When performing r2 assessments, any added compliance factors should be considered before marking a requirement statement "N/A".
Marking a requirement statement "Not Applicable (N/A)" requires careful justification. In r2 assessments, compliance factors such as HIPAA, PCI-DSS, GDPR, or state-specific laws may trigger requirements that would not otherwise apply. Therefore, an assessor must verify that all compliance factors have been considered before permitting an N/A designation. For example, a requirement related to cardholder data might seem irrelevant unless PCI-DSS was selected as a compliance factor; in that case, it becomes mandatory. HITRUST QA scrutinizes N/A markings to ensure they are not misused to exclude applicable requirements. Incorrect use of N/A may result in CAPs or QA rejection. Thus, compliance factors must always be reviewed first to confirm whether the requirement is truly outside scope.