On September 10, 2026, HITRUST will introduce Report Center, a secure online platform for sharing HITRUST assessment status and reports.
For assessments with draft reports issued after 9/10/2026, assessed entities must use Report Center to share HITRUST assessment reports with report recipients. Assessments with draft reports issued on or before 9/10/2026 may continue using the existing report-sharing process, although Report Center dashboards will be available for optional use.
HITRUST is introducing Report Center to make assessment report sharing more secure, consistent, and easier to manage for assessed entities and report recipients. Today, report sharing often relies on manual email-based processes that can create administrative burden, inconsistent recipient experiences, and limited visibility into who has received assessment information.
Report Center is intended to provide a centralized location for securely sharing assessment status and authorized reports. This helps assessed entities manage report access directly in MyCSF, supports report-level authorization, and gives recipients a consistent way to request, view, and download the reports they are approved to access.
HITRUST is introducing a new report sharing process through Report Center. Instead of sending assessment reports manually, assessed entities will manage report access through MyCSF.
This change does not alter assessment requirements, scoring, testing, validation, certification criteria, or QA procedures. It changes how assessment status and authorized reports are shared after the assessment reporting process is complete.
Report Center will allow assessed entities to manage access directly in MyCSF through the new Report Center Access Administration page. From this page, authorized users can:
Invite report recipients to access a specific assessment dashboard.
Approve or deny recipient access requests.
Select which reports a recipient may access.
Modify a recipient’s authorized reports.
Revoke access when it is no longer needed.
Each HITRUST assessment will have a Report Center dashboard. The dashboard is intended to give report recipients a central place to view assessment status and request access to available reports. Downloading any assessment report requires explicit authorization from the assessed entity.
Figure 1. Example Report Dashboard
Assessed Entities
Report Center gives assessed entities a more controlled and efficient way to share HITRUST assessment information with customers, business partners, and other report recipients. Assessed entities can manage report sharing directly in MyCSF, including inviting recipients, reviewing access requests, selecting which reports a recipient may download, modifying report access, and revoking access when needed.
Report Center also reduces the need to manually distribute reports by email. Instead of sending report files directly, assessed entities can direct recipients to the Report Center dashboard and manage access from a single location. This helps support more consistent sharing practices and provides better control over which recipients can access which reports.
Downloaded reports are recipient-specific and include information such as the recipient organization name, downloader email address, and download date. This supports more traceable report distribution and reinforces that downloaded reports are intended only for the internal business use of the authorized recipient organization.
Report Recipients
Report Center gives report recipients a central place to access HITRUST assessment information shared with them. Recipients can use the Report Center dashboard to view key assessment information and request access to available reports.
Once access is approved, recipients can download only the reports they are authorized to access. This provides a clearer and more consistent experience for recipients who rely on HITRUST assessment results for vendor risk management, customer assurance, procurement, compliance review, or other internal business purposes.
Report Center also gives recipients greater confidence that the reports they receive are authentic HITRUST-issued reports and have not been altered after issuance.
Report Center dashboards may be accessed through a link or QR code included in the HITRUST Completion Letter or otherwise provided by the assessed entity. A sample completion letter can be found here.
By default, Report Center dashboards are not public. If dashboard visibility remains private, a recipient who has the link or QR code must request access and receive assessed entity approval before the recipient can view the dashboard.
Assessed entities may choose to make a Report Center dashboard public. If the assessed entity opts in to public visibility for the dashboard, anyone with the link or QR code can view the dashboard without prior approval. Public dashboard visibility must be opted into and does not authorize report downloads.
Downloading a HITRUST assessment report requires separate authorization from the assessed entity. Dashboard access alone does not authorize a recipient to download any report.
Assessed entities will manage report access in MyCSF through the Report Center Access Administration page.
From this page, assessed entity MyCSF admin users will be able to:
Approve or deny recipient access requests.
Invite recipients to access a Report Center dashboard.
Select which reports a recipient may download.
Modify a recipient’s authorized reports.
Revoke a recipient’s access.
When sharing access through Report Center, assessed entities must authorize access to one or both primary report types: the full CSF Certification (or Validation) Report and the Certification (or Validation) Summary described below.
The Certification Report is the full HITRUST assessment report for an applicable e1, i1, or r2 assessment. It is intended for recipients who need detailed information about the assessment, including the assessment scope, results, and supporting report content. A sample report can be found here.
The Certification (or Validation) Summary is a shorter report designed for recipients who need confirmation of the assessment outcome but do not need the full detail included in the Certification or Validation Report. A sample report can be found here.
For assessments that include Insights Reports or additional certifications, assessed entities may authorize access to each Insights Report, Certification Report, and/or Certification Summary separately.
Figure 2. Report Center Access Administration page
Reports downloaded from Report Center will include recipient-specific information, including the recipient's organization name, downloader email address, and download date. This supports more controlled and traceable report sharing by identifying the organization and user associated with each downloaded copy.
Downloaded reports are intended for the internal business use of the authorized recipient’s organization. Recipients may not publish, distribute, or disclose reports outside the authorized recipient organization.
Assessed entities may revoke a recipient’s access in Report Center. Revocation prevents future access and future downloads through Report Center. It does not remove copies that were previously downloaded by an authorized recipient.
Figure 3. Example Certification Report Download
All assessment reports with draft reports issued on or before 9/10/2026 will follow the existing reporting process with no change. These assessments will have Report Center dashboards that can optionally be used to share assessment reports.
For all assessments with draft reports issued after 9/10/2026, the reporting process will occur as follows:
The assessed entity will review the draft versions of the Certification (or Validation) Report and Certification (or Validation) Summary within MyCSF.
Upon approval of the draft reports, the assessed entity will receive the Completion Letter in MyCSF, which can be shared to direct individuals to the assessment’s Report Center dashboard.
All report sharing for these assessments must occur through Report Center.
Anticipated questions and answers can be found here. Updated documentation, including user guide materials, will be made available at release.
For additional questions, please contact our Support team or a HITRUST Customer Success Manager (CSM).