CRI started the company’s HITRUST assessment in late November, with just three months until the insurance company’s stated deadline to achieve certification. HITRUST assessments typically last six to 12 months, but in this case, CRI was able to fast-track the process and submit the company’s assessment within the agreed-upon time and budget.
To achieve this accelerated timeline, CRI and the company established clear milestones, held weekly status, and made interim calls when issues arose.
The firm also was able to streamline the amount of internal time required of the healthcare company. Due to the firm’s extensive experience performing not only HITRUST assessments but also HIPAA assessments, SOC reporting, and other IT assurance services, CRI was able to help the company avoid road hazards that can trip up other healthcare companies.
For example, the CRI team coached the company’s team members on the idiosyncrasies of the MyCSF tool that they must use to submit documentation and test evidence for HITRUST certification. Submitting incorrect or incomplete documentation can cause HITRUST to “kick back” the assessment, which can seriously delay the process.
The most important outcome is that the company now has a certification that demonstrates to stakeholders that its IT controls effectively mitigate the risks associated with the company’s services and the sensitive data that it collects, uses, and processes.