The HITRUST Common Security Framework (CSF) was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

The HITRUST CSF:

  • Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT and State laws
  • Scales controls according to type, size and complexity of an organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the healthcare industry and regulatory environment on an annual basis
  • Provides an industry-wide approach for managing Business Associate compliance

Individuals can access the CSF with a subscription to MyCSF, a secure, Web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance. A subscription to MyCSF is available for an annual fee. To learn more about a subscription to MyCSF, click here.

* A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state, or local agency or department may qualify. HITRUST has the right to verify eligibility.