If you’re new to the HITRUST CSF® assessment process, you might be wondering just how different the audit process is from other audits. The requirement of the interim assessment is one of the main ways that HITRUST® certification is unique. What happens during this interim review? Let’s take a look at what you can expect during a HITRUST interim assessment.
Overview of the HITRUST CSF Assessment Process
The HITRUST CSF is a security and privacy framework that is the foundation of all HITRUST programs. It leverages federal and state regulations, industry standards and frameworks, and a focus on risk management to create a comprehensive standard. The framework originally developed for the healthcare industry but now has applicability in financial services, travel and hospitality, media and entertainment, telecommunications, and with start-ups. HITRUST reports that because of its continued effort to improve and update the framework, the HITRUST CSF is the most widely-adopted security framework in the US healthcare industry.
When you engage in a HITRUST CSF Assessment and are seeking certification, the typical audit process with KirkpatrickPrice looks something like this:
- Undergo a Gap Analysis
- Perform a HITRUST Self-Assessment
- Remediate Findings
- Undergo a HITRUST Validated Assessment
- Go through HITRUST Quality Assurance
- Receive the Final Report
- Undergo a HITRUST Interim Assessment
What is a HITRUST Interim Assessment?
What sets the HITRUST CSF apart from many other frameworks is that the audit process isn’t a one-time engagement; it’s a continuous work-in-progress to maintain compliance. Recognizing this, part of the HITRUST CSF certification process includes an interim assessment, a review that takes place exactly a year after the initial HITRUST Validated Assessment takes place. So, what will your auditor be assessing during the HITRUST interim assessment?
What Can You Expect During a HITRUST Interim Assessment?
During a HITRUST interim assessment with KirkpatrickPrice, we will:
- Review your policies, procedures, systems design, personnel, and inventory to determine whether significant changes to your organization have occurred. If significant changes have taken place, HITRUST requires a full re-assessment. If no significant changes have taken place, organizations are eligible to be re-certified without re-assessment.
- Select 19 controls – one randomly from each domain – and re-test that control statement completely. This process typically takes 1-2 weeks.
- Review all Corrective Action Plans (CAPs) for appropriate physical security and conduct any required interviews to reach reasonable assurance the control environment continues to meet the CSF requirements.
- Document and submit the interim assessment results in MyCSF®. From there, HITRUST makes the final decision on whether or not to issue the re-certification.
- Discuss your organization’s upcoming full assessment renewal and plan a strategy for a successful renewal engagement. Each full assessment is often under a new version of the CSF and will include new or changed requirements. Because of this, the sooner your organization begins to self-assess against the new requirements, the better.
Has your organization been asked to demonstrate HITRUST compliance? Are you unsure where you need to start? We’re here to help! Contact us today to learn more about our HITRUST assessment process and how we can assist you on your journey toward HITRUST certification.