HITRUST does not mandate that all required CAPs be remediated within a strict six-month deadline. Instead, CAPs must include a realistic remediation plan with target dates, owners, and milestones. Some CAPs may be resolved quickly, while others (such as large-scale encryption rollouts) may take longer. HITRUST requires that CAPs are tracked and updated until completion, and progress is reviewed at interim assessments. While assessors may encourage timely remediation (often aiming for six months where feasible), HITRUST does not impose a universal time limit. What matters is that CAPs are properly documented, tracked, and eventually closed. Therefore, the statement that all required CAPs must be remediated within six months is False.
[References: HITRUST Assurance Program – “CAP Documentation and Remediation Expectations”; CCSFP Practitioner Guide – “CAP Management Between Assessments.”]