small practices, that would be the practice management system. If you’re a business working with a payor, focus on whatever service the payor is contracting you to provide or perform.

You’re not certifying an organization; you’re certifying a defined environment. 

3. Process and procedure mean the same thing.

False. Procedures define how a policy will be implemented. Process is the actual workflow that happens to execute those procedures. To put it another way, policies and procedures are rules on paper. But process is how those rules actually get carried out. 

For example: 

• Your policy says that only authorized users will have access to PHI. 
• Your procedure says that you will go through an onboarding/offboarding process and include a process for handling access due to changes in responsibilities.
• The process is how that actually works. For example, what triggers an offboarding notice? What notifications, approvals and verifications are in place to make sure authorizations are removed in a timely manner?  

I tell clients to think of it visually. Processes can typically be captured in a workflow diagram.

4. Organizations need to be at 100% maturity for Policy, Process, and Implementation to become HITRUST certified. 

False. Organizations don’t have to be perfect to get certified. You can get certified with a minimum maturity score of 3 in each domain. Depending on your situation, you may get certified with a corrective action plan in place. 

HITRUST control requirement statements are scored based on five levels of maturity:

• Policy
• Process
• Implemented
• Measured
• Managed

HITRUST understands that gathering metrics and managing those metrics is a challenging component. Organizations can achieve certification without reaching that fully mature cycle of continuous improvement. While the goal should be to obtain 100% maturity under Policy, Process, and Implementation, for every requirement, that is not always possible. The goal should always be to obtain at least a 3 maturity score for each of the 19 domains.

5. It’s okay to develop and implement policies, procedures and processes right up to the start of the validated HITRUST assessment.

False. Before your External Assessor can start an audit, your policies and procedures must be formally documented, approved and in place for 90 days. This includes ensuring your workforce is aware of these policies and procedures and have acknowledged receipt and understanding. Additionally, the controls required by policy and process must have been implemented for 90 days. 

HITRUST does not consider policies, procedures, and implementations to be fully mature and testable unless they’ve been in place for at least 90 days prior to the start of the validated assessment. 

6. HITRUST is designed for only those organizations that handle PHI.

False. HITRUST is expanding beyond the healthcare industry, so the framework can be applied to other kinds of covered (i.e., sensitive/confidential) information (e.g., not public, non-public information).

Many organizations are now utilizing HITRUST’s products and services to manage their information security and privacy programs, regardless of whether their organization handles PHI. A financial services organization, for example, could apply the HITRUST CSF to their environment that manages client financial information.

7. External Assessors determine an organization’s score.

False. It’s common for organizations going through their first assessment to think that the External Assessor determines their maturity scores for each of the five maturity levels (Policy, Process, Implementation, Measured, and Managed). In actuality, organizations need to grade themselves on the following:

1. They have a current policy that specifically speaks to the requirement
2. They have a current procedure and defined process that details how the policy will be implemented
3. They can show that the policy/procedure/process has been implemented and is functioning as expected for a minimum of 90 days

The External Assessor then validates the requirements against the HITRUST CSF using defined scoring criteria. Organizations need to be brutally honest with themselves when doing their readiness assessment so they can avoid maturity level scores being downgraded, possibly jeopardizing their certification. HITRUST has made available all assessment scoring guidelines and criteria; organizations are encouraged to utilize available resources when self-evaluating, such as the whitepaper, Evaluating Control Maturity Using the HITRUST Approach, and the scoring rubrics.

8. HITRUST certification means the entire organization is certified.

False. Certification only covers the systems and facilities you choose to assess. See #2 above.

9. We have until re-certification to complete our corrective action plan.

False. Organizations can get certified with a corrective action plan in place. However, the expectation is that organizations will remediate the corrective actions in a progressive, planned manner. 

At your one-year interim assessment, your External Assessor will be looking to see if you’ve made sufficient progress on your corrective actions. If not, they’ll be expecting a logical business reason why plans haven’t been resolved. 

Wipfli: Experienced HITRUST External Assessors

Wipfli was one of the first HITRUST Authorized External Assessors in the country. Whether you are seeking HITRUST certification or want to use the HITRUST CSF as an internal governance tool, Wipfli’s risk advisory services team can help. 

If you are ready to start an assessment, or you would like to learn more about how Wipfli can help you manage risk and compliance, contact us.