HITRUST VALIDATED REPORT AGREEMENT
THIS HITRUST VALIDATED REPORT AGREEMENT (“Agreement”) is made by
and between ______________ (“Participant”) and HITRUST SERVICES CORP.
(“HITRUST”) (collectively the “Parties.”)
WHEREAS, Participant has engaged an Authorized HITRUST External Assessor
(“External Assessor”) to assess its information security systems listed below against the
standards of the HITRUST CSF, and wishes the External Assessor to submit its findings to
HITRUST® for Validation and possible Certification, according to the terms and conditions
of this Agreement. The assessment for Validation and possible Certification is:
MyCSF Account Number
MyCSF Assessment (Object) Name
NOW THEREFORE, in consideration of the following covenants and commitments,
the receipt and sufficiency of which are hereby acknowledged and confessed, the Parties agree
as follows:
I. DEFINITIONS. As used within this Agreement, the following terms shall have the
definitions set forth in this Article I:
a. “HITRUST Assurance Program” means the programs and systems for use of the
HITRUST CSF and CSF Tools in connection with information protection
assurance assessments according to standards set forth by HITRUST.
b. “HITRUST CSF Tools” means the HITRUST CSF and related materials
HITRUST deems necessary for an authorized external assessor to perform
assurance engagements assessing the information protection program of
organizations in accordance with the HITRUST Assurance Program. HITRUST
CSF Tools may include, but not be limited to, Information Protection Control
Specifications, a Standards and Regulations Mapping Device, Assessment and
Reporting Tools, an Implementation Manual, and a Readiness Assessment Tool.
c. “HITRUST CSF” means the information protection framework for organizations
that is owned, marketed, and licensed by HITRUST as the “HITRUST CSF.”
d. “HITRUST CSF Submission” means the electronic submission to HITRUST of
an object containing complete, accurate factual findings from a HITRUST CSF
Assessment delivered by an Authorized HITRUST External Assessor via
HITRUST CSF Tools.
e. “Requirements and Procedures” means the HITRUST CSF Assessor
Requirements, the HITRUST Risk Analysis Guide, the HITRUST CSF
Assessment Methodology outlined in the HITRUST Training for HITRUST CSF
Practitioners program, the HITRUST CSF Assurance Program Requirements, the
HITRUST CSF Assessment Methodology, the HITRUST CSF Assurance Program
Documentation Requirements, the Evaluating Control Maturity Using the
HITRUST Approach whitepaper, and the CSF Assurance & Implementation
Bulletins; all of which are hereby incorporated by reference as if set forth in full
herein, and any and all amendments, restatements, modifications or replacements
of any of the foregoing after the Effective Date.
II. HITRUST REVIEW AND REPORTING
(a) Validation and Certification Process. For review and evaluation, HITRUST
will accept materials submitted by the Participant’s External Assessor via a HITRUST CSF
Submission. Upon receipt of the Participant’s HITRUST CSF Submission as delivered by the
Participant’s External Assessor, HITRUST shall subject the HITRUST CSF Submission to
initial check-in procedures. If the check-in procedures are completed successfully, the
HITRUST CSF Submission will undergo quality assurance procedures and HITRUST will
either (a) reject the submission based on concerns raised during the quality assurance review,
(b) issue a Validated HITRUST CSF Report, or (c) issue both a Validated HITRUST CSF
Report with Certification and a National Institute of Standards and Technology (NIST)
Cybersecurity Report (hereinafter collectively known as “Report”). The Report will represent
only that the Participant has provided the Participant Information (defined below) on which
the Report is based; that External Assessor has submitted its methods and findings as stated;
and that the compliance status announced in the Report (e.g., HITRUST “Validated,”
“Certified,” etc.) (“Compliance Status”) results from applying these components to the
compliance criteria established in the HITRUST CSF.
(b) Independent Review. In order to perform a quality assurance review, in
response to any circumstances which may arise during effective dates of any HITRUST CSF
Certified Report (“Certified Report”), or as a result of questions or concerns raised during
HITRUST’s quality assurance review, HITRUST may deem an independent evaluation
necessary to validate External Assessor’s findings, the underlying information provided by
Participant on which the findings are based (“Participant Information”), or whether External
Assessor actually followed the methods stated. If such review is deemed necessary,
Participant will cooperate with HITRUST in the performance of the review.
(c) Effective Date. Certified Report: If the Participant meets the criteria for
issuance of a HITRUST Certified Report, the report will be effective for either: (a) a one (“1”)
year term for a HITRUST e1 or i1 submission; or (b) a two (“2”) year term for a HITRUST r2
submission (“Term”) after its issuance, unless earlier suspended, revoked, or terminated. In
addition, the following two conditions must be met to continue the Term of an R2 Certified
Report: (1) an interim report must be performed and completed one year after the issuance of
the Certified Report; and (2) satisfactory progress must be made on any/all Corrective Action
Plan(s). HITRUST may contact the Participant regarding any questions or issues with respect
to the interim report and/or the status update on any Corrective Action Plan. Participant shall
cooperate with HITRUST and respond to any reasonable requests. Validated Report: If the
Participant does not meet the criteria for a Certified Report, HITRUST will issue a Validated
Report which is a point in time report which includes no extended effective date.
(d) No Assurances of a Favorable Compliance Status. HITRUST makes no
guarantee it will issue a Certified Report, or that a Compliance Status will be as favorable as
Participant desires.
(e) Rejections of HITRUST CSF Submissions. If in HITRUST’s sole discretion,
the Participant’s HITRUST CSF Submission is deemed not of proper quality or quantity to
allow sufficient quality assurance, HITRUST may work with the External Assessor and
Participant to attempt to cure the insufficiencies or an extension of time to obtain a validated
report. Participant acknowledges that the External Assessor is a third party, and HITRUST is
not responsible for any delays or rejection of submissions relating to evidence submitted
and/or testing provided by Participant and/or the External Assessor. HITRUST may also, at
HITRUST’s sole discretion, reject HITRUST CSF Submissions based on quality and/or
compliance issues identified during HITRUST’s quality assurance review. Upon rejection of a
HITRUST CSF Submission, HITRUST will identify the items (e.g., omissions, issues,
External Assessor’s nonadherence to HITRUST Requirements and Procedures) which led to
the rejection and will specify the remedial actions that must be performed by the Participant
and/or External Assessor—up to and including External Assessor’s reperformance of some or
all validated assessment procedures. At HITRUST’s sole discretion and dependent on the
nature and volume of quality issues noted during HITRUST’s quality assurance review
process, HITRUST may convert a rejected HITRUST CSF Submission object within
HITRUST CSF Tools to a read-only state and specify that the Participant and an External
Assessor prepare a new HITRUST CSF Submission.
III. PARTICIPANT’S RESPONSIBILITIES.
As conditions of continued HITRUST Compliance Status during the Term, Participant
must comply strictly with the following responsibilities:
(a) Participant Information Must Be Complete, Truthful, and Accurate.
Participant Information provided to External Assessor and to HITRUST must be complete,
truthful, and accurate. Participant shall be solely responsible for any findings, methods, or
Compliance Status resulting wholly or partly from faulty Participant Information submitted to
HITRUST. HITRUST has the right to audit Participant’s systems at least once during any
Certified Report period, if applicable. If this review turns up additional abnormalities, a
further review may be undertaken by HITRUST.
(b) HITRUST CSF Subscription and Continuous Monitoring. As a condition of
participation in the HITRUST CSF Assurance Program, Participant shall obtain a license to
use the HITRUST CSF, available at no charge through the HITRUST website. In addition,
Participant shall continuously monitor its systems and procedures to ensure effective privacy,
security and ongoing compliance with the HITRUST CSF, as applicable, including without
limitation (i) documenting any significant changes in business practices or procedures that
may impact privacy, if applicable, or security, and (ii) keeping privacy as applicable, security
and corrective action plans updated to reflect changes in Participant’s systems or posture. All
changes in security or privacy, if applicable, procedures must be reported to the External
Assessor and/or HITRUST during the interim review.
(c) Prompt Reporting of Event(s). Subject to any legal or contractual restrictions
applicable to Participant, Participant shall promptly advise External Assessor and HITRUST
of (i) any adverse deviation or departure from the information contained in the HITRUST
MyCSF Questionnaire as previously reported to External Assessor or HITRUST; (ii) any
attempted breach for which the investigation has been open or ongoing for sixty (60) days or
confirmed breaches (as defined below) of privacy, if applicable, or security; (iii) any changes in its
systems or procedures; (iv) acquisitions or divestitures which affect its systems; or (v) any
other event which may reasonably call into question Participant’s continued compliance with
the HITRUST CSF as announced in the issued Report or which leads to unauthorized access
to the Participant’s system or data housed therein (any of which being an “Event”).
HITRUST will determine the impact and significance of the Event. Actual unauthorized
access to a system will be deemed to suspend the Participant’s Compliance Status
automatically. References to Participant’s “systems or procedures” shall be deemed to include
only those Participant systems and/or procedures referenced in the Report. HITRUST may
investigate any Event and determine its impact on the Participant’s Compliance Status.
Participant shall cooperate with HITRUST’s investigation into any Event. (Breach, for use in
this Agreement, means an incident in which sensitive, protected or confidential data is
copied, transmitted, viewed, stolen, used, disclosed or accessed in an unauthorized fashion
and/or by an individual unauthorized to do so through the system that is identified above as
the Scope for this Agreement. Compliance Status, for use in this Agreement means the
systems under the coverage of this Agreement and any other Participation Agreement(s)
executed by this Participant where controls at play in the breach were inherited.)
(d) “Safe Harbor” for Reporting Gaps in the HITRUST CSF. HITRUST is
committed to the continual improvement of the HITRUST CSF and related materials, and
recognizes that entities being assessed in accordance with the HITRUST CSF may be a
valuable source of information for the HITRUST CSF’s improvement. Participant is therefore
encouraged to identify “gaps” in the HITRUST CSF or other means for its improvement, and
to report those to HITRUST. Reports which identify such “gaps” or otherwise suggest means
of improving the HITRUST CSF, as opposed to Events as described above, will not
jeopardize Participant’s Compliance Status.
IV. RESTRICTIONS ON USE OF REPORT OR HITRUST MARKS
(a) Use Only in Term, While in Compliance. Participant may only publicize,
market, or otherwise promote its HITRUST Compliance Status during the Term, and only
provided that (i) Participant has materially complied with its obligations under this
Agreement, (ii) its Compliance Status has not been suspended, downgraded or withdrawn; and
(iii) no Event has occurred. Upon request, Participant will certify to HITRUST in writing that
these conditions continue to be met.
(b) Full Copies of Report. If Participant chooses to provide access to the Report to
a third-party, Participant must provide a full copy of the Report, or the letter verifying the
status of the Report. Information from an interim assessment may only be shared in
accordance with HITRUST policy. The Participant may require such third party to hold the
Report in confidence.
(c) No Alterations. Participant shall not edit, alter or modify, including, but not
limited to truncating, the Report in any way, including without limitation removing, reducing,
modifying or obscuring any proprietary legends, trademarks, restrictions or disclaimers which
HITRUST may attach.
(d) No Misrepresentation to Third Parties. Participant shall not misrepresent to
any person or entity the level, effective dates, extent or other material aspect of its HITRUST
Compliance Status and/or the scope of the assessment/certification.
V. FEES.
Fees for HITRUST’s services will be charged according to the pricing indicated by the
HITRUST Sales Team. A separate fee will be charged for each HITRUST CSF Submission
which HITRUST is asked to subject to quality assurance procedures and potentially issue a
Validated HITRUST CSF Report. Participant will be responsible for those fees upon
execution of this Agreement. Payment is not contingent upon whether a Participant receives a
Validated Report, Validated and Certified Report, or no report at all. All payments will be
considered final when the assessment information is submitted to HITRUST.
VI. EXCLUSIVE OWNERSHIP OF THE HITRUST CSF.
Participant acknowledges HITRUST’s sole and exclusive right, title and interest in and
to the HITRUST CSF and all related documentation, together with all changes, deletions,
additions, translations, or derivatives to it made by any party. Participant agrees that any and
all rights in or to inventions, discoveries, revisions or derivatives arising out of or related to
the HITRUST CSF or related documentation, and all rights to license, market or otherwise
develop or dispose of the HITRUST CSF or related documentation, are and shall be the
exclusive property of HITRUST. Participant agrees not to challenge or contest the validity or
enforceability of HITRUST’s intellectual property rights in the HITRUST CSF or related
documentation, now or as it may be amended in the future. This commitment is of the essence
of this Agreement and will survive its termination or expiration.
VII. CONFIDENTIAL INFORMATION
(a) Confidential Information. Each Party may obtain access to Confidential
Information of the other Party, such as (as to HITRUST) certain valuable, confidential
information, compilations, methods, techniques, procedures and processes incorporated within
the HITRUST CSF or (as to Participant) information regarding Participant’s business
processes or private healthcare information of its customers, which are not generally known or
readily ascertainable by proper means (“Confidential Information”). The Parties agree to
hold all such Confidential Information in strictest trust and confidence, and not to use or
disclose this information except as permitted under this Agreement or with the other party’s
express prior consent. This obligation will survive the termination or expiration of this
Agreement. Notwithstanding anything herein to the contrary, HITRUST will not access, use
or disclose any information retained by Participant that is “personally identifiable
information” or “protected health information” without Participant’s prior written consent.
(b) Definition of Confidential Information. “Confidential Information” means all
information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”),
whether orally or in writing, that is designated as confidential or that reasonably should be
understood to be confidential given the nature of the information and the circumstances of
disclosure. Confidential Information includes: data within your possession, Confidential
Information of each party including the terms and conditions of this Agreement and all related
Agreements, as well as business and marketing plans, technology and technical information,
product plans and designs, and business processes disclosed by such party. However,
Confidential Information does not include any information that (i) is or becomes generally
known to the public without breach of any obligation owed to the Disclosing Party, (ii) was
known to the Receiving Party prior to its disclosure by the Disclosing Party without breach of
any obligation owed to the Disclosing Party, (iii) is received from a third party without breach
of any obligation owed to the Disclosing Party, or (iv) was independently developed by the
Receiving Party.
(c) Protection of Confidential Information. The Receiving Party will use the
same degree of care that it uses to protect the confidentiality of its own confidential
information. The Receiving Party will not use any Confidential Information of the Disclosing
Party for any purpose outside the scope of this Agreement, and except as otherwise authorized
by the Disclosing Party in writing. Receiving Party will limit access to Confidential
Information of the Disclosing Party to its Affiliates’ employees and contractors who need that
access for purposes consistent with this Agreement and who have signed confidentiality
agreements with the Receiving Party containing protections no less stringent than those
herein. Neither party will disclose the terms of this Agreement or an Order Form to any third
party other than its Affiliates, legal counsel and accountants without the other party’s prior
written consent, provided that a party that makes any such disclosure to its Affiliate, legal
counsel or accountants will remain responsible for such Affiliate’s, legal counsel’s or
accountant’s compliance with this Section.
(d) Compelled Disclosure. The Receiving Party may disclose Confidential
Information of the Disclosing Party to the extent compelled by law to do so, provided the
Receiving Party gives the Disclosing Party prior notice of the compelled disclosure (to the
extent legally permitted) and reasonable assistance, at the Disclosing Party’s cost, if the
Disclosing Party wishes to contest the disclosure. If the Receiving Party is compelled by law
to disclose the Disclosing Party’s Confidential Information as part of a civil proceeding to
which the Disclosing Party is a party, and the Disclosing Party is not contesting the disclosure,
the Disclosing Party will reimburse the Receiving Party for its reasonable cost of compiling
and providing secure access to that Confidential Information.
(e) Exclusions. These prohibitions shall not apply to information, compilations,
methods, techniques, procedures or processes that are or have become generally known in the
industry through no fault of the receiving party, or which it can show from written records
were (i) known to it before entering this Agreement, (ii) independently developed by it
without use of or reference to the other party’s Confidential Information, or (iii) lawfully
obtained by it from a third party not in breach of any obligation to the disclosing party. They
will also not apply to residual knowledge retained in intangible, non-electronic form, such as
general ideas, concepts and know-how.
VIII. REPRESENTATIONS AND WARRANTIES.
HITRUST PROVIDES THE HITRUST CSF AND ITS SERVICES “AS IS,” WITH
ALL FAULTS. HITRUST AND ITS OFFICERS, EMPLOYEES, AGENTS,
REPRESENTATIVES AND AFFILIATES DISCLAIM ALL WARRANTIES AND
REPRESENTATIONS, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
TITLE OR NONINFRINGEMENT, SECURITY, CONFORMITY TO DESCRIPTION,
ACCURACY, COMPLETENESS, OR RESULTS. THE ENTIRE RISK AS TO THE
QUALITY OR ARISING OUT OF THE USE OF THE HITRUST CSF OR THE SERVICES
CONTEMPLATED HEREUNDER REMAINS AT ALL TIMES WITH THE
PARTICIPANT.
IX. EXCLUSION OF INCIDENTAL AND CONSEQUENTIAL DAMAGES.
EXCEPT IN EVENT OF WILLFUL OR GROSS MISCONDUCT OR MISUSE OF
HITRUST’S INTELLECTUAL PROPERTY, IN NO EVENT SHALL EITHER PARTY OR
ANY OFFICER, AGENT, EMPLOYEE, REPRESENTATIVE OR AFFILIATE THEREOF
BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, INDIRECT OR
CONSEQUENTIAL DAMAGES WHATSOEVER ARISING FROM OR RELATED TO
ITS, HIS OR HER ACTIONS OR INACTIONS IN CONNECTION WITH THIS
AGREEMENT, EVEN IN THE EVENT OF ITS, HIS OR HER FAULT, TORT
(INCLUDING BUT NOT LIMITED TO NEGLIGENCE), MISREPRESENTATION,
STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY, AND
EVEN IF IT, HE OR SHE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
X. LIMITATION OF LIABILITY AND REMEDIES.
(a) No Liability for Good-Faith Exercise of Judgment. Under no circumstances
will either party or any officer, agent, employee, representative or affiliate thereof be liable to
the other party or any person or entity in privity with the other party for any loss, injury,
damage, cost, claim or expense arising from or relating directly or indirectly to the good-faith
exercise of his or its judgment in connection with this Agreement.
(b) EXCEPT IN EVENT OF WILLFUL OR GROSS MISCONDUCT OR
MISUSE OF HITRUST’S INTELLECTUAL PROPERTY, IN NO EVENT WILL THE
TOTAL LIABILITY OF EITHER PARTY OR ANY OFFICER, AGENT, EMPLOYEE,
REPRESENTATIVE OR AFFILIATE THEREOF EXCEED ONE MILLION DOLLARS.
(c) THESE DISCLAIMERS AND LIMITATIONS SHALL APPLY TO THE
MAXIMUM EXTENT PERMITTED BY LAW, EVEN IF ANY REMEDY FAILS OF ITS
ESSENTIAL PURPOSE.
XI. INDEMNIFICATION.
Participant will hold harmless, indemnify and defend HITRUST and its officers,
directors, shareholders, employees, agents, representatives and affiliates of, from and against
any and all suits, claims, actions, losses, costs, penalties and damages of whatsoever kind in
nature (collectively, “Costs”) directly caused by a material breach of this Agreement by
Participant. Notwithstanding the foregoing, except in event of willful or gross misconduct or
misuse of HITRUST’s intellectual property, the maximum amount of Participant’s total
indemnification obligation relating in any manner to this Agreement shall not exceed one
million dollars.
HITRUST will hold harmless, indemnify and defend Participant and its officers,
directors, shareholders, employees, agents, representatives and affiliates of, from and against
any and all suits, claims, actions, losses, costs, penalties and damages of whatsoever kind in
nature (collectively, “Costs”) directly caused by a material breach of this Agreement by
HITRUST. Notwithstanding the foregoing, except in event of willful or gross misconduct or
misuse of Participant’s intellectual property, the maximum amount of HITRUST’s total
indemnification obligation relating in any manner to this Agreement shall not exceed one
million dollars.
XII. TERM AND TERMINATION.
(a) Term. The term of this Agreement is from the date of last execution, up to and
including the last day on which the HITRUST CSF Validated Report at issue, which is
identified by the scope listed above, is valid.
(b) Termination. Participant may terminate this Agreement at any time for any
reason, provided it shall be liable for payment for all fees and expenses accrued up to the time
of notification. HITRUST may terminate this Agreement upon breach or threatened breach by
Participant (i) which occurs or remains uncured ten (10) days after notice from HITRUST, or
(ii) which relates to confidentiality of any HITRUST Confidential Information or HITRUST’s
intellectual property rights. In the latter event HITRUST may terminate this Agreement
immediately upon notice.
(c) Events upon Termination. Immediately upon termination or expiration of this
Agreement, or upon HITRUST’s request, Participant shall cease any external use of the
Report, and will remove and return to HITRUST all materials constituting or containing
HITRUST’s Confidential Information. Provisions related to protection of HITRUST’s
intellectual property and the Parties’ Confidential Information, and other provisions which by
their nature should survive, will survive termination or expiration hereof.
XIII. MISCELLANEOUS
(a) Notices. Notices required or permitted to be given under this Agreement shall
be deemed delivered when sent in writing to the address(es) for notices provided below, and
shall be deemed to have been delivered and given for all purposes (a) on the delivery date if
delivered personally to the Party to whom it is directed; (b) in one (1) business day after
deposit with a reputable overnight carrier with written verification of receipt; or (c) in the case
of emails, when transmitted without indication of failure in transmission. Either Party may
change its address for notices by written notice to the other party at any time as provided
herein.
IF TO PARTICIPANT:
__________________________
__________________________
__________________________
__________________________
IF TO HITRUST:
HITRUST Services Corp.
6175 Main Street, Suite 400
Frisco, Texas 75034
(469) 269-1100 (tel)
with a copy, which is required but shall not constitute notice, to:
(b) Entire Agreement. This Agreement contains the entire agreement of the Parties
relating to the subject matter, superseding all prior written or oral agreements, representations
or understandings. It may only be changed in writing signed by the Parties.
(c) Severability. If any provision of this Agreement is held by a court of competent
jurisdiction to be contrary to law, the provision will be deemed null and void, and the
remaining provisions of this Agreement will remain in effect.
(d) No Waiver. Failure or delay to require performance by the other party shall not
constitute a waiver of such performance, or of any other or later breach of such provision.
(e) Force Majeure. Neither party will be liable nor be deemed to have defaulted
under or breached this Agreement, for any failure or delay in fulfilling or performing any term
of this Agreement (except for any obligations to make payments to the other party hereunder)
for any delays, changes in performance, or nonperformance directly or indirectly resulting
from circumstances or causes, whether foreseeable or not so long as it is not known at the time
of execution, beyond its reasonable control, including, without limitation, fire, epidemic or
other casualty, act of God, strike or labor dispute, war or other violence, or any law, order, or
other requirement of any governmental agency or authority, or any problem, issue, order,
cancelation, or other similar act by a third party based on which the party is unable to perform
its obligations as described herein.
(f) No agency. Each party is acting as an independent contractor.
(g) Choice of Law; Jury Waiver. This Agreement and the Parties’ relationship
shall be interpreted and governed under Texas law, excluding its choice of law provisions and
the U.N. Convention on Contracts for the International Sale of Goods. THE PARTIES
WAIVE JURY TRIAL.
PARTICIPANT HITRUST SERVICES CORP.
Signature:
Name:
Title:
Date: