Even though compliance is an ongoing process, each individual assessment has its own lifecycle, which begins with a self-assessment of scoping factors. This can be a tedious process to complete for every audit, especially if the same questions get asked more than once, or continue to show up in assessment requirements. Fortunately, HITRUST has introduced a strategic approach to its scoping factors, which it announced in its Assurance Advisory: 2020-003.
HITRUST made multiple changes to its scoping factors, streamlining the audit process by mapping scoping factor questions to assessment requirements and eliminating unrelated requirements. The scoping factor questions now include additional context to avoid the typical back-and-forth that could occur during QA of the assessment.
This Assurance Advisory is set to minimize unrelated requirements when a scoping factor is marked “no” and to curtail the constant flow of “this is not applicable because…” responses currently captured in HITRUST CSF assessment reports. According to HITRUST, “Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.”
HITRUST is adding more than ten additional scoping factor questions to identify risk factors for assessment, and adding further requirements to existing scoping factors. The HITRUST portal, MyCSF, will require additional explanation for each question answered “No,” so that an External Assessor, such as A-LIGN, and the HITRUST QA can better evaluate each response. Additionally, HITRUST is adding more information to its help page and clarifying its definition of a third party.
The process of streamlining assessment requirements is a key component of strategic compliance, which seeks to centralize, standardize and consolidate audits. Our compliance management platform, A-SCEND, could already deduplicate redundant assessment requests to help our clients achieve strategic compliance. If you also appreciate the value of eliminating superfluous workflows, then we suspect that you will also be happy to see this update from HITRUST.
If you have any questions or if you would like to learn more about undergoing a cybersecurity or compliance assessment, please reach out to one of A-LIGN’s experienced assessors today.