Do You Need a HITRUST External Assessor?

July 27, 2022 Ryan Meehan

Choosing your doctor is a big decision, right?

You want someone licensed, with a medical degree, that can interpret your reported symptoms and treat you accordingly to your desired result—to feel better. It’s a personal relationship, so you likely research their practice, make sure they can accommodate your conditions, and check reviews on their bedside manner.

Your doctor’s job is so important to your health, vetting them like this and feeling comfortable is important. The same is true for your HITRUST external assessor.

While they can’t treat your symptoms, they will similarly review your internal scoring and be responsible for submitting those results to HITRUST for further evaluation. Your external assessor plays a pivotal role in your potential certification, and that’s why it’s so important to choose the right one for you.

That’s why we wrote this article—to help you with that. We’re HITRUST assessors ourselves, but we want you to choose the third party who will best serve you, no matter who it is. Just like with your doctor, you need to be as comfortable as possible with whoever you choose.

So read on, because we’re not only going to clearly define what a HITRUST external assessor is and does, but we’re also going to outline four questions you should ask of all your prospects ahead of making your choice. 

That way, you’ll have all the information and be further empowered to make the wisest possible decision on the right assessor for you. 

What is a HITRUST External Assessor?

If you’re on the path to HITRUST certification (i1 or r2) for one or more of your organization’s systems, the general process goes like this:

  • First, you score yourself across a set of control requirements.
  • After that, you bring in an external and independent, assessor—often a public accounting firm—who validates those scores using a combination of inquiry, observation, and inspection of evidence.
  • Your external assessor will then submit the agreed-upon scores to HITRUST, which performs quality assurance (QA) before issuing you a certificate.
  • If any questions arise during that process, HITRUST will work with your external assessor to resolve them. 

When choosing your third party, you’ll have options—the HITRUST website currently lists 94 approved external assessor organizations. To get on that list, each firm had to undergo a vetting process with HITRUST and demonstrate its ability to perform HITRUST CSF Assessments. 

That screening process includes reviewing the organization’s policies and procedures as well as the background of the individuals performing the assessments. All external assessors are required to employ at least 5 Certified CSF Practitioners (CCSFPs) and 2 Certified HITRUST Quality Professionals (CHQPs) at all times. 

How to Choose Your HITRUST External Assessor Firm: 4 Questions to Ask

But of those 94 options, how do you choose the best one for you? 

To start, that listing makes it easy to trim your prospects to consider by using the filters on the site: 

 Filtering through all this should bring the list down to somewhere between 30-40 external assessor possibilities. So how to drill down further? 

Obviously, you’ll need to make budget considerations as well—price is a dominating factor across all compliance initiatives and we wrote an article specifically on the numbers regarding HITRUST certifications. 

But once you do narrow down your options to those within your budget, what else should you evaluate to determine which of those external assessors left is the right choice for your organization? 

Here are four more considerations to make—or questions to ask in your conversations—when choosing your HITRUST external assessor. 

1. How Many HITRUST Certifications Have They Completed in the Past Year?

HITRUST utilizes a framework that is updated on an ongoing basis to reflect changes in the cybersecurity landscape—“ongoing” being the keyword. HITRUST has made changes in recent years including alterations to:

  • The way controls are scored;
  • The definition of policies and procedures; and
  • The workflow within their tool. 

Using an external assessor who performs many assessments each year will help ensure that you work with someone who remains aware of all changes that could affect your ability to get HITRUST certified. You don’t want your results to be sent to HITRUST for their QA review only to find out that your external assessor gave you bad information about scoring or acceptable evidence. 

Of those listed on HITRUST’s site, a large number of external assessors only perform a handful of HITRUST assessments each year—some of those names might surprise you, which is why this question could be important in your search. 

2. What is Their Approach to HITRUST Certification? (Or, What is Their Process?)

A good external assessor will be involved in your HITRUST validated assessment from early on. 

They should work with you to ensure that your scope and factors are appropriate before generating your list of requirements. If they’re not involved in those aspects, you run the risk of scoring yourself against the requirements that you think are correct only for your assessor to come in and require scoping factor changes. 

If your external assessor does not want to get involved early, that could be a warning sign of necessary additional work and/or possible wasted time for you during your early scorings. 

3. What is Their Success Rate on Validated Assessment Submissions to HITRUST?

Part of the HITRUST process involves submitting your validated assessment to HITRUST. They then review your scoring and the evidence provided that was validated by your external assessor. 

Before you get started with a third party, ask about their success rate. Their answer can be a vital clue as to your fate—if they have a high rate of return, they likely do things the right way to serve their clients. 

Whereas if they don’t want to disclose that information—or if their rate is low—they may be guilty of not properly testing and/or scoring the requirements correctly, resulting in failed certification for those organizations. 

4. Do They Have Full-Time Staff to Perform Their HITRUST Audits or Are They Outsourcing Offshore or to Consultants?

It’s not uncommon for external assessors to outsource their HITRUST work to an outside consultant. 

However, sometimes these consultants do a great job, and other times they do not. One way to avoid that uncertainty is to choose an external assessor that uses their own full-time employees, rather than farming the work out at all. 

When you contract with someone who uses their people, you can ensure that the work product being delivered is consistent and follows a methodology that aligns with the rest of the work that firm does. 

Moving Forward with Your HITRUST Certification

Before entrusting your doctor with helping maintain your health, you always want to make sure you’ve picked the right person. Though the circumstances are enormously different, you should also take the same care when choosing your HITRUST external assessor.

Now, you’re prepared to ask the questions that will help you feel the most comfortable with your third party going into the process—you understand why it’s important to ask them and how the external assessor should fit into your overall HITRUST process. 

To prepare yourself even further going in, make sure you read our other HITRUST content that will deconstruct other important aspects of this certification:

 We’re also happy to set up a more personal conversation between you and our HITRUST team if you’d prefer a discussion about organizational particulars. Please feel free to reach out to us so we can help address any lingering concerns you may have.

About the Author

Ryan Meehan

Ryan is a Senior Manager at Schellman & Company, LLC. He has worked in public accounting since 2007 specializing in compliance auditing, including SOC examinations, ISO certifications, and healthcare audits such as HIPAA and HITRUST. Ryan has serviced clients in a multitude of industries including business process outsourcing, financial services, information technology, and healthcare. Ryan holds certifications including the CISSP, CISA, ISO 27001 Lead Auditor, CIPP/US, CCSFP, and the Advanced SOC certification.

More Content by Ryan Meehan
Previous Video
HITRUST: i1 or r2 Certification?
HITRUST: i1 or r2 Certification?

Next Article
HIPAA Violations and How to Avoid Them
HIPAA Violations and How to Avoid Them

Concerned about the hefty fines for violating HIPAA? We define what a violation is, common examples, who ca...