Validated assessments undergo QA by HITRUST after submission by the assessor. The outcome can be either:
A Validated Report – issued if the assessment is complete but certification thresholds (e.g., domain scores ≥71 for r2) are not met. This report still provides assurance to relying parties by confirming independent validation, even without certification.
A Validated Report with Certification – issued when all certification criteria are met, including minimum domain scores and interim assessment requirements for multi-year validity.
This distinction allows HITRUST to provide value even to organizations that fall short of certification, by documenting their current control maturity and gaps. Organizations can use the validated report as a roadmap to remediate deficiencies and pursue certification in the future.
[References: HITRUST Assurance Program Overview – “Validated Reports and Certification”; CCSFP Study Guide – “Assessment Outcomes.”, , ]
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit