Risk Advisory Services Blog

HITRUST for Service Providers

The Health Information Trust Alliance (HITRUST) recently released the Assurance Advisory Bulletin HAA 2016-010: Testing Protocols For Control Inheritance. This advisory clarifies the treatment of controls required for certification in situations when certain controls are outsourced to a third party and are inherited by the assessed entity.

“Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.”

This means that an organization may not rely on a service provider to provide assurance that controls required by the HITRUST CSF are in place and operating effectively unless those controls are tested by an approved CSF assessor. The CSF assessor has the option to determine whether the controls have been satisfactorily tested by an independent third party consistent with the HITRUST CSF Assurance Program requirements.

“Where the testing involves inheriting the control from another HITRUST CSF Validated Assessment, the assessor should obtain the current status of the relied upon HITRUST CSF Validated Assessment to ensure it is still valid and in good standing. If that is the case, no further testing of the control should be required.”

This means that if you are a business associate supporting healthcare organizations, you can streamline their assessment process by not requiring them to re-test controls that were previously validated through your own HITRUST CSF Validated Assessment. This is of particular importance to hosting, infrastructure and software service providers that support assessed entities: having their own HITRUST CSF Validated Assessment with Certification allows a more efficient assessment process for their clients and gives them a competitive edge in acquiring new clients.

Skoda Minotti can help healthcare organizations and service providers with their HITRUST questions, assessments and certification path. Please contact us today at cshaffer@skodaminotti.com or 888-201-4484 to get started.

© Copyright 2016 Skoda Minotti