COVID business shifts change but don’t stop robust HITRUST evaluations

When the COVID-19 pandemic took hold in March 2020, many organizations by necessity moved to a work-from-home arrangement for most employees. However, this workplace shift did not change the need for organizations to go through the HITRUST evaluation process.

Speaking at a recent webinar sponsored by Baker Tilly, Ryan Misek, security compliance manager with WEX Health, Inc., noted that the shift to virtual HITRUST walkthrough meetings, while not seamless, was made easier because WEX already had “a pervasive deployment of tools and the ability to collaborate remotely.” The shift to remote work also created more flexibility related to scheduling HITRUST walkthrough meetings – instead of flying everyone to one location for a few days of intense in-person work, scheduling became more flexible.

His biggest concern related to virtual meetings was that some of the important human aspects of in-person meetings would be lost. “There's a team building type of opportunity with face-to-face meetings that is lost when we meet virtually. You miss nonverbal cues, reading the room, seeing if everybody understands the process or we if we need to go into more detail on different topics.”

Michael Effner, chief information security officer with Data Dimensions, noted that the transition to virtual was tough because the culture of his company was “so in-person and relationship-based.” He noted the company had “technology challenges, so when we dispersed our workforce, not everybody had sufficient bandwidth to deal with video conferencing.” Because of the challenges “it took a significantly larger amount of planning and structure as we started rolling into preparation for the HITRUST assessment.”

He added, “Our artifacts were broadly dispersed, and getting them pulled in to where we could get a common library to store and research was difficult. When we went to the physical validation components of our facilities, our FaceTime virtual tours were a unique challenge as we tried to demonstrate some of our physical controls.” Having worked through these challenges successfully, Effner said he doesn’t envision a time when Data Dimensions will ever fall back into a 100% in-person type of assessment. “Our ability to reduce travel costs and to reduce on-site impact to our staff, has been a real value to the company.”

HITRUST on-site requirements

Michael Parisi, HITRUST’s vice president of adoption, noted that the relaxed requirements and expectations related to HITRUST validated assessments put in place during the pandemic will continue to stay in place until further notice. He said one positive aspect of COVID-19 is that it forced HITRUST to think outside of the box when it came to validated assessments. “There is not going to be a requirement for on-site validation anytime soon,” he said. That being said, if certain entities and assessors want to move back to an on-site validation, which can be more efficient in terms of getting evidence and building relationships, HITRUST will support that.