The Health Information Trust Alliance (HITRUST) recently released the Assurance Advisory Bulletin HAA 2016-010: Testing Protocols For Control Inheritance. This advisory clarifies the treatment of controls required for certification in situations where certain controls are outsourced to a third party and are inherited by the assessed entity.
“Organizations may not transfer risk or the obligation to obtain satisfactory assurances relating to HITRUST CSF controls. It is the assessed entity’s responsibility to ensure that all assessed controls, either supported directly or through use of a third party, are in place and functioning according to HITRUST CSF requirements.”
This means that an organization may not rely on a service provider to provide assurance that controls required by the HITRUST CSF are in place and operating effectively unless those controls have been tested by an approved CSF assessor. The CSF assessor has the option to determine if the controls have been satisfactorily tested by an independent third party consistent with the HITRUST CSF Assurance Program requirements.
“Where the testing involves inheriting the control from another HITRUST CSF Validated Assessment, the assessor should obtain the current status of the relied upon HITRUST CSF Validated Assessment to ensure it is still valid and in good standing. If that is the case, no further testing of the control should be required.”
This means that if you are a business associate supporting healthcare organizations, you can streamline their assessment process by not requiring them to re-test controls that were previously validated through your own HITRUST CSF Validated Assessment. This is of particular importance to hosting, infrastructure and software service providers that support assessed entities: having their own HITRUST CSF Validated Assessment with Certification allows a more efficient assessment process for their clients and gives them a competitive market edge in acquiring new clients.
Skoda Minotti can help healthcare organizations and service providers with their HITRUST questions, assessments and certification path. Please contact us today at email@example.com or 888-201-4484 to get started.