The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.


  • Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and State laws
  • Scales controls according to type, size and complexity of an organization
  • Provides prescriptive requirements to ensure clarity
  • Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds
  • Allows for the adoption of alternate controls when necessary
  • Evolves according to user input and changing conditions in the industry and regulatory environment on an annual basis
  • Provides an industry-wide approach for managing Business Associate compliance

Qualified organizations can download the FREE version of HITRUST CSF v9.2

HITRUST also offers a risk assessment tool called MyCSF, to help in the implementation of the framework.  MyCSF is a secure, Web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance.

*A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state, or local agency or department may qualify. HITRUST has the right to verify eligibility.