No. If a Cloud Service Provider (CSP) is HITRUST CSF Certified, it does not mean your environment hosted by that CSP is also certified for the following reasons:
- There could be control gaps, so it is still incumbent that you perform thorough due diligence to evaluate how the CSP’s HITRUST CSF Certification addresses the security and privacy requirements associated with your own organization’s risk profile and/or regulatory and customer compliance needs.
- While there are a subset of controls that only the CSP is responsible for (for example, environmental security within a production datacenter), there are controls that remain only your responsibility as the accountable party governing the data entrusted and how your users appropriately access and operate that cloud-hosted environment; further, there remain a significant portion of controls that are shared, and therefore you remain partially responsible for full coverage of control effectiveness.
For more information, you can download the HITRUST Shared Responsibility Matrix included in the HITRUST CSF download package and refer to the detailed set of common use-case scenarios defined in the HITRUST Shared Responsibility Model. For guidance on how to communicate the value of offering your cloud services hosted on a HITRUST CSF Certified environment, please contact HITRUST Support at firstname.lastname@example.org.