HITRUST Scoring Basics
In 2019, HITRUST released an update to the HITRUST Scoring metrics.
HITRUST Scoring Implementation Requirements
Implementation levels are built upon three unique risk factors:
- Organization factors
For example, the type of organization, or the size of the organization.
- System factors
For example, internet connections, or the use of mobile devices in the organization.
- Regulatory factors
For example, state or specialized industry requirements.
The risk levels are placed into three different designations (Level 1, Level 2, and Level 3) dependent on the complexity and risk systems within the organization. Because of this, organizations would not have consistent levels across the board. The prescriptive system is as follows:
This is the minimum security requirement set for any system, of any size and serves as a baseline for the industry in order to meet all HIPAA Security Rule requirements.
All of the functionality and control of Level 1, but with additional functionality and/or an increase in the strength of a Level 1 control. Level 2 is only required for an organization that has a system with an increased risk due to the complexity of their organization, system or regulatory factors.
All of the functionality and control of Levels 1 and 2, but with additional functionality and/or an increase in the strength of Level 1 and 2 controls. Level 3 is only required for an organization that has a system with an increased risk due to the complexity of their organization, system or regulatory factors.
Each section is scored as a percentage of your final score. Scores are determined through the percentages available in Figure 1.
To receive a final score, you multiply the scoring category percentage (Fig. 1) by the score (Fig. 2). For example:
In the sample, the organization would serve a 68.75 in the access controls section. This percentage is then converted into a 15-level maturity rating in order to find your final score.
In the example from Figure 3, a score of a 68.75 would merit a maturity level of 3.
In order to receive a certified report, each domain MUST score at least a 3 on the HITRUST’s 1- to 5+ scale. If you do not earn a score of 3+ or higher, you will raise a Corrective Action Plan (CAP). You can still be certified with CAPs as long as the overall score of the domain is a 3. Any domains that do not receive at least a 3 will result in the generation of a validated report.
There are 64 controls required for certification, and the focus should be on continual improvement in all control groups.
Corrective Action Plans (CAPs)
Once HITRUST has delivered an organization’s draft report, certification CAPs will be entered into the tool. Basic Cap management functionality will be opened up for any organization that does not have the CAP management module. CAPs at that point can be entered for each control identified as deficient. Once the CAP is reviewed by HITRUST, the modifications are added to the next draft version of the HITRUST report.