On an r2 assessment, when considering the CAP vs. gap decision, will CAPs be required if a Control Reference has an aggregate raw score of 72.5 across Requirement Statements with gaps?
HITRUST applies the CAP requirement at the Control Reference level. A CAP is required when the Control Reference score is 70 or below and Implementation maturity is not at 100%. In this case, the aggregate score is 72.5, which is above the certification threshold of 71. Even though there are gaps within individual Requirement Statements, the Control Reference as a whole is performing above the threshold, meaning a CAP is not mandatory. The gaps must still be documented, and remediation may be encouraged, but they will not block certification. This policy ensures that CAPs are only required where deficiencies present material risk to certification.
[References: HITRUST Scoring Rubric – “CAP Trigger Conditions”; CCSFP Practitioner Guide – “Gap vs. CAP Decisions.”]