Did you know that the underpinning of HITRUST Certification rests on policy and procedure? Yet it’s not as simple as just taking your current policies and procedures (P&Ps) and submitting them to the external assessor. In fact, we’d strongly recommend that you not do that. HITRUST has specific requirements.
Instead, ensure that your organization’s policies and procedures meet the HITRUST requirements before the assessment object goes to the external assessor. Otherwise, you’ll be like the many organizations that find out on their first attempt (key word being “attempt”) at certification that their submitted policies and procedures won’t work and must be revised to meet these requirements.
There’s also a timeframe to stick to. Requirement-adherent policy and procedure changes must have been approved and implemented for 60 days before the external assessor receives the assessment object.
How does HITRUST’s MyCSF platform fit in?
HITRUST’s MyCSF platform is key to determining what policy and procedure revisions will be required for each control that is in scope for your organization’s assessment. Under each control, the illustrative procedures detail exactly what the external assessor is required to look for in policy, procedure, and implementation.
Remember to review each control against your own policy. Pay special attention to the fact that a control’s policy requirement might have one or more elements, each of which has to be addressed in both the policy and the process. Once you revise the policy statements to include all required language, you’ll want to review (or revise) the process statements to ensure that they address each policy element. I recommend your organization use the following questions to establish how to meet HITRUST’s requirements for process statements:
- Who is responsible for the implementation of the control?
- How has your organization implemented the control requirement(s)? (In other words, “how” do you do this?)
- Where has your organization documented this control? (Policy, SOP, plans, handbooks, etc.)
- How often is the control-related documentation reviewed? (Cite the instances: annual policy reviews, testing exercises, log reviews, etc.)
If you use our recommended structure, you’ll know that your organization is capturing the policy and process requirements. Use illustrative language for implementation that can also be used to develop process statements. That type of descriptive, “how” language in your documentation is what the external assessor will be looking for as policy and process implementation evidence. The implementation evidence (that is, thorough documentation) is necessary to ensure that process statements address how your organization has executed specific control requirements. Then let’s talk about how to really dive into HITRUST certification prep!
Kevin Haralson, MBA, is a Senior Compliance Analyst with Apgar & Associates. He is a Common Core Security Framework Practitioner (CCSFP) and holds a CHPC designation (Certified in Healthcare Privacy Compliance). Kevin primarily works with clients in HITRUST readiness prep, Security Risk Analysis, and conducting HIPAA Privacy and Breach compliance assessments. Contact him at 503-384-2538 to discuss your company’s privacy and infosec needs.