Find Your Specialist


Contact Us

    Go Back

    Adapting HITRUST® CSF Assessments in the Era of COVID-19

    As the impact of COVID-19 continues to be felt by businesses of all sizes and industries, figuring out how to adapt to continue operations, while keeping employees safe and healthy, is the top priority for business leaders right now. Fortunately, technology has allowed a large number of employees to continue working, at least partially, from home during these unprecedented times. While the ultimate goal is to “flatten the curve” and continue to ensure employee health and safety, the shift to this new working environment will naturally create nuances to Organizations in the throes of a current HITRUST CSF Assessment.

    This paper identifies changes that HITRUST has made and offers suggestions should you be one of the Organizations pursuing or undergoing a HITRUST CSF Assessment.

    HITRUST Announcements

    Since the pandemic outbreak, HITRUST has issued three CSF Assurance Program Bulletins: HAA 2020-001: Waiver of On-Site Requirement for Validated Assessments, HAA 2020-002: Impact of COVID-19 On Assessment Timelines, and HAA 2020-004: HITRUST CSF Bridge Assessments.  These three changes have begun to re-shape the traditional HITRUST CSF® Validated Assessment with a new approach that overcomes the challenges created by social distancing, travel restrictions and reduced workforces.

    • HAA 2020-001: Waiver of On-Site Requirement – Effective March 5, 2020, HITRUST temporarily waived the requirement for in-person/on-site validation procedures to be performed at the assessed entity’s facilities.  Since on-site requirements (such as physical security) are still in scope, HITRUST has issued guidance for alternative testing procedures.
    • HAA 2020-002: Impact of COVID-19 On Assessment Timelines – Effective March 16, 2020, HITRUST has re-communicated the timing requirements associated with a ‘rely-able’ Validated Assessments.
    • HAA 2020-004: HITRUST CSF Bridge Assessments – Effective April 15, 2020, HITRUST offers CSF® Bridge Assessment and Certificate to organizations whose current certification is affected due to COVID-19 disruption.

    Advice from an experienced authorized HITRUST External Assessor

    As an experienced HITRUST Assessor Firm and a member of the HITRUST Assessor and Quality Councils, Frazier & Deeter extends beyond HITRUST’s guidance by suggesting the following:

    • Assessors and their customers must maintain open communication with respect to how key dates may be affected during this time. Any deviations that would jeopardize the ‘rely-ability’ or integrity of an assessment must be addressed sooner than later.
    • In the event deviations are necessary, communication between the customer, their Assessor, and HITRUST must take place. While there are no guarantees that alternative approaches will be accepted, HITRUST has shown flexibility and concern given our current challenges.
    • In the event testing procedures or assessment timelines are impacted, it’s the HITRUST External Assessor’s responsibility to understand the situation, suggest alternatives, coordinate with HITRUST, and ensure quality is not marginalized.
    • Given our new norm, it’s important to identify controls that have operationally changed. Teleworking is one example.  In these situations, flexibility will be necessary to evaluate alternative, and even ad-hoc, controls.  Again, err on the side of transparency and communication so assessment interruptions will be minimized.

    Most importantly, the pandemic situation cannot become an excuse for lower quality or integrity, both of which remain major ingredients to the HITRUST CSF Assurance Program.  Whether you find yourself in the middle of an assessment, or are considering HITRUST for the first time, feel free to reach out to Frazier & Deeter with any questions.

    About the Authors

    Andrew Hicks CISA, CRISC, CCSFP, HCISPP, MBA is the Vice President of Risk Assurance and National Practice Leader for HITRUST for Frazier & Deeter. He has managed hundreds of HITRUST assessments.

    Buddy Orol is a member of Frazier & Deeter’s Process, Risk & Governance practice.

    Related Articles

    • 01.25.2023

      A New Year Means New Privacy Laws

      Ever since the General Data Protection Regulation (GDPR) came into effect in May 2018, US state privacy laws have been passed in Virginia, Colorado, Connecticut, Utah and, most pressing of them all, California. The California Privacy Rights Act (CPRA) went…

      Continue Reading
    • 01.19.2023

      The New Rules Under Section 174

      Internal Revenue Code Section 174 has long been used by taxpayers to deduct certain expenses related to research and experimentation (R&E) in the current year.  The code section was originally enacted in 1954 to eliminate uncertainty in the tax accounting…

      Continue Reading
    • 12.20.2022

      IRS Customer Service May Improve in 2023

      With 4,000 new customer service representatives and plans to hire 700 new Taxpayer Assistance Center (TAC) employees, taxpayers soon may get relief from endless hold times, no in-person help and unresolved problems.

      Continue Reading
    • 12.12.2022

      Reduce Taxable Income with IRA Distributions Transfers

      IRA owners who are age 70½ or over can transfer up to $100,000 per year to charity to reduce their taxable income. These transfers, known as qualified charitable distributions or QCDs, offer end-of-the year tax savings and can count toward required minimum distributions (RMDs) that taxpayers who are age 72 must make each year. Think of it as a tax-free charitable rollover of IRA funds.

      Continue Reading
    • 12.02.2022

      UK R&D Tax Reliefs – Where Are We Now?

      In the November 2022 Autumn Statement, the Chancellor announced significant changes to the current Research and Development (R&D) tax reliefs. The key announcements were a change to the applicable rate of the Research and Development Expenditure Credit (RDEC) and a…

      Continue Reading
    • 12.01.2022

      1099s Required for 2022 Tax Year

      Taxpayers earning income from selling goods or providing services may receive a Form 1099-K, Payment Card and Third-Party Network Transactions, for the first time in early 2023, when the 2022 forms are due. The requirement to file Forms 1099 have…

      Continue Reading
    • 11.28.2022

      IRS Uncovers $3.1 Billion in COVID Fraud

      The IRS Criminal Investigation department (IRS-CI) has partnered with the Justice Department to uncover and prosecute fraudulent activities related to the federal government’s COVID relief programs. To date, the IRS has conducted 840 investigations involving fraud amounts totaling more than…

      Continue Reading
    • 10.25.2022

      IRS Inflation Reduction Act Increases Funds

      The Inflation Reduction Act of 2022, enacted in August, increased funding for the IRS by $80 billion through 2031 for enforcement activities, operations support, systems modernization and taxpayer services. The legislative language, Treasury Secretary Janet Yellen and IRS Commissioner Charles…

      Continue Reading

    Privacy Overview

    When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

    You can enable or disable our use of cookies per category.
    Always Enabled