Feb 27, 2024

HITRUST Certification: Top Strategies for Effective Evidence Collection


The HITRUST Common Security Framework (CSF) addresses the many security, privacy, and regulatory challenges facing healthcare organizations today. With a comprehensive framework of security requirements, the HITRUST CSF incorporates a risk-based approach to federal and state regulations and common standards and frameworks to help organizations address these challenges.

Organizations often seek certification in the HITRUST CSF as it differentiates an organization in the healthcare marketplace. This framework can be helpful for smaller organizations and startups looking to give potential customers confidence in the security of their products and services to set themselves apart from their competitors. Further, being HITRUST certified is beneficial as it has a “certify once, report many” model, which can help reduce the time required to respond to security questions and utilize a single assessment to provide assurance. 

As part of the rigorous HITRUST Validated Assessment process, the assessed entity collects evidence for each requirement to support policy, procedure, and implementation maturity levels. Evidence may include information obtained by taking screenshots, through documents, and electronic records. This task is critical and time-consuming, so Tevora has outlined these tips for successful evidence collection.

Tevora’s Tips for Successful Evidence Collection:

Stay Organized

Before the start of each assessment, Tevora provides a tailored evidence request list for the requirement statements identified by HITRUST to be included based on scoping factors unique to each assessment. This evidence request list will include each control’s HITRUST implementation testing guidance. As a first step to collecting evidence, Tevora recommends assigning evidence owners for each requirement statement and keeping the status of each piece of evidence as it is collected and uploaded to our secure portal. Internally, Tevora recommends creating a folder for each of the 19 HITRUST CSF domains to organize evidence according to their domain and label each piece of evidence according to the requirement statement’s control number.

In addition to utilizing the evidence request list to stay organized, Tevora recommends setting internal deadlines to provide evidence if multiple evidence owners are identified. Setting internal deadlines is advised to ensure evidence is provided promptly, as HITRUST Validated Assessments have a strict 90-day assessment period. 

Adopting a clear and concise naming convention is also essential for staying organized. It can be challenging  difficult to keep track of evidence since HITRUST Validated Assessments have a minimum of 250 requirement statements and can grow to over 900 requirement statements quickly, depending on scoping factors and regulatory requirements.

Follow HITRUST’s Evidence Collection Guidelines

It is essential to know of HITRUST’s incubation periods for remediated controls – 60 days for policies and procedures and 90 days for implementation. If a requirement statement does not meet the implementation incubation period, the assessor must test the requirement statement based on the control state prior to remediation. As policies and procedures have a 60-day incubation period, there is the opportunity to remediate policies and procedures during the assessment. Still, remediation must be completed within the first two (2) weeks of fieldwork.

Further, consider the systems that are in scope for your validated assessment.  If multiple systems are in scope, you must provide evidence for each of these systems. 

A common pitfall to avoid is collecting evidence for only one system when there are multiple systems specifically listed in-scope as evidence must be provided for all systems. If all evidence is not collected, QA issues will be introduced. 

Taking quality screenshots is extremely important as HITRUST requires collecting point-in-time evidence during the 90-day assessment period. Tevora recommends taking screenshots that capture the entire window, and the date and time. In addition to date and time, for requirement statements that require sampling, ensure the unique identifier for every sample selected is also visible in each screenshot.

Other types of evidence, including third-party reports, may not be older than one year old or the defined review cycle. For example, SOC 2 Type 2 reports may be utilized if the reporting period is less than one year old. Further examples include user access rights reviews that are analyzed on a 60-day basis for privileged accounts and all other accounts every 90 days.

Recognizing HITRUST’s sample-based testing requirements is critical as there are different criteria based on each sampling criterion:

  • For manual controls operating at a defined frequency, these are identified in the implemented illustrative procedures and can include daily (25 days), weekly (5 weeks), monthly (2 months), quarterly (2 halves), semi-annual (2 halves), or annual (most recent occurrence). 
  • For manual controls operating at an undefined frequency, population periods are at 90 days with a maximum of one year before the testing date.. Additionally, sample sizes are dependent on population size. For populations that include less than 50, the sample size is a minimum of 3 selections. For any  population between 50 and 249, 10% will be selected as samples. For any population greater than 250, 25 samples will be selected as samples. HITRUST provides a detailed sampling methodology that must be utilized and can be found in the HITRUST Scoring Rubric document.  
  • For automated controls, the assessor is required to test the configuration of the system/tool and a sample of one showing that the system/tool is operating as expected.

Ask Questions

When an organization first begins their certification in the HITRUST CSF, some of the HITRUST requirement statements may seem complex and can often be misinterpreted. For these reasons, Tevora recommends asking your assessor questions regarding the requirements statements or evidence requests. Tevora understands that every environment is unique, and testing may be different. Additionally, if there is an instance where a requirement statement may not be applicable to your environment, reach out to your assessor to receive further guidance or clarifications about the requirement statement. If there is a requirement statement where there has not been instance or event in the past year, we also recommend reaching out to your assessor as HITRUST requires your assessor to provide evidence that demonstrates how we confirmed there has not been an event or instance in the past year.

Your Trusted Partner

The Tevora Healthcare team is here to support your organization achieve HITRUST certification. As an approved external assessor, we are the liaison between HITRUST and your organization while performing all necessary strides through your HITRUST CSF journey.