Everything You Need to Know About BARR’s HITRUST Advisory Proven Process: Part 2—Validated Assessment and Quality Assurance

September 8, 2022 | HITRUST

Your healthcare organization is at the point in its cybersecurity journey where you’re ready for the next step. You want to ensure the security of your data and increase customer trust. Now what? Working with a HITRUST Authorized External Assessor like BARR can guide your organization through a HITRUST validated assessment and Quality Assurance (QA) review process, ultimately leading you to your HITRUST certification.

The HITRUST Common Security Framework (CSF) was developed in collaboration with healthcare and information security professionals to provide a prescriptive framework that simplifies security requirements. It’s the most widely adopted security framework in the U.S. healthcare industry and is the only assessment that produces a validated certification report.

At BARR Advisory, we currently offer two types of HITRUST CSF assessments:

  • r2 Validated Assessment: The r2 assessment is the most comprehensive HITRUST assessment and repeats every two years with an interim period in between.
  • i1 Validated Assessment: If your organization is not quite ready for the r2, you can consider the i1 Validated Assessment plus certification, which is a one-year process.

This is the second post of a two-part series in which we’re highlighting what to expect from the validation assessment and QA review of BARR’s HITRUST proven process. The first blog of this series outlines the HITRUST readiness assessment.

During the readiness assessment, BARR will assess initial controls and provide recommendations for remediation. Once these controls are remediated, they’ll be implemented for a period of 90 days prior to your assessment. 

Let’s take a look at what you can expect during your validation assessment and how to obtain your HITRUST QA review plus certification. 

Validated Assessment

The validation assessment includes a number of testing procedures to ensure compliance gaps have been appropriately identified and controls are implemented and operating effectively. Testing procedures include:

  • Walkthroughs with personnel interviews to verify policies and procedures are documented;
  • Inspection of CSF-relevant policies and procedures to verify adequate coverage of CSF requirements;
  • Technical testing to validate the implementation of relevant controls;
  • Observation of relevant controls and control processes; and,
  • Inspection of mechanisms used to manage relevant controls.

Creating a Plan

Once your organization is ready to begin the validation assessment, your engagement lead will set up a kickoff meeting where you’ll confirm expectations and establish a timeline. The key result of this kickoff meeting is to schedule the QA review with HITRUST. 

Following the kickoff meeting, your engagement lead will provide you with a detailed HITRUST requirement questionnaire to begin working on. All of our engagements are submitted through BARR’s in-house communication tool, taskBARR.

Assessing Your Controls and Documentation

Now that you’ve provided the requested evidence, your engagement team is ready to test each control following BARR’s procedures. During the assessment, your controls will be tested against the HITRUST Maturity Model. Your engagement lead will agree or disagree with your organization’s scoring using the five maturity levels and provide supporting comments. 

According to the HITRUST Maturity Model, the five levels include:

  1. Policy, which considers the existence of current, documented information security policies or standards in the organization’s information security program and whether they fully address the control’s implementation specifications;
  2. Process/procedure, which considers the existence of documented procedures or processes developed from the policies or standards and whether they reasonably apply to the organizational units and systems within scope of the assessment;
  3. Implemented, which considers the actual implementation of the policies and whether the control’s implementation specifications are applied to all of the organizational units and systems within scope of the assessment;
  4. Measured, which considers the testing or measurement (metrics) of the specification’s implementation and whether they continue to remain effective; and,
  5. Managed, which reviews the organization’s management of its control implementations based on these metrics. 

After your assessment, the testing will undergo manager review. Following that review, the engagement lead will complete the administrative documentation.

Quality Assurance Review and HITRUST Certification 

The HITRUST QA review is the final stage of your journey toward certification. Below are the three steps to obtaining a successful QA review and certification. 

Pre-submission Review

Your completed assessment must be reviewed for quality assurance by an assigned Certified HITRUST CSF Practitioner with the Certified HITRUST Quality Professionals (CHQP) designation to ensure completeness and accuracy prior to submitting your assessment to HITRUST for review. 

There are six required forms/documents that need to accompany the submission:

  • Management representation letter 
  • Third-party participation agreement
  • Organizational overview and scope document
  • The assessor’s timesheet
  • Quality Assurance checklist signed by the engagement executive and the QA reviewer
  • Test plan and supporting work papers

It’s important to note that the QA reviewer must be independent of the assessment team.

Submit Assessment to HITRUST

Once all documentation is uploaded to myCSF, your engagement lead will reach out to the CHQP for the final quality assurance review. After the review is complete, the engagement lead will submit the assessment to HITRUST and work with HITRUST QA to address any issues or concerns. 

Certification and Debrief

If approved, you will receive a certified report from HITRUST. After the final report is posted, the engagement lead will set up a time for an internal and external debrief. This process is repeated annually, as the i1 validation report is only valid for one calendar year from the date of submission. The r2 assessment repeats every two years with an interim period in between.

Now that you’ve reached HITRUST certification you can rest assured knowing that patient data is protected and your organization has significantly decreased the likelihood of data loss or a breach. 

Our HITRUST team is available to answer any questions you may have about starting the certification process. Contact us today.