Choosing your doctor is a big decision, right? You want someone licensed, with a medical degree, that can interpret your reported symptoms and treat you accordingly to your desired result—to feel better. It’s a personal relationship, so you likely research their practice, make sure they can accommodate your conditions, and check reviews on their bedside manner. Your doctor’s job is so important to your health, vetting them like this and feeling comfortable is important. The same is true for your HITRUST external assessor.

Think about those a la carte sushi restaurants—the very cool ones with the circulating conveyor belts that let you select different dishes as they suit your fancy. Maybe your go-to is always California rolls, but you spot some delicious-looking Rainbow Rolls so you grab those one time. Or maybe you’re craving a Spicy Tuna roll, so you add that to your plate. Even if sushi is not quite your taste, you’d probably agree that SOC 2 audits are even less appetizing. Aside from the actual, in-depth audit process, they also require you to make a lot of decisions first, and it’s just added stress. That’s why you want to ensure that you take the audit path most helpful to you, and that includes the right criteria. SOC 2 functions a lot like that sushi conveyor belt—you have a lot of potential options. And we don’t just mean the SOC 2 Trust Services Categories (TSCs) that you have to select from to form the basis of your examination. We mean adding what is technically known as additional “subject matter.” For simplicity’s sake, we’ll just refer to it as “additional criteria.”

While the latest version of any product is often seen as the greatest, there is more nuance involved when trying to determine which version of the HITRUST CSF® framework to utilize for certification. Currently, users can choose from versions 9.1, 9.2, 9.3, and 9.4. With the impending release of HITRUST CSF v10p (preview) in mid-May 2021, and a full release of v10 scheduled for later in the year, it adds more questions about whether to make the jump to 10 right away, if you have to make the jump to 10, and when will you be required to make the jump to version 10; all of which we’ll tackle.

“Do I really need to retain all my HIPAA audit logs for 6 years?”

The short answer is...yes. Now for the long answer - a SOC 2 report requires that a service organization has sufficient control activities in place to address the Trust Services Principles and Criteria (TSPC) developed by the AICPA. However, there are no stipulations by the AICPA as to what those control activities have to be. As long as the criteria are satisfactorily addressed to align with the risks that a service organization has identified, a service organization has some flexibility with the controls they implement.

Determining the scope of an assessment against the HITRUST Common Security Framework (CSF) is one of the first and most important tasks of the entire HITRUST assessment process. The assessment scope is a major factor in the level of effort required to complete an assessment, and is important to relying entities in determining if the services they use are assessed against the HITRUST CSF. However, for organizations with large or complex IT environments, the task of determining the scope of their HITRUST assessment(s) may seem daunting.