
HITRUST Updates Scoring Rubric in Support of i1 Assessment

In January of 2022, HITRUST released an advisory for their updated Control Maturity Scoring Rubric, which was immediately enforced for the i1 assessment. For any organization undergoing the r2 assessment, the new rubric was enforced on May 1, 2022. This updated rubric assists assessed entities and their external assessors in assessment scoring to ensure they are implementing maturities at an appropriate level.  

Scoring Rubric Key Changes 

HITRUST updated the scoring rubric to provide a more streamlined approach. Although it was designed as a reference aid, the rubric has become a tool that organizations frequently use to determine their scores across the various levels of control maturity.

Key changes to the HITRUST Control Maturity Scoring Rubric include: 

  • A reduction in the tiers for Policy and Procedures maturity levels from five to three. Please note the levels of coverage remain the same, ranging from ‘very low’ to ‘very high’. The new tiers are as follows:
    • Tier 0 = No documented Policy and/or Procedure 
    • Tier 1 = Undocumented Policy and/or Procedure 
    • Tier 2 = Fully documented Policy and/or Procedure  
  • Organizations will now have to address the illustrative procedures for all of the control requirements and policy statements.  Previously, organizations only addressed the requirements they met. They will now need to go a step further and look at illustrative procedures within the policy and procedure documents to address all elements for that requirement.  
  • The addition of evaluative elements into the rubric. Organizations are now required to address evaluative elements in the policy document and in the procedure document for every requirement for the policy maturity and procedure maturity. 

In addition to these key changes, HITRUST also made minor adjustments to the scoring rubric. 

  • HITRUST reformatted the guidance for supporting documentation to qualify as a measure by clarifying the metrics and adding context. 
  • The timeframe table was revised to note whether the information refers to r2 or i1, as previously there was no delineation.
  • The addition of the current Bridge Certificate timing guidance into the rubric and sampling guidance as a visual. 
  • Although guidance was not modified, several sections were removed from the timeframe table in order to streamline the presentation of key timeframes. 
  • HITRUST added and updated links on the rubric where additional guidance can be located. 

How Organizations Can Prepare 

To avoid being caught off guard, organizations should continuously verify that the controls that could impact their compliance score have been properly implemented. A-LIGN can conduct a HITRUST Gap Assessment to help organizations benchmark the implementation of their controls against the updated scoring rubric so that certification is achieved or maintained. In addition, A-LIGN can help identify any gaps and recommend new controls that will need to be implemented.

A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is a HITRUST CSF Assessor firm, Qualified Security Assessor Company, Accredited ISO 27001 and ISO 22301 Certification Body, Accredited FedRAMP 3PAO and licensed CPA firm. 

For more information regarding HITRUST Certification, contact us at [email protected] or call 1-888-702-5446. Our experienced assessors can answer your cybersecurity and privacy compliance questions.
