A Guide to HITRUST Interim Assessments


Any organization that has completed a HITRUST assessment knows that it represents a significant amount of effort and a significant commitment to compliance and certification. While many HITRUST levels of certification are only good for one year, HITRUST’s r2 certification is good for two years. However, the HITRUST r2 certification requires an ‘interim’ assessment every other year to keep the certification valid.

This process strikes a balance between keeping the audit workload somewhat lighter for organizations and validating that the controls, protections, and systems that were in place for the initial audit are still in place and functioning. It also validates that HITRUST Corrective Action Plans (CAPs) are on track. Navigating the process and understanding what to expect from your interim assessment can be confusing, though, so this document is designed to clarify if, when, how, and why an interim assessment can be conducted.

Understanding If An Interim Assessment Can Be Done

First and foremost, the interim assessment can only be conducted for an organization that has obtained a HITRUST r2 validated assessment in the last calendar year. The e1 and i1 certifications do not allow for an interim assessment, nor do HITRUST self-assessments or readiness assessments. Read this blog to learn more about the pitfalls to avoid during a HITRUST readiness assessment. (It is worth noting that a validated i1 assessment may be eligible for what HITRUST calls a “Rapid Recertification,” but HITRUST considers it a different thing than an interim assessment, so we will too.)

Secondly, the scope can’t change significantly. New products or services cannot be added to an r2 assessment during the interim assessment.

Third, there cannot have been a Security Event since the initial r2 assessment was issued.

Changes That Might Affect the Interim Assessment

While other significant changes may still allow an interim assessment to take place, the assessed entity will need to check with HITRUST to determine if the changes are too significant to allow an interim assessment. The changes that must be communicated to HITRUST include significant changes to processes, business or security policies, technologies, and major changes in functionality. Typically, those changes will be things like:

  • Changing cloud providers or moving data centers into the cloud.
  • Moving a facility to a different location.
  • Replacing in-scope platforms (moving from Oracle EBS to SAP, for example).
  • Outsourcing IT or security functions or bringing outsourced functions in-house.
  • New functionality added to in-scope platforms or that changes the nature of data stored or from where it is accessed.
  • Acquisitions, mergers, or divestitures that result in a change in who is responsible for the controls assessed in the initial assessment.

In the event of significant changes, HITRUST will determine whether an interim assessment is possible, if any additional controls will need to be added, and what additional testing may be necessary.


Timeline of HITRUST interim assessments

When Do We Start An Interim Assessment?

The Interim Assessment can be started 120 days before the anniversary of the report issuance. HITRUST will automatically generate the assessment 90 days before the anniversary of the assessment and it can be submitted any time during the 90 days preceding the anniversary of the r2 report.

This external assessor recommends that you start as soon as you can. Starting early on a project with a deadline is seldom a bad thing. While the interim assessment isn’t nearly as time or effort-intensive as the initial r2 assessment, it still requires time, resources, and effort.

What’s the Interim Assessment Like?

For an interim assessment, two areas will be assessed.

Initially, the External Assessor will inquire of management whether there have been any significant changes or security incidents. Once satisfied in this area, testing will begin.

HITRUST will randomly select certain requirement statements to be re-scored. This process will be exactly like the initial assessment, including the subscriber comments, external assessor review, evidence collection, and HITRUST scoring.

Also, all Corrective Action Plans (CAPs) will be reviewed and updated in MyCSF to reflect the current state of each CAP. It is also HITRUST’s expectation that at least 50% of the CAPs will be started and/or completed.

Once that’s completed, the submission is made to HITRUST for the typical QA review. Once QA is complete and HITRUST concludes that the entity should retain its certification, HITRUST will issue a letter to the assessed entity that indicates its certification is still valid.



HITRUST Interim Assessment – FAQs

  • Which HITRUST assessments require an interim assessment?
    • Only the r2 assessment requires an interim assessment. The interim assessment can be done every other year and is required to maintain the HITRUST-certified status for the 2nd year.
  • How many requirement statements are on an interim assessment?
    • HITRUST randomly picks 19 requirements, one from each domain, plus requires a review of any Corrective Action Plans (CAPs). The selected requirements are evaluated in the same manner as the initial assessment.
  • When should we start our interim assessment?
    • You can start 120 days before the anniversary of your initial certification. It MUST be submitted by the anniversary. For assessed organizations with HITRUST subscriptions, HITRUST will automatically create the interim assessment 90 days before the anniversary.
  • Does the HITRUST interim assessment require an external assessor?
    • Yes, it does. It can be the same assessor as your initial assessment, or it can be a different one.
  • Who can help me with questions?

Summary

We hope this helps make the interim assessment a little easier to follow and prepare for. While it’s a significantly less intense process than the initial assessment, it’s no less important: your certified status will not extend into the second year without it.

As Linford & Co is a HITRUST External Assessor Organization, we would be happy to assist with any of your HITRUST compliance needs. Please contact us to arrange a consultation or with any additional questions you might have about the HITRUST interim assessment or HITRUST Audit and Certification services in general.