Listen to: "HITRUST CSF 90-Day Rules: Maturation and Assessment Period Review"
Gaining HITRUST CSF Certification is vital for a healthcare organization or a vendor working with a healthcare-related agency to show that they are compliant with keeping health information secure and private on systems and exchanges. Hospitals, health plans, and medical practices will accept this certification as they will not have to perform an audit on the vendor. Yet recent rule changes brought into effect have caused hurdles with businesses obtaining this certification.
On April 1, 2019, HITRUST introduced changes that impacted a CSF External Assessor firm’s testing period. The rules also addressed the testing period for health information systems, exchanges, controls, and policies. These changes were placed into the HITRUST CSF Assessor Quality Checklist. Learning these rules and putting into place best practices can help an organization be prepared when obtaining a validated assessment while maintaining quality and consistency with their HITRUST CSF engagement.
90-Day Maturation Rule of Tested Items
The 90-day maturation rule change will have an impact on when procedures, policies, and controls must be approved and/or implemented before the third-party assessment testing. The rule is, “All items tested had been approved and/or implemented for 90 days before being tested.”
This rule means that all items that will undergo testing, such as controls, procedures, and policies, must be put into place 90 days before the third-party assessment testing. The practicality of this rule is to ensure that enough time has been given so that the items have been in full effect and are operating as desired. So, the assessor can gain a complete and accurate picture of the operating controls and procedures within the healthcare system and exchange environment to provide an accurate score.
This aspect of the checklist may prove to be the most difficult for organizations and self-assessors as they have to determine which items fall into the rule change. Will software patches or change management processes performed during the 90-day maturation period impact when testing can be performed? What if a policy was modified in the last 30 days?
What organizations have to keep in mind is that the rule applies to all items that are not considered normal, everyday management of the health information system environment. So, if the organization plans to update their firewall rules, this procedure will not impact the 90-day maturation period. However, adding a new security procedure to the controls would be included in the maturation rule, as this procedure has to be approved and implemented for the assessor to determine the operation’s effectiveness in the system environment.
90-Day Assessment Window Rule
The 90-day assessment window on the Quality Assurance Checklist involves when the assessment has to be completed. The rule states, “All testing was performed within 90 days of the submission date.” This rule simply means that when testing begins, it must be concluded, and the assessment submitted to HITRUST within 90 days. It provides enough time for all the controls, procedures, and policies to be assessed for their operational effectiveness and scored based on the HITRUST CSF rubrics without having it be prolonged due to the implementation of controls or procedures during that time frame. This rule is in place to prevent outdated testing from being submitted to HITRUST. Without this rule, an assessor could perform a test in 2019 and submit it in 2020, by which time the assessed environment could have drastically shifted.
Best Practices When Tackling the 90-Day Maturation and Assessment Rules
An organization will know months in advance about when a CSF Validated Assessment will take place for them to receive their HITRUST CSF Certification. During this period, the organization should establish deadlines on when any planned changes to the environment need to be approved and implemented. Any policies, controls, or procedures that are not in place before the 90 days should be held off until after the current assessment . Organization can still make changes to their environment during this time. They simply cannot use those new policies as evidence to support the scoring of controls. Then they will be put into place during the remediation period so that the items are included in a later assessment. Another option is for the organization to implement the controls and policies immediately as the assessment is held off for the required 90 days.
In addition, self-assessments and bridge assessments are also recommended before the validation phase. A self-assessment will ensure that all items undergoing testing will adhere to the new CSF version requirements. For organizations who have received a prior CSF assessment, a bridge assessment is recommended to determine if there are any procedure or policy documentation gaps. The bridge assessment can help discover additional controls that need to be scored or uncover any documentation issues and offer the organization guidance when implementing the new requirements.
Review the Dictionary of HITRUST Terminology put together by I.S. Partners.
Guidance for HITRUST CSF Self-Assessments and Validated Assessments
Getting your HITRUST CSF Certification can be a confusing process for new businesses who are getting certified for the first time as well as veteran organizations trying to keep up with the new assessment validation rules. Having trusted HITRUST CSF Specialists and qualified assessors from I.S. Partners can help you get through the entire process. For more information on HITRUST CSF and how this platform can work for your organization, call us at 215-675-1400 or request a quote today.