In HITRUST scoring, deficiencies are identified when maturity levels fall below required thresholds for certification. In this case, the Policy, Procedure, and Implementation levels are not fully compliant, with scores of 50%, 50%, and 75% respectively. For certification-critical controls, HITRUST requires 100% Implementation, supported by adequate Policy and Procedure. Since the Implementation score is not at 100% and supporting maturity levels are below full compliance, this results in aRequired Corrective Action Plan (CAP). The CAP ensures the organization addresses deficiencies through remediation. Unlike optional CAPs, which may apply to non-critical requirements, required CAPs must be documented and remediated to achieve certification. Thus, the correct classification of this scoring outcome is aRequired CAP.
[References:HITRUST Scoring Rubric – “Deficiency Types and CAP Triggers”; CCSFP Study Guide – “Scoring Outcomes and CAP Requirements.”, ]
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit