If you’re learning about the HITRUST CSF®, you probably already know that certification doesn’t last a lifetime. The beauty of the HITRUST approach is its focus on continual improvement. This means that organizations must work to maintain and regularly renew their certification. Guided by the HITRUST CSF Maturity Model, they are actively involved in sustaining and strengthening their security controls over time.
The HITRUST Interim Assessment is an additional verification required for certified companies. It serves to ensure that the scope of an organization’s HITRUST CSF Certification is still valid and that the security controls are still effective.
When Does the HITRUST Interim Assessment Happen?
An interim assessment must be performed one year (12 months) after the HITRUST Validated Assessment in order to maintain certification. It must be completed within the 90-day window leading up to the one-year anniversary of the date on which certification was issued.
For organizations that are subscribed to the HITRUST MyCSF® tool, the interim assessment is generated automatically 90 days before the submission deadline for certification renewal. For those who want to get a head start, it’s accessible up to 120 days before the required submission date.
Process of Generating a HITRUST Interim Assessment
The HITRUST Interim Assessment is a review carried out by a HITRUST Authorized External Assessor, like I.S. Partners.
1. Organizational Review
First, assessors will look for significant changes in the organization. Together with management of the assessed entity, they will update the MyCSF object and take note of any changes to the environment and control requirement responses.
They will consider the policies, procedures, systems design, workforce, and inventory in determining if significant changes have affected your organization over the past 12 months. Significant changes will indicate the need for a full re-assessment; if there have not been any significant changes, the organization is eligible to maintain their certification with an interim assessment.
2. Review of Security Controls
To maintain certification, the organization must keep its security controls in place and operating. Assessors re-test a subset of the prior year’s control requirement statements to confirm the scores and ensure ongoing effectiveness. The subset includes one randomly chosen control requirement statement from each of the 19 HITRUST control domains. If a control requirement or domain has changed significantly, it will need to be re-tested so that the impact of the change can be determined and the related scores re-validated.
3. Review of the Scope
Changes to an assessment’s scope are generally not permitted during the interim assessment. Any scope changes that occurred over the past year should therefore be communicated to the assessors so that they can advise you on how to proceed (for example, whether a full re-assessment is required).
4. Review of Corrective Action Plans
To maintain certification, the organization must also show progress against open HITRUST requirements. For that reason, the interim assessment covers any Corrective Action Plans (CAPs) contained in the previous validated assessment report. Assessors may interview key personnel to reach reasonable assurance that the control environment still meets the HITRUST CSF requirements and that the organization is making progress on its CAPs.
HITRUST Quality Assurance Review for Interim Assessments
When these items have been verified, assessors compile the interim assessment documentation and submit the results to MyCSF. HITRUST then reviews the information and makes the final determination about whether the assessed entity should retain certification. HITRUST Assurance and Compliance teams implement the same level of quality assurance checks as those done for validated assessments.
- If HITRUST confirms that the organization can retain certification, it will issue a letter confirming certification validity.
- If HITRUST determines that re-assessment is necessary, the organization’s HITRUST CSF Certified status will be set to pending until the results of the re-assessment have been reviewed.
- If the re-assessment results are satisfactory, HITRUST will issue a letter confirming certification validity for one year.
- In the case that HITRUST determines that requirements are no longer being met by the organization, a letter will be issued requesting the entity to remove any references to HITRUST certification in its printed material and on its website.
After successful completion of the interim assessment, the HITRUST CSF Certification remains valid for one more year. HITRUST certification expires two years after it is issued, at which point the organization must go through the full recertification process.
Benefits of the HITRUST Interim Assessment
While it’s true that HITRUST certification is valid for two years, reviewing the scope and security controls annually provides ongoing assurance.
I.S. Partners, LLC. – Authorized HITRUST External Assessor
Our firm is an authorized HITRUST External Assessor with experience assisting organizations around the country through the HITRUST preparation, readiness, certification, and remediation phases.
Get more information about I.S. Partners’ full range of consulting and assessment services. Contact our office by calling 215-675-1400 or filling out the request form below.