HITRUST CSF Download
In order to download the HITRUST CSF, please review the below License Agreement and verify your eligibility and acceptance. You will be asked for your contact information in the form below.
THE HITRUST CSF INCLUDED IN THE DOWNLOAD PACKAGE IS NOT A COMPREHENSIVE LISTING OF ALL REQUIREMENTS WITHIN THE HITRUST CSF. THE FULL AND COMPREHENSIVE HITRUST CSF IS AVAILABLE ONLY UPON REQUEST TO ELIGIBLE QUALIFIED ORGANIZATIONS OR QUALIFIED INDIVIDUALS AS SET FORTH IN THE LICENSE AGREEMENT BELOW.
Qualified Organizations or Qualified Individuals may request access to the full and comprehensive HITRUST CSF PDF by submitting a request to info@hitrustalliance.net.
HITRUST will review requests to confirm the Qualified Organization or Qualified Individual eligibility. HITRUST reserves the right to reject any request, for the full and comprehensive HITRUST CSF, at HITRUST’s sole discretion.
Version 11.1.0
Effective Date: April 4, 2023
HITRUST Alliance Inc. (“HITRUST” or “Licensor”) hereby authorizes limited access to and use of the HITRUST CSF® to entities that are parties to a HITRUST MyCSF® Subscription Agreement, a HITRUST Authorized External Assessor Agreement, HITRUST CSF Readiness License Agreement, or other Qualified Organizations or Individuals who have agreed to the HITRUST® Website Terms of Use through execution of this License Agreement (each such party, a “Licensee”). The HITRUST MyCSF Subscription Agreement, HITRUST CSF Authorized External Assessor Agreement, HITRUST CSF Readiness License Agreement and the HITRUST Website Terms of Use are referred to herein collectively as the “Agreements.” By accessing or using any portion of the HITRUST CSF or checking the box at the end of this License Agreement, Licensee agrees to the terms of this HITRUST CSF License Agreement (the “License Agreement”). As used in this License Agreement, the “HITRUST CSF” means a partial version of the HITRUST CSF, a version which does not contain all the comprehensive requirements, and any other documents and materials contained within the download package. In the event of a conflict between one of the Agreements and this License Agreement, this License Agreement shall control. The Licensee may have access to and use the HITRUST CSF for its own internal business purposes as provided in this License Agreement, and as a condition to such use and access, the Licensee agrees to the following terms:
1. Licensee, Authorized Users. A Licensee must be a HITRUST Qualified Organization or Qualified Individual, which includes organizations and/or individuals employing a function or activity involving the use or disclosure of individually identifiable health information or individually identifiable personal information, provided such organization and/or individual does not provide security products or services of any kind or nature. Federal, state, and/or local governmental organizations or employees acting in an official capacity are Authorized Users.
The following is a non-exclusive list of persons or entities that are NOT HITRUST Qualified Organizations and/or HITRUST Qualified Individuals and shall not be permitted to be a Licensee or Affiliate under any circumstance:
- IT security service providers,
- IT security product providers,
- IT security consultants, and/or
- IT security vendors and suppliers.
You may NOT accept the terms and conditions of this License Agreement and access the HITRUST CSF or any portion thereof if you are not a HITRUST Qualified Organization and/or a HITRUST Qualified Individual. If a Licensee’s status as a HITRUST Qualified Organization and/or a HITRUST Qualified Individual is revoked or terminated, HITRUST may, in its sole and absolute discretion, terminate the License and revoke Licensee’s authorization to have downloaded and to utilize the HITRUST CSF.
The Licensee may authorize unlimited individual users, provided that each authorized user is a Qualified Individual and has a need to use the HITRUST CSF to provide internal services or perform internal functions for the Licensee, subject to this License Agreement (“Authorized Users”). The Licensee shall always maintain a list of all current and past Authorized Users. Authorized Users may include both employees of the Licensee or its Affiliates and their agents. All Authorized Users are subject to this License Agreement and Licensee shall not permit disclosure of an electronic or paper copy, in whole or part, of the HITRUST CSF, to any other person or entity.
Upon termination of an Authorized User’s authorization under this License Agreement for any reason, the Licensee shall (a) revoke the individual’s access to the HITRUST CSF, (b) remove any such electronic files from the individual’s possession and from all computers, systems, and devices to which the individual has access, and (c) remove any paper copies of the HITRUST CSF from the individual’s possession. In the case of a potential breach of this Agreement by one or more Authorized User(s), Licensee shall cooperate with HITRUST to identify the relevant user(s) and to remedy or remediate any breach. Licensee acknowledges that this may require sharing personal data about one or more Authorized User(s) with HITRUST and hereby acknowledges that it is responsible for getting proper consent as needed from potential Authorized Users to share such information with HITRUST prior to providing the proposed user access to the HITRUST CSF.
2. Grant of License. Subject to compliance with the terms and conditions of this License Agreement, Licensor hereby grants to Licensee, and Licensee accepts from Licensor, a limited, non-exclusive, non-transferable, and non-assignable right and license (the “License”) to access portions of the HITRUST CSF in PDF form for: (i) internal educational and/or internal information sharing purposes only, (ii) for the sole use of the Licensee, and/or (iii) by any wholly-owned subsidiaries of Licensee that have been previously identified and approved in writing to HITRUST (each, an “Affiliate”). Licensee agrees that it shall not use, or attempt to use, the HITRUST CSF for any other purpose, including but not limited to any external disclosure or use with any Licensee customers, vendors, or partners.
3. License Fee. There shall be no fee for the License provided herein.
4. Delivery of HITRUST CSF. During the term of this License Agreement, HITRUST shall make portions of the HITRUST CSF available to Licensee for delivery by the Internet from the server(s) on which the HITRUST CSF is hosted. HITRUST is not responsible for ensuring the Licensee’s computer and systems are compatible with the HITRUST CSF or that Licensee is able to access the HITRUST CSF. HITRUST makes no representation or warranty to Licensee.
5. HITRUST CSF Ownership. All title and intellectual property rights and interest in and to the HITRUST CSF, including but not limited to any text, images, photographs, animations, video, and audio incorporated into it, and any copies of any of the foregoing that a Licensee is expressly permitted to make herein, are and continue to be solely owned by HITRUST or its suppliers. The HITRUST CSF includes valuable, proprietary, and confidential information, compilations, methods, techniques, procedures, and processes not generally known, which can only be obtained from HITRUST. HITRUST has implemented reasonable protections for the HITRUST CSF, including but not limited to the terms of this License Agreement, to prevent its unauthorized disclosure or use. Licensee acknowledges and affirms HITRUST’s ownership and exclusive right, title and interest in the HITRUST CSF and all of its component parts. Licensee agrees that neither it nor any Affiliate or Authorized User (defined below) will attack or impair, directly or indirectly, any of HITRUST’s rights in the HITRUST CSF or any portion thereof, or any of HITRUST’s prior or subsequent registrations or applications for registration of any mark, copyright or patent arising out of or relating to any portion of the HITRUST CSF.
6. Updates. Licensor may, in its sole discretion, update the HITRUST CSF, by which Licensee would be entitled to the updated version of the HITRUST CSF, in which case such updates shall be deemed to be included in the HITRUST CSF and governed by this License Agreement as such unless HITRUST expressly notifies the Licensee that any such Update or Updates are provided under other licensing terms.
7. Prohibited Activities and Uses of HITRUST CSF. Any use of the HITRUST CSF not expressly permitted by this License Agreement is strictly prohibited. In particular, and without limitation, the Licensee shall NOT do any of the following:
- Provide or otherwise allow the disclosure of an electronic or paper copy, in whole or part, of the HITRUST CSF or any data contained therein that is not owned by Licensee, to any individual or entity that is not a duly authorized Licensee or Authorized User.
- Use the HITRUST CSF, in whole or part, to provide analyses, assessments, services or products of any kind to any other person or entity, except an Affiliate.
- Store or otherwise maintain the HITRUST CSF, in whole or part, in any medium including, without limitation, any cloud service, storage provider, or other electronic database.
- Create any Derivative Work, based in whole or part on any portion of the HITRUST CSF, without Licensor’s express prior written consent. “Derivative Work” as used herein shall mean any service, software program or other work, and copies thereof, which are developed by Licensee, or its Affiliates, and which are based on or incorporate any part of the HITRUST CSF, including without limitation any modification, enhancement, translation, compilation, expansion, or any other form in which the HITRUST CSF may be recast or adapted, and that, if prepared without HITRUST’s authorization, would constitute an infringement or violation of HITRUST’s rights.
These prohibitions shall not apply to: Any information, compilation, method, technique, procedure, or process included in the HITRUST CSF that (a) is or has become public knowledge, by publication or other public disclosure, through no action or omission of the Licensee under this License Agreement; (b) was verifiably known to the Licensee prior to the date of entry into this License Agreement, (c) was independently developed by the Licensee without use of the HITRUST CSF; or (d) was lawfully obtained by the Licensee from a third party who was in lawful possession of it and had the right to provide it to Licensee.
8. No Interference with Intellectual Property Protections. Under no circumstances shall any Licensee or other entity or individual subject to this License Agreement disable any digital rights protections or remove, modify, interfere with, or obscure any copyright, trademark or other proprietary rights and notices that apply to, appear on, or included in the HITRUST CSF.
9. Compliance. Upon Licensor’s request, an officer of the Licensee shall promptly certify in writing to Licensor that the Licensee and all Affiliates are in full compliance with the terms and conditions of this License Agreement.
10. Export Compliance. The information that HITRUST makes available under this License Agreement, and any derivatives thereof, may be subject to export laws and regulations of the United States and other jurisdictions. Each party represents that neither it nor any of its owners, directors or officers is named on any U.S. government denied-party list. You shall not permit Authorized Users to access or use any Service or Content in a U.S.-embargoed country or in violation of any U.S. export law or regulation.
11. Defense of Infringement and Misappropriation Claims.
11.1. Notice and Cure. In the event that HITRUST receives notice that the HITRUST CSF, or any component of the HITRUST CSF, may infringe any copyright, trademark, patent, or constitute a misappropriation of a trade secret, HITRUST may, at its sole discretion:
- Procure for the Licensee the right to continue using the potentially or allegedly infringing or misappropriated component; or
- Modify the HITRUST CSF to provide, or substitute, materially equivalent functioning or a materially functional equivalent which does not infringe and/or is not misappropriated in which case the Licensee shall immediately stop using the allegedly infringing or misappropriated component and shall cooperate with HITRUST in implementing use of the functional substitute.
11.2. Limited Defense. HITRUST will defend the Licensee against any claims by an unaffiliated third party that any component of the HITRUST CSF infringes any copyright, trademark or patent or misappropriates any trade secret, including but not limited to an action for injunctive relief based on such a claim; on the condition precedent that the Licensee gives HITRUST prompt written notice of such claim, gives HITRUST sole control over its defense or settlement (except that HITRUST may not settle any such claim against Licensee unless it unconditionally releases Licensee of all liability), and provides HITRUST with reasonable assistance and cooperation in such defense. Defense to any other claims shall not be provided, and issues relating to defense coverage shall be resolved in the sole and absolute discretion of HITRUST.
11.3. Limitation of Duty to Defend. HITRUST shall have no obligation to defend the Licensee against any claim:
- That relates to an allegedly infringing use, or use of misappropriated intellectual property, after HITRUST has notified the Licensee of a substitute as provided above; or
- That relates to any use or disclosure of any portion of the HITRUST CSF, in whole or in part, in breach of any term of this License Agreement; or
- For any trade secret claim that arises from the Licensee acquiring the trade secret through improper means, under conditions giving rise to a duty to maintain its secrecy or limit its use, or from a person other than Licensee who owed the party asserting the claim a duty to maintain the secrecy or limit the use of the trade secret.
11.4. Exclusive Remedy. The rights and remedies stated in this Section 11 state Licensor’s entire liability and the sole and exclusive remedy of Licensee and its Affiliates with respect to any claim of infringement or misappropriation of the intellectual property rights of any third party, whether arising under statutory or common law or otherwise.
12. DISCLAIMER OF WARRANTIES; ASSUMPTION OF RISK.
Disclaimer of Warranties. THE HITRUST CSF IS DEEMED ACCEPTED BY THE LICENSEE AS OF THE DATE LICENSEE OR ANY OF LICENSEE’S AFFILIATES OR AUTHORIZED USERS FIRST ACCESSES ANY PORTION OF THE HITRUST CSF. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, HITRUST AND ITS SUPPLIERS PROVIDE THE HITRUST CSF “AS IS,” “WHERE IS”, AND WITH ALL FAULTS, AND HITRUST AND ITS SUPPLIERS HEREBY DISCLAIM ALL OTHER WARRANTIES AND CONDITIONS, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES, DUTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, QUIET POSSESSION, SECURITY, CONFORMITY TO DESCRIPTION, NON-INFRINGEMENT, RELIABILITY, ACCURACY OR COMPLETENESS, AND RESULTS ALL WITH REGARD TO THE HITRUST CSF OR OTHERWISE ARISING OUT OF THE USE OF THE HITRUST CSF OR ANY PORTION THEREOF. THE ENTIRE RISK AS TO THE QUALITY OR ARISING OUT OF THE USE OF THE HITRUST CSF AT ALL TIMES REMAINS WITH THE LICENSEE AND ITS AFFILIATES.
Assumption of Risk. THERE IS RISK INHERENT IN EVERY USE OF THE INTERNET AND/OR THE WORLD WIDE WEB. NO SYSTEM IS IMPERVIOUS TO ALL ATTACKS AND ATTEMPTS AT UNAUTHORIZED ENTRY AND ACCESS. BY ACCESSING THE HITRUST CSF, LICENSEE EXPRESSLY ASSUMES ANY AND ALL SUCH RISKS. IN NO EVENT WILL LICENSOR BE RESPONSIBLE OR LIABLE FOR ANY ERROR, OMISSION, INTERRUPTION, DELETION, DEFECT, DELAY IN OPERATION OR TRANSMISSION, COMMUNICATIONS LINE FAILURE, THEFT OR DESTRUCTION OR UNAUTHORIZED ACCESS OF THE HITRUST CSF, OR ANY INJURY OR DAMAGE TO ANY PROPERTY ARISING FROM LICENSEE OR ANY AFFILIATE OR AUTHORIZED USER’S ACCESS OF THE HITRUST CSF.
13. EXCLUSION OF INCIDENTAL, CONSEQUENTIAL, EXEMPLARY AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL HITRUST OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR CONFIDENTIAL OR OTHER DATA OR INFORMATION, BUSINESS INTERRUPTION, PERSONAL INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY DUTY INCLUDING OF GOOD FAITH OR OF REASONABLE CARE, NEGLIGENCE, AND ANY OTHER PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING OUT OF, OR IN ANY WAY RELATED TO, THE USE OF OR INABILITY TO USE THE HITRUST CSF, THE PROVISION OF OR FAILURE TO PROVIDE THE HITRUST CSF OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS LICENSE AGREEMENT, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), MISREPRESENTATION, STRICT LIABILITY, BREACH OF CONTRACT OR BREACH OF WARRANTY OF HITRUST OR ANY SUPPLIER AND EVEN IF HITRUST OR ANY SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
14. LIMITATION OF LIABILITY AND REMEDIES. NOTWITHSTANDING ANY DAMAGES THAT THE LICENSEE OR ANY AFFILIATE MIGHT INCUR FOR ANY REASON WHATSOEVER (INCLUDING, WITHOUT LIMITATION, ALL DAMAGES REFERENCED HEREIN AND ALL DIRECT OR GENERAL DAMAGES IN CONTRACT OR ANYTHING ELSE), TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, HITRUST SHALL HAVE NO LIABILITY TO LICENSEE AND ITS AFFILIATES ARISING OUT OF THIS LICENSE AGREEMENT. THE FOREGOING LIMITATIONS, EXCLUSIONS AND DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EVEN IF ANY REMEDY FAILS ITS ESSENTIAL PURPOSE.
15. Indemnification. The Licensee hereby agrees to defend, indemnify and hold harmless HITRUST, its officers, directors, shareholders, employees and agents at the Licensee’s own expense from and against any and all suits, claims, actions, causes of action, liabilities, obligations, losses, costs, penalties and damages of whatsoever kind in nature, including reasonable attorney’s fees and costs, arising out of or in connection with or incident to the use by the Licensee or any Affiliate of the HITRUST CSF or any portion thereof, or any breach of this License Agreement by the Licensee or any Affiliate.
16. Injunctive Remedies for License Violations. The Licensee hereby acknowledges that any violation of this License Agreement by the Licensee or an Affiliate will cause irreparable injury to HITRUST, and, as a result, in addition to and without limiting any other rights and remedies available to HITRUST, HITRUST shall be entitled to seek any injunctive relief or other rights or remedies to which HITRUST is or may be entitled to under law to prevent or mitigate the effects of such violation. This expressly includes but is not limited to any breach by Licensee of the Prohibited Activities and Uses of the HITRUST CSF provided in paragraph 6 above.
17. Termination of License. Licensee agrees that HITRUST may terminate this License Agreement, the License granted herein, and/or any access to or use of the HITRUST CSF by Licensee at any time. It is agreed that upon such termination, HITRUST shall owe Licensee no further obligation or liability of any kind or nature arising out of this Agreement, except as set forth herein. Notwithstanding anything to the contrary contained herein, the following paragraphs shall survive the termination of this License Agreement: Paragraphs 4, 6, 8, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20 and any other paragraphs which, by their terms, are reasonably intended to survive the earlier termination of this License Agreement.
18. Governing Law; Venue. This License Agreement shall be governed by and construed in accordance with the laws of the State of Texas. The exclusive forum for any dispute regarding this License Agreement shall be the state or federal courts located in Collin County, Texas and the Licensee hereby waives any argument that such is an inconvenient forum or that venue is improper in such forum.
19. Legal Fees and Costs. In the event of legal proceedings arising from or pertaining to this License Agreement or the License, the prevailing party shall be awarded its reasonable attorney’s fees and costs of litigation, including any on appeal or in bankruptcy proceedings.
20. Entire Agreement. This License Agreement contains the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior written or oral agreements with respect thereto.
21. No Assignment. Licensee may not assign or transfer any of its rights or obligations under this Agreement without the prior written consent of Licensor, which may be withheld in Licensor’s sole and absolute discretion.
22. Consent to Collection of Information. As part of this License Agreement, HITRUST will be collecting certain personal and/or identifying information from the Licensee, including the name and contact information, including email address of Licensee’s representative. Licensee’s representative, by checking the applicable box below, consents to HITRUST collecting this information and acknowledges that the processing of this information is necessary for HITRUST to administer this License Agreement. Licensee hereby warrants that it will obtain proper consent to collect and potentially share with HITRUST information on any Authorized Users as appropriate prior to providing such User access to the HITRUST CSF. Information collected will be used in accordance with HITRUST’s Privacy Policy.
BY CLICKING THE ACCEPTANCE BUTTON BELOW OR BY ACCESSING OR USING THIS INFORMATION OR ANY PORTION OF THE HITRUST CSF, I ACKNOWLEDGE THAT I HAVE READ THE HITRUST CSF LICENSE AGREEMENT, UNDERSTAND IT AND AGREE TO BE LEGALLY BOUND BY ITS TERMS AND CONDITIONS.
I have read and agree to the general terms and conditions stated in the above license agreement.