Following months of hard work, you and your External HITRUST Assessor finally “complete” the assessment, and the assessment dashboard now displays 100% of requirements under the “External Assessor Review Complete” status – now what? For most Assessed Entities, that phase is followed by formulating Corrective Action Plans (CAPs) for requirement statements that are deemed deficient and belong to a control reference required for certification. Need help understanding the difference between requirement statements and control references, and how MyCSF scores requirement statements? See our posts What is HITRUST? and How to Score HITRUST CSF Controls?, respectively, for in-depth guidance.
Is a CAP Applicable to All Types of HITRUST Assessments?
Yes. The concept of CAP is applicable to both i1 and r2 validated assessments. In both the i1 and r2 assessment reports, CAPs are published under Appendix A and gaps under Appendix B.
However, due to the scoring differences between the two types of assessments, the determination of whether a CAP is required differs somewhat. We explain the decision process in the following sections.
What’s the Difference Between a Gap & a CAP?
At a high level, a gap is a deficiency against one or more requirement statements at one or more of their corresponding maturity levels. If a gap is associated with a control reference that is required for certification, the Assessed Entity must provide a CAP to HITRUST before the final report/certification can be issued. You might be surprised to learn that CAPs and gaps are listed in similar tables in the assessment report appendices, with fields including point of contact, corrective action plans, scheduled completion dates, and status – the difference is that you have to complete all the fields for CAPs, and you don’t for gaps, in the final report.
How Does MyCSF Determine Whether a Deficiency Constitutes a Gap vs a CAP?
For an i1 assessment, HITRUST requires Assessed Entities to define CAPs for requirements where the implemented maturity level scores less than “fully compliant” and the associated control reference averages less than 80. Per HITRUST, “Any requirements where the implemented maturity level scores less than ‘fully compliant’ and the associated control reference averages 80 or more, a gap is identified instead of a CAP.” Note that i1 assessments do not use the PRISMA control maturity ratings (such as 1-, 3, and 5+) that r2 assessments use, because only the implemented maturity level is assessed.
For an r2 assessment, any requirement statement that scores less than a 3+ results in either a CAP or a gap. If the requirement statement is part of a control reference required for certification and scores less than a 3+, HITRUST requires a CAP. Otherwise, it is considered a gap, and a plan is not required.
Note that effective June 24, 2021, HITRUST no longer requires a CAP for a gap identified in the Policy and/or Procedure maturity level if there is not a gap at the Implemented maturity level. This change is reflective of the overall trend of HITRUST shifting more focus to the implementation maturity level.
What are the Key Elements of a Corrective Action Plan?
Think of CAPs as management’s responses to requirement statements found to be deficient. Each CAP should address:
- Point of Contact (POC): The individual responsible for remediation
- Scheduled Completion Date: The approximate date the CAP will be completed. HITRUST suggests that “if the deficiency requires a project plan to complete, it may make more sense to commit to the creation of the project versus the actual completion of the deficiency itself.” Keep in mind that whatever deadline you commit to, you need to be able to demonstrate progress by the next assessment.
- Corrective Actions: The steps management is going to take to resolve the deficiency.
- Status: The status of the remediation effort. This should be one of the following: Not Started, In Progress, or Complete.
How to Submit & Maintain Corrective Action Plans
At the conclusion of the “Performing Validation” phase of the HITRUST assessment workflow, MyCSF will automatically calculate scoring and generate a list of deficiencies requiring CAPs, which then ushers in the “Inputting CAPs and Signing Rep Letter” phase of the workflow.
For any CAP related to a requirement statement with a score greater than 61.99 for i1 assessments, or equal to 3 for r2 assessments, the Assessed Entity has the option to accept the risk rather than developing a CAP. HITRUST recognizes that each Assessed Entity has a limited amount of resources and must prioritize risk treatments accordingly. This option gives Assessed Entities the flexibility to accept a limited amount of residual risk wherever it makes sense. Keep in mind that the CAPs and the Assessed Entity’s responses will appear on the final HITRUST report, so the Assessed Entity should be comfortable that any customers who see the report will see both the CAP and the fact that it was not addressed.
Once the Assessed Entity has entered all required CAPs and signed the management representation letter, the Assessed Entity is prompted to submit the assessment to the External Assessor for CAP review. The External Assessor has to review each CAP for clarity and measurability (the ability of the Assessed Entity to demonstrate progress against the CAP) and approve them before the assessment can be submitted to HITRUST. This CAP review process can be iterative similar to the validation process where the External Assessor may send a CAP back to the Assessed Entity for revision.
Note that this phase is not part of the 90-day fieldwork period – the Assessed Entity and External Assessor are allowed as much time as needed to input and review required CAPs directly in MyCSF prior to submitting the assessment to HITRUST.
How Can Corrective Action Plans Impact HITRUST Certification?
As you might have gathered from the previous section, once the MyCSF system scores the requirement statements and associated control references and determines there are deficiencies requiring CAPs, the assessment simply cannot move forward until the CAPs are developed by the Assessed Entity and approved by the External Assessor. Thus, for the assessment in which the CAPs are raised, the path to HITRUST certification is blocked until all CAPs are in the approved state.
For subsequent assessments, the External Assessor will evaluate the status of each of your CAPs, which includes verifying that each CAP is either completed or on track. The assessor is also obligated to evaluate the CAP-associated requirement statement as a whole to confirm that the policy, the process, and the implementation evidence all still support the requirement statement. If the Assessed Entity misses the CAP timeline, it will need to document the progress made and update the timeline, and the External Assessor will again need to review and approve the updated CAP before the assessment is submitted to HITRUST.
Hopefully this has helped demystify how HITRUST determines whether CAPs are necessary and how to respond to one. Linford & Co is a Certified HITRUST CSF Assessor firm, and as such would be happy to assist you with any of your HITRUST compliance needs. Please contact us to arrange a consultation or to learn more about our HITRUST audit and certification services.
If you are interested in learning more about HITRUST, check out our other related articles:
- An Expert’s Guide to the HITRUST Framework
- The Benefits of HITRUST Certification: Understanding HITRUST vs HIPAA
- Navigating Compliance Frameworks: SOC 2 vs. HITRUST
- SOC 2 + HITRUST: How Your Organization Could Benefit From Both
- Avoiding HITRUST Self-Assessment Pitfalls
Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young where she was responsible for both audit and advisory engagements across financial services, energy, technology, and healthcare sectors. Since 2015, she has been focusing on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a certified information systems auditor (CISA), HITRUST assessor (CCSFP), information systems security professional (CISSP), and AWS cloud practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.