The HITRUST CSF Assurance Program is specifically designed to streamline the third-party risk management process. It uses a single comprehensive framework that harmonizes multiple standards and leading practices, so that a single assessment may be reported out in multiple ways, e.g., to support PCI SAQ development, the issuance of SOC 2 reports against specific AICPA Trust Services Principles, or scorecards of HIPAA or NIST Cybersecurity Framework compliance. Organizations using the CSF Assurance Program for third-party risk management experience significant reductions in the cost and level of effort required to evaluate third-party reports or to issue their own reports to their own stakeholders, including business partners and regulators. This is the fundamental reason why several large healthcare entities have moved from simply accepting HITRUST Validated and Certified Reports to requiring them.
For more information on the organizations now requiring HITRUST CSF assessment reports, refer to the joint news release. For more information on managing third-party compliance, refer to the HITRUST Third Party Assurance Program FAQ and the HITRUST CSF Assurance Program FAQ.