HITRUST Assessment Scoping Guidelines
We are routinely asked, “Which controls will A-LIGN test as part of the HITRUST assessment?” The answer depends on the environment and on the outcome of the scoping process. Scoping takes place in the initial phase of the HITRUST assessment process and determines which controls will be included in your assessment.
When determining the scope of an assessment, three major factors affect the risk within an organization: the type and size of the organization, the systems in use, and the external regulations that apply to the organization. In combination, these three factors determine the appropriate implementation requirements.
However, one of the first things an organization should determine before attempting to define its scope is why it is seeking HITRUST compliance. Is it seeking to satisfy the requirements of business associates? Does it want to use the certification to demonstrate its level of information security and increase marketability through differentiation? Is it a regulatory requirement?
Answering these questions makes the scoping process much easier, because it gives you a better understanding of the needs of your organization and of those affected by its decision to undergo a HITRUST assessment.
Type and Size of an Organization
The type and size of the organization affect the risk and complexity of the organization being assessed, and these organizational factors determine which controls are included in scope. Relevant factors include the volume of business, measured by the number of transactions or the number of records, and the geographic footprint of the organization, whether in one state, multiple states, or global.
It may be helpful for large companies to break the organization down into its business units. Because healthcare organizations often perform many distinct functions, they should be broken down along their operational differences. At times it is also necessary to separate the organization into geographic segments in order to comply more appropriately with regional differences in regulation.
Systems in Use
Once the organizational size and type are clear, the next step is to determine which systems are in use. Focus on the systems used to transmit, store, or process electronic protected health information (ePHI) or other forms of PHI.
Important factors include how the systems can be accessed:
- From the Internet or through other remote access.
- Through a third party of any kind.
- From any public location.
- From other systems.
External Regulations
Regulatory factors also affect the scope of the assessment, and they can depend on geographic considerations as well as on the organization's other compliance obligations. For example, if the organization also processes payment card data, the PCI DSS standard may be included in scope, or a state-specific data security standard may be included in the assessment.
Setting the proper scope is an important first step when pursuing HITRUST certification, because the scope drives every subsequent step in the process. If you have questions or would like additional information on HITRUST or on how to establish the proper scope, please contact one of A-LIGN’s HITRUST CSF assessors to learn more.