Navigating Your HITRUST Assessment Scope
What is a HITRUST assessment scope and why is it so important? Scoping is the process of outlining the systems and datasets you plan to include in your HITRUST assessment. It is a necessary step in the HITRUST process and should be your first level of engagement with HITRUST. Scoping is considered to be not only the most difficult part of the HITRUST process, but the most important as well. Proper scoping sets your HITRUST engagement on the right track. One important thing to understand when addressing scope is that HITRUST does not certify people or organizations. HITRUST certifies implemented systems and provides assurance that those systems are secure. This is an important distinction to note because during the scoping process we define which parts of the organization we want to secure, and oftentimes those systems are associated with a third party requiring HITRUST certification.
A common question we get asked is, “should we include HIPAA in our HITRUST assessment?” The convoluted answer would be: “The HIPAA compliance package is not necessary for every assessment. HITRUST doesn’t care about PHI and does not require it to be certified, but a partnering organization whose information you are housing in your systems will care and want assurances that you are protecting their information.” If that were the case, you would include HIPAA security and privacy for that system within your HITRUST scope, but it is not required for every assessment.
So how can you ensure you are performing a proper HITRUST engagement scope? Good questions to ask at the beginning of the scoping process are: Why am I looking to adopt the HITRUST CSF and get HITRUST certified? Do I have a mandate or contractual requirements from partnering organizations to have HITRUST assurance? What systems or datasets do I care about? What systems or datasets do my customers/partners care about? What are our key business drivers, and how will HITRUST help enhance our ability to do business? The scoping process should begin with these types of questions, and if they are answered accurately, they should get you started on the right path for your HITRUST assessment.
With the introduction of bC, i1 and r2 assessment types, scoping has become even more important because HITRUST has acknowledged that a full r2 assessment is not necessary for many organizations and determining your level of certification before starting the assessment can save you time and money.
What makes Intraprise Health’s scoping process uniquely effective? We don’t like surprises, so we emphasize a thorough scoping process. During this important phase, we take the time to map out our client’s environment and understand their systems, services, applications, and the business functions these collectively serve. This is done in collaboration with the client, through interviews, documentation review and conversation, and we rely heavily on their input. As we examine the client’s specific use case and glean these crucial insights, we help them determine what elements should or shouldn’t be included in the final scope, based on their legal and contractual obligations, motivations and business drivers. Finally, all pertinent scoping information is plotted into the portal, including facilities, systems, certain organizational factors, and state/federal legal requirements, which informs and generates the client’s unique assessment… and that’s when the fun begins. Our customers know where they stand at all times throughout the certification lifecycle. They will know their HITRUST score at the start, halfway through, and when their application is submitted. For more information on scoping and HITRUST certification, visit our HITRUST page, or contact us to speak with a HITRUST professional.