e. “Requirements and Procedures” means the HITRUST CSF Assessor
Requirements, the HITRUST Risk Analysis Guide, the HITRUST CSF
Assessment Methodology outlined in the HITRUST Training for HITRUST CSF
Practitioners program, the HITRUST CSF Assurance Program Requirements, the
HITRUST CSF Assessment Methodology, the HITRUST CSF Assurance Program
Documentation Requirements, the Evaluating Control Maturity Using the
HITRUST Approach whitepaper, and the CSF Assurance & Implementation
Bulletins; all of which are hereby incorporated by reference as if set forth in full
herein, and any and all amendments, restatements, modifications or replacements
of any of the foregoing after the Effective Date.
II. HITRUST REVIEW AND REPORTING
(a) Validation and Certification Process. For review and evaluation, HITRUST
will accept materials submitted by the Participant’s External Assessor via a HITRUST CSF
Submission. Upon receipt of the Participant’s HITRUST CSF Submission as delivered by the
Participant’s External Assessor, HITRUST shall subject the HITRUST CSF Submission to
initial check-in procedures. If the check-in procedures are completed successfully, the
HITRUST CSF Submission will undergo quality assurance procedures and HITRUST will
either (a) reject the submission based on concerns raised during the quality assurance review,
(b) issue a Validated HITRUST CSF Report, or (c) issue both a Validated HITRUST CSF
Report with Certification and a National Institute of Standards and Technology (NIST)
Cybersecurity Report (hereinafter collectively known as “Report”). The Report will represent
only that the Participant has provided the Participant Information (defined below) on which
the Report is based; that External Assessor has submitted its methods and findings as stated;
and that the compliance status announced in the Report (e.g., HITRUST “Validated,”
“Certified,” etc.) (“Compliance Status”) results from applying these components to the
compliance criteria established in the HITRUST CSF.
(b) Independent Review. In order to perform a quality assurance review, in
response to any circumstances which may arise during effective dates of any HITRUST CSF
Certified Report (“Certified Report”), or as a result of questions or concerns raised during
HITRUST’s quality assurance review, HITRUST may deem an independent evaluation
necessary to validate External Assessor’s findings, the underlying information provided by
Participant on which the findings are based (“Participant Information”), or whether External
Assessor actually followed the methods stated. If such review is deemed necessary,
Participant will cooperate with HITRUST in the performance of the review.
(c) Effective Date. Certified Report: If the Participant meets the criteria for
issuance of a HITRUST Certified Report, the report will be effective for either: (a) a one (“1”)
year term for a HITRUST e1 or i1 submission; or (b) a two (“2”) year term for a HITRUST r2
submission (“Term”) after its issuance, unless earlier suspended, revoked, or terminated. In
addition, the following two conditions must be met to continue the Term of an r2 Certified
Report: (1) an interim report must be performed and completed one year after the issuance of
the Certified Report; and (2) satisfactory progress must be made on any/all Corrective Action
Plan(s). HITRUST may contact the Participant regarding any questions or issues with respect
to the interim report and/or the status update on any Corrective Action Plan. Participant shall
cooperate with HITRUST and respond to any reasonable requests. Validated Report: If the
Participant does not meet the criteria for a Certified Report, HITRUST will issue a Validated
Report, which is a point-in-time report that includes no extended effective date.