Find Your Specialist


Contact Us

    Go Back

    Adapting HITRUST® CSF Assessments in the Era of COVID-19

    As the impact of COVID-19 continues to be felt by businesses of all sizes and industries, figuring out how to adapt to continue operations, while keeping employees safe and healthy, is the top priority for business leaders right now. Fortunately, technology has allowed a large number of employees to continue working, at least partially, from home during these unprecedented times. While the ultimate goal is to “flatten the curve” and continue to ensure employee health and safety, the shift to this new working environment will naturally create nuances to Organizations in the throes of a current HITRUST CSF Assessment.

    This paper identifies changes that HITRUST has made and offers suggestions should you be one of the Organizations pursuing or undergoing a HITRUST CSF Assessment.

    HITRUST Announcements

    Since the pandemic outbreak, HITRUST has issued three CSF Assurance Program Bulletins: HAA 2020-001: Waiver of On-Site Requirement for Validated Assessments, HAA 2020-002: Impact of COVID-19 On Assessment Timelines, and HAA 2020-004: HITRUST CSF Bridge Assessments.  These three changes have begun to re-shape the traditional HITRUST CSF® Validated Assessment with a new approach that overcomes the challenges created by social distancing, travel restrictions and reduced workforces.

    • HAA 2020-001: Waiver of On-Site Requirement – Effective March 5, 2020, HITRUST temporarily waived the requirement for in-person/on-site validation procedures to be performed at the assessed entity’s facilities.  Since on-site requirements (such as physical security) are still in scope, HITRUST has issued guidance for alternative testing procedures.
    • HAA 2020-002: Impact of COVID-19 On Assessment Timelines – Effective March 16, 2020, HITRUST has re-communicated the timing requirements associated with a ‘rely-able’ Validated Assessments.
    • HAA 2020-004: HITRUST CSF Bridge Assessments – Effective April 15, 2020, HITRUST offers CSF® Bridge Assessment and Certificate to organizations whose current certification is affected due to COVID-19 disruption.

    Advice from an experienced authorized HITRUST External Assessor

    As an experienced HITRUST Assessor Firm and a member of the HITRUST Assessor and Quality Councils, Frazier & Deeter extends beyond HITRUST’s guidance by suggesting the following:

    • Assessors and their customers must maintain open communication with respect to how key dates may be affected during this time. Any deviations that would jeopardize the ‘rely-ability’ or integrity of an assessment must be addressed sooner than later.
    • In the event deviations are necessary, communication between the customer, their Assessor, and HITRUST must take place. While there are no guarantees that alternative approaches will be accepted, HITRUST has shown flexibility and concern given our current challenges.
    • In the event testing procedures or assessment timelines are impacted, it’s the HITRUST External Assessor’s responsibility to understand the situation, suggest alternatives, coordinate with HITRUST, and ensure quality is not marginalized.
    • Given our new norm, it’s important to identify controls that have operationally changed. Teleworking is one example.  In these situations, flexibility will be necessary to evaluate alternative, and even ad-hoc, controls.  Again, err on the side of transparency and communication so assessment interruptions will be minimized.

    Most importantly, the pandemic situation cannot become an excuse for lower quality or integrity, both of which remain major ingredients to the HITRUST CSF Assurance Program.  Whether you find yourself in the middle of an assessment, or are considering HITRUST for the first time, feel free to reach out to Frazier & Deeter with any questions.

    About the Authors

    Andrew Hicks CISA, CRISC, CCSFP, HCISPP, MBA is the Vice President of Risk Assurance and National Practice Leader for HITRUST for Frazier & Deeter. He has managed hundreds of HITRUST assessments.

    Buddy Orol is a member of Frazier & Deeter’s Process, Risk & Governance practice.

    Related Articles

    Privacy Overview

    When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

    You can enable or disable our use of cookies per category.
    Always Enabled

    Essential cookies enable you to navigate our Site and use certain features, such as accessing secure areas of our Site and using other features of our service that require us to keep track of certain information as you navigate from page to page. Although some of these cookies are “required” to enable certain functionality, you can disable them in the browser, but doing so will limit your ability to use the features supported by such cookies.

    Functionality cookies are cookies that support features of the Site, such as remembering your preferences.

    These cookies collect information about how you use our Site, including which pages you go to most often and if they receive error messages from certain pages. These cookies are only used to improve how our Site functions and performs.

    From time-to-time, we may engage third parties that track individuals who visit our Site. These third parties may track your use of the Site for purposes of providing us with certain marketing automation features (to help us improve our outreach to current and prospective clients) and providing you with targeted advertisements.