Overview of the HITRUST Quality Assurance Review Process

The HITRUST® Quality Assurance Review is the fourth phase of the journey towards certification. During this phase, the HITRUST Assurance and Compliance teams will both check the validated assessment and determine whether the organization has met the requirements to achieve certification.

In this in-depth series of articles about the process to achieve HITRUST CSF Certification, we aim to provide a clear understanding of the five phases involved:

1. Readiness Assessment
2. Remediation
3. Validated Assessment
4. HITRUST Quality Assurance Review
5. HITRUST CSF Certification

This article focuses on the quality assurance review phase.

Importance of the HITRUST Quality Assurance Review

The HITRUST Quality Assurance Review provides an added layer of reliability to entities that rely on the assurances provided by an organization undergoing an assessment. When a validated assessment is completed and submitted for review, a range of testing strategies is utilized to ensure that security controls are in fact implement and operating effectively. Then, a final HITRUST CSF Validated Assessment Report is issued, whether with or without certification.

HITRUST Quality Assurance Procedures

1. Pre-submission Quality Assurance Review

Before submitting the validated assessment to HITRUST, two key Certified HITRUST Quality Professionals (CHQPs) appointed by the authorized external assessor must carry out a quality assurance review of the documentation. For this pre-submission QA process, the Engagement Executive and the External Assessors QA reviewer follow the HITRUST External Assessor Quality Checklist which helps ensure that proper methodology was used throughout the assessment.

Here are some examples of what is included in the initial HITRUST QA checklist:

• All required documents are included,
• Validation procedures listed in the test plan are appropriate for the requirement statements,
• Sampling details are documented,
• External Assessor comments support the scoring levels,
• Working papers support the scoring levels,
• The timesheet in the MyCSF® platform shows the hours worked by the External Assessor team,
• If the 90-Day Assessment Window Rule has been respected.

Role of the Engagement Executive

Prior to submission of the validated assessment, the Engagement Executive is responsible for compiling the engagement hours and economics. This figure also reviews the test results to make sure that engagement results accurately reflect the work carried out.

Role of the HITRUST Quality Assurance Reviewer

The HITRUST Quality Assurance reviewer is a CHQP who works for the External Assessor and who has not been involved in the assessment procedures. This independent reviewer provides assurance related to the engagement quality and execution. This figure is responsible for reviewing the engagement documents and the working papers from the validated assessment. He or she also checks that the efforts laid out in the test plan have been carried out and implemented thoroughly.

2. Submission to HITRUST

At the end of the validated assessment phase, the External Assessor will provide the results from interviews, examination and testing, as well as the working papers to HITRUST. This documentation will be submitted through the MyCSF portal for the quality assurance check.

Watch this video from HITRUST to learn more about how the MyCSF portal helps organizations manage, assess, and report upon their information risk management and compliance programs.

3. Assessment Scoring by the HITRUST QA Reviewer

The HITRUST’s PRISMA-based Maturity Model is used to score each security control within the scope of assessment. The average total score of controls within each domain is then compared to HITRUST’s final scoring ranges to get a maturity level rating.

Each level of the maturity model builds on the previous cycle to ensure continuous improvement. The five levels include:

1. Policy,
2. Process/Procedure,
3. Implemented,
4. Measured,
5. Managed.

By quantifying the maturity levels (i.e. policy is equivalent to a score of 1 and managed gets a score of 5) the overall score for the validated assessment can be calculated.

4. Determination of Certification

To get a HITRUST CSF Validated Assessment Report with Certification, each domain must get a rating of 3 or higher. Assessments that meet or exceed the current HITRUST CSF Assurance scoring on the validated assessment achieve HITRUST CSF Certification. The MyCSF tool automatically generates scores, but understanding how they are calculated is helpful.

What If Certification Is Denied?

The process is rigorous and certification isn’t guaranteed. If scores don’t meet requirements, certification will not be issued.

Whether or not certification is achieved, HITRUST will provide a validated Assessment report with the related control scores. This report shows that an independent validated assessment has been completed and will also outline the gaps that require remediation. At this point, the organization will need to prepare a Corrective Action Plan (CAP) for any security controls that did not achieve a rating of 3 or higher.

It is still possible to obtain HITRUST CSF Certification with an approved CAP addressing those controls with lower scores.

Maintaining HITRUST Certification

An organization’s HITRUST certification is valid for 24 months. Yet, annual review of the organization’s status is necessary to maintain certification. The External Assessor will need to complete an interim review within 12 months of the original assessment. This verifies that no breach or significant change has affected the scoped control environment in that period of time.

After two years, the organization must repeat the process, completing and submitting a new validated assessment for the HITRUST quality assurance review. Because the HITRUST approach to evaluating control maturity promotes the concept of continual improvement, the prescriptive illustrative procedures associated with each control requirement statement provide a guideline for increasing security over time.

Look up the terms that have you confused in our HITRUST Glossary.

Authorized External Assessors You Can Trust

Partner with our certified HITRUST quality professionals to achieve certification for your organization. I.S. Partners will work with you to ensure that the entire process – from assessment preparation through the quality assurance review – is anxiety-free. Contact I.S. Partners at 215-675-1400 for a consultation and audit.

Go on to find out more about Phase 5: HITRUST Certification

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.