What is the role of the External Assessor for HITRUST?

There are a lot of moving parts in the HITRUST® certification process. That’s why it is important that the role and responsibilities of each key figure be clearly defined. This article looks at external assessors, how they are involved in the certification process, and what it takes to become an external assessor for HITRUST engagements. 

What Is an Authorized HITRUST External Assessor? 

Firms and businesses that are specialized in providing security assessment, risk management, and consulting services to other organizations can become authorized external assessors. They must be approved by HITRUST in order to perform assessments and services related to the HITRUST Assurance Program and the HITRUST CSF framework, which outlines a comprehensive security attestation. 

External Assessors are essential to HITRUST’s efforts to support companies that are approaching the various engagements. The goal is to provide them with objective, yet skilled assistance in assessing compliance status with security control standards, defining the scope of the HITRUST engagement, and establishing a corrective action plan aimed at achieving certification. 

What Are the Requirements to Become a HITRUST External Assessor? 

Organizations that aim to become HITRUST Authorized External Assessors must provide the following for review: 

• Letter from management outlining their intent to support HITRUST member organizations with skilled services related to assessment and certification. 
• Declaration of observance for HITRUST’s documented policies and procedures related to integrity and ethics. 
• Completed HITRUST External Assessor application documents. 
• Documented policies and procedures that are meant to ensure the integrity and ethics of its employees. 
• The names and resumes of the practitioners who plan to be trained as CCSFPs and CHQPs. 

Even after receiving authorization, HITRUST also reserves the right to perform a peer review of the HITRUST External Assessor organization. 

What’s the Difference Between External Assessors and Internal Assessors? 

Essentially, external assessors are outside of the company engaged in the HITRUST assessment, while internal assessors are either employed or outsourced directly by the company.  

Internal Assessors are individual practitioners focused on moving the HITRUST assessment process forward. They are typically responsible for performing in-house testing before an external assessor is brought in to validate the assessment fieldwork. They are typically in-house or outsourced CCSFPs positioned within or engaged by an assessed entity’s internal audit department or team of security consultants. At the same time, this role requires a moderate level of objectivity, specialized training, as well approval from HITRUST. 

But not just anyone can act as an external or internal assessor. Individuals and partner firms must apply and show that they have met certain requirements before becoming authorized to perform HITRUST-related engagements. This includes HITRUST assessments and certification for other entities. 

What Is a Certified HITRUST Practitioner? 

Both external assessors and internal assessors must be authorized by HITRUST to guide an organization through the assessment process. These individuals are known as Certified CSF Practitioners, or CCSFPs. To become a CCSFP, a practitioner must meet the competence requirements, successfully complete the HITRUST training course, and pass the certification exam. 

CCSFPs can be employed by the HITRUST External Assessor organization in the role of an authorized external assessor; or work for the organization undergoing assessment in the role of an authorized internal assessor. 

What is a Certified HITRUST Quality Professional? 

Also known as CHQPs, Certified HITRUST Quality Professionals are practitioners who are authorized to act as the on-site project coordinator, engagement executive, and the engagement’s quality assurance reviewer. The responsibilities covered by CHQPs may include tracking finances, monitoring engagement, approving the scope, and performing quality assurance. Similar to CCSFPs, to become CHQPs individuals must meet the competence requirements, successfully complete the CHQP training course, and pass the CHQP certification exam.  

These types of practitioners usually work for a HITRUST External Assessor firm. Because CHQP certification is valid for only two years, they must pass a web-based refresher course and exam to get re-certified. 

What Authorized Roles Are Required for Submitting Assessments to HITRUST? 

Assessment teams that plan to submit validated assessments to HITRUST must have at least one CHQP who functions as the quality assurance reviewer. Additionally, they must show that at least half (50%) of all validated assessment engagement hours were performed by authorized CCSFPs. CHQP may include the project coordinator, engagement executive, and the quality assurance reviewer. 

What Are the Training Requirements for Certified CSF Practitioners? 

Before becoming authorized assessors as CCSFPs, or CHQPs, practitioners are required to complete the following: 

• HITRUST’s live-broadcasted, virtual training course. 
• Pass the CCSFP Exam offered by HITRUST. 
• Attend and pass the virtual CHQP training course after passing the CCSFP Exam (for CHQPs). 

In addition, practitioners are required to keep up their training and stay up to date on the latest techniques and technologies. To ensure this, they must: 

• Complete annual web-based refresher courses. 
• Complete virtual training sessions at least every three (3) years. 
• Pass an examination associated with each course to demonstrate competence. 
• Obtain a minimum of 120 CPEs every 3 years. 
• Continue to work in the field of information security. 

Even after achieving certification, HITRUST reserves the right to review documentation of the required training and continual learning credits. 

I.S. Partners – Your HITRUST Assessor Partner 

Since 2016, our firm has been an authorized HITRUST external assessor assisting companies of all different sizes through HITRUST preparation, readiness, certification, and remediation phases. Learn more about our HITRUST consultancy and assessment services. 

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.