BLOG

HITRUST COVID-19 Bridge Certifications Explained

Blog Post by Angela Fitzpatrick, ITRM Manager at Meditology Services

The HITRUST Alliance recognizes that COVID-19 is creating extraordinary circumstances and that HITRUST CSF Certification holders may be unable to meet the deadline for renewing their certifications by the two-year anniversary date.

The HITRUST Bridge Assessment and Certification [1] is designed to provide relief by giving organizations an additional 90 days to submit their validated assessment. A Bridge Assessment allows organizations to demonstrate continued control effectiveness and at the same make progress towards their Validated Assessment during these unprecedented circumstances.

Starting April 15, 2020, any organization planning to renew their HITRUST Certification at the two-year anniversary mark can elect to complete a Bridge Assessment. This 90-day Bridge Certification will require an additional reduced-scope assessment from a certified Assessor firm like Meditology Services and will prevent the traditional HITRUST Certification from lapsing.

HITRUST Bridge Certification in a Nutshell
  • Who: Any organization with a current HITRUST CSF Certification that will expire within the next 60 days or who missed submitting a Validated Assessment at the two-year anniversary mark by less than 30 days. In addition, your organization must be significantly impacted by COVID-19.
  • What: HITRUST Bridge Certification provides an additional 90 days to submit a Validated Assessment to maintain certification.
  • When: Starting April 15, 2020. Subject to cancellation by HITRUST at any time, but most likely to run through the end of 2020. HITRUST can create the Bridge Assessment Object 60 days prior to the two-year anniversary and up to 30 days after the anniversary date.
  • Where: MyCSF web-based tool.
  • How: Reach out to Meditology Services for more information including steps for obtaining an assessor review of the HITRUST approved Bridge Assessment.
Frequently Asked Questions (FAQ)

Q: What are the HITRUST Alliance qualifications for obtaining a Bridge Certification?
A: In order to qualify for a Bridge Certification, the following must be true:

  • Your organization must have an active Validated Report with Certification. In other words, you must be currently certified.
  • You must be working toward submitting a Validated Assessment with Certification and nearing your anniversary date. (Bridge Assessments cannot be started until 60 days before the certification anniversary date).
  • Your organization is likely to miss submitting a Validated Assessment by the certification anniversary date due to the COVID-19 pandemic.
  • You cannot have missed the certification anniversary date by more than 30 days.

Q: Am I required to obtain a Bridge Certification?
A: No. A Bridge Certification is only for organizations who have a business need to maintain continuous HITRUST Certification and are approaching their two-year anniversary date. If COVID-19 is causing extenuating circumstances, and there is a strong possibility of missing the anniversary date, then you should complete a Bridge Assessment to keep the certification from lapsing. If a lapse in HITRUST certification is an acceptable business risk, then the Bridge Assessment is not explicitly required.

Q: How long will HITRUST offer Bridge Certifications?
A: HITRUST will offer Bridge Certifications starting April 15 and most likely through the end of 2020. HITRUST has not set a formal expiration date at the time of this post.

Q: How much does a Bridge Certification cost?
A: There is a cost of $1,000 for the HITRUST Alliance to create the Bridge Assessment object. Note that HITRUST currently plans to increase their cost to $3,000 after September 2020.  Additional budget will also be required for your third party assessor firm to complete the Bridge Assessment. Contact Meditology Services to learn more about the assessment scope and cost.

Q: How long will the Bridge Certification be valid?
A: A Bridge Certification is valid for 90 days. These 90 days will be included in the first year of the certification. For example, the Bridge Certification is issued for September 2020 to December 2020 and the Validated Assessment with Certification will subsequently be issued for September 2020 to August 2021.

Q: Our previous Validated Assessment was based on MyCSF version 9.1. Will we have to upgrade MyCSF to the current version in order to complete a Bridge Assessment?
A: No, the Bridge Assessment will be based on the version of MyCSF used in the original assessment.

Q: We have allowed our MyCSF license expire. What should we do?
A: Contact your HITRUST Customer Success Manager for direction.

Q: When I complete the Validated Assessment, will I need to retest the 19 controls in the Bridge Assessment?
A: No, any controls tested for the Bridge Assessment will not need to be retested for the Validated Assessment.

Conducting a Bridge Assessment

Once the HITRUST Alliance has approved your eligibility for a Bridge Assessment and you have paid their Bridge Assessment fee, engage a certified HITRUST Assessor organization like Meditology Services to initiate the assessment process.

The Bridge Assessment Object will be made available within MyCSF. HITRUST will randomly select 19 controls (typically 1 from each domain) that will need to be tested by an Assessor firm and submitted to HITRUST. This random selection process is similar to an Interim Assessment; however, Corrective Action Plans (CAPS) will not be included.

The Bridge Assessment process is similar to the Interim Assessment process where the Assessor tests the 19 control statements to confirm that their maturity remains at the same level as the previous assessment. The good news is that when you complete your Validated Assessment, these 19 controls will not need to be retested for the renewal of your full certification.

The Bridge Assessment Object can be submitted to HITRUST no more 30 days before and no more than 30 days after the expiration of your current certificate. HITRUST will then fast track the Bridge Assessment, and unless there are significant issues uncovered during QA, will issue the Bridge Certification within two to three weeks. Note that HITRUST will give QA priority to Bridge Assessments submitted by HIEs, HINs, and healthcare providers.

The Bridge Certification will be issued in the form of a letter within MyCSF, similar to Interim Assessments.

Conclusion

The HITRUST Bridge Assessment Certification provides some much-needed relief for organizations struggling to maintain HITRUST certification renewal timelines impacted by COVID-19. Contact Meditology Services to learn more about the process and get started with your Bridge Assessment today.

 


[1] https://hitrustalliance.net/csf-assurance-bulletin/#collapse41520

Most Recent Posts
The FDA’s New Medical Device Development Tools (MDDT) Program Read More
NIST SP 800-53 Rev 5: Sizing Up the New Security Standard in Town Read More
The Pandemic of Poor Passwords Read More