The latest version of the CSF framework is available on our website for qualified organizations. A qualified organization is defined as any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state or local agency or department may be considered a qualified organization. HITRUST has the right to verify eligibility.

References: CSF Framework Download (Requires agreeing to the HITRUST CSF License Agreement)

If you are not sure whether your organization is qualified, please contact or call 855-HITRUST.


Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Post Comment