Self Assessment and CSF Assessment for Small Organizations

Self Assessment

A self assessment allows both healthcare organizations and their business associates to benefit from a low-cost and industry-accepted approach to assessing the state of their information protection practices and communicating the results in simple terms internally and to third parties. Healthcare organizations with annual revenue greater than $25 million may choose to conduct a self assessment by utilizing the CSF Assessment Tool, which includes the CSF Compliance Worksheet and Common Health Information Protection (CHIP) Questionnaire. By employing an innovative, new approach over traditional check box assessments, the CHIP Questionnaire focuses on the key measures that will reflect the maturity of a security program and highlights control weaknesses that are most likely to result in a breach.

Upon submission of the completed CHIP questionnaire to HITRUST, organizations will receive a CSF Validated report with the assessment results that can be used to help them comply with the HITRUST CSF, address meaningful use, and report the state of their security to multiple internal and external parties (e.g., state and federal agencies, HIOs, customers, healthcare organizations, business associates).

CSF Assessment for Small Organizations

HITRUST's analysis has shown that small organizations often provide inaccurate or incomplete information when using self-assessment questionnaires to communicate the status of their security controls to third parties. The reality is that a large portion of this segment lacks the resources and knowledge to respond accurately and thoroughly to complex questionnaires.

The CSF Assessment for Small Organizations is targeted at healthcare organizations with annual revenue less than $25 million. The security assessment service equips these organizations with user-friendly tools needed to perform accurate and meaningful assessments of their information security environment. The tools used to collect the data analyzed for the assessment report include the HITRUST small business questionnaire and automated internal and external scans conducted with technology powered by nCircle.

The questionnaire and scan results are analyzed by HITRUST and incorporated into a HITRUST CSF Validated report, which can aid an organization in complying with the HITRUST CSF, addressing meaningful use, and meeting regulatory requirements such as HIPAA. In addition to the assessment report, an organization will be provided with the detailed vulnerability scanning information collected during the assessment so that it has the complete details on any gaps in its information protection environment and can address or seek assistance as appropriate.

All organizations have access to the HITRUST CSF Products and Services Guide, an online tool that simplifies the process for identifying products or services both within and independent of the CSF to aid them in their remediation and overall compliance efforts.

Pricing options

HITRUST offers two pricing options for organizations wanting to complete a self assessment or CSF Assessment for Small Organizations and communicate the assessment results to third parties. Pricing is the same regardless of the size of the organization and the assessment approach used. Organizations wishing to undergo a remote or onsite assessment must engage with a HITRUST CSF Assessor.

Self assessment report distribution options | Pricing
Conduct an assessment and receive a CSF Validated report for unlimited distribution when purchased with a Professional subscription to HITRUST Central. | $500.00 [1]
Conduct an assessment and receive a CSF Validated report for unlimited distribution. | $2,500.00

[1] Total bundled price for Professional subscription to HITRUST Central and unlimited distribution of a CSF Validated report is $6,000. Bundled option available only to qualified organizations [2].

[2] A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide technology or security products or services. HITRUST has the right to verify eligibility.



Contact sales@HITRUSTalliance.net for more information.

Read the data sheet to learn more about the benefits of conducting a self assessment and becoming CSF Validated.
Learn about the benefits of conducting a CSF Assessment for Small Organizations.

HITRUST Central

A Professional subscription provides access to the online, interactive CSF, the CSF Assurance Kit, and many other resources developed specifically for healthcare information security professionals.

CSF Assurance Program

Learn how the program simplifies compliance assessment and reporting through a common set of information security requirements.
