HITRUST Releases Guidance for Reliance on the Work of Others

On September 11, 2019 HITRUST released updated guidance regarding the reliance of others as part of the HITRUST certification process. This includes a more defined scope for reliance on the results of audits, assessments, and inspections that have been completed in the past. In addition, the new guidelines introduce a new reliance option for those completing a HITRUST assessment. These new guidelines will go into effect for any HITRUST certifications submitted and accepted on or after December 31, 2019.

New Approaches and Guidelines for Third-Party Reliance

Historically External Assessors (previously referred to as “HITRUST CSF Assessors”) were afforded two approaches for reliance on the results of previously performed control testing:

  • Inheritance of results from other HITRUST CSF Assessments
  • Audit reports and certifications issued by third-party auditors

These two approaches are still afforded but will be updated to include specifics regarding associated timing, scope, and document requirements.

An additional approach is being introduced as a third reliance option:

  • “Internal Assessors” Work

The new role of “Internal Assessor” will perform in-house testing in advance of an External Assessor’s validated assessment fieldwork to aid in the HITRUST CSF Assessment process. These assessors could either be in-house (such as internal audit), contracted, or an outsourced Certified Common Security Framework Practitioner (CCSFP). An organization must have a minimum of two individuals identified as Internal Assessors if they want to use this approach. The Internal Assessors are required to:

  • Complete a HITRUST Internal Assessor application process which includes a management representative signature
  • Be CCSFPs with valid work experience
  • Demonstrate they are objective from CSF control areas

As a result of this new role the definition of External Assessors will be updated to reflect that of the previously defined role of “Authorized HITRUST CSF Assessors.”

External Assessor Requirement Changes

The following new requirements will be in place when relying on third-party audit reports:

  • The External Assessor and HITRUST Services Corporation must be authorized recipients of the third-party audit report
  • As part of the reliance strategy, applicable/scoped HITRUST CSF requirement statements must be mapped to the controls/requirements tested in the third-party audit
  • To assist with HITRUST QA, the mapping and third-party audit report must be made available to HITRUST

The following should be considered and observed when relying on the work of an Internal Assessor:

  • 100% of hours incurred by the Internal Assessor function must be incurred by a CCSFP. The Internal Assessor cannot use a non-CCSFP to help complete their testing. If the 100% of hours threshold is not met, the External Assessor cannot rely on the Internal Assessor’s functions testing.
  • External Assessors are not required to utilize the work of others during a validated assessment. The decision to rely on the work of others lies solely with the External Assessor, as they are ultimately accountable for validating management’s implementation of the HITRUST CSF.
  • When using the work of others, External Assessor are still required to design a validated assessment strategy which includes a detailed Test Plan and Workpapers that ensure they are still sufficiently involved in the validated assessment.
  • Finally, External Assessors must re-perform any Internal Assessors testing by either participating in Internal Assessors walkthroughs or performing their own walkthroughs.

Benefits of New Guidance

  • Minimizes over-reliance, or unwarranted reliance, on the work of other auditors or external assessors
  • Provides clarity and transparency around HITRUST’s expectations of timing, scope, and documentation when reliance is placed on the work of others
  • Delivers opportunities for greater assessment efficiency and client cost savings as duplicate testing can be reduced through the use of Internal Assessors
  • Creates a more defined role in the HITRUST process for Internal personnel with knowledge of the organization’s controls

A-LIGN’s Recommendation Regarding Internal Assessors

  • Ensure that all the requirements of getting and maintaining an Internal Assessor are met. Refer to HITRUST CSF Assurance Program Requirements and HITRUST CSF Assessment Methodology.
  • Perform a cost-benefit analysis of using an Internal Assessor. You could also discuss the impact on your validated assessment cost with your External Assessor upfront.
  • Disclose the use or intention to use an Internal Assessor to your External Assessor early during the scope planning phase of the assessment.
  • Review the work of the Internal Assessor on a periodic basis for reasonableness and completeness to avoid any unforeseen surprises during the External Assessors’ testing.
  • Finally, start with a gap/readiness assessment if it is your first time performing a HITRUST validated assessment, or if you are moving to a CSF version with significant changes. The Internal Assessor should be involved during the gap/readiness assessment phase.

Need more information or have further questions about HITRUST? Talk to one of our HITRUST professionals now by emailing [email protected] or call 1-888-702-5446.