HITRUST MyCSF Compliance and Reporting Pack for HIPAA FAQs

What is the MyCSF Compliance and Reporting Pack for HIPAA?

The MyCSF Compliance and Reporting Pack for HIPAA compiles and reports on information relevant to HIPAA that is collected during the HITRUST r2 Assessment process. The MyCSF Compliance and Reporting Pack for HIPAA cannot be used with HITRUST e1 or i1 Assessments.

Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?

The MyCSF Compliance and Reporting Pack for HIPAA can only be generated for assessments using HITRUST CSF v9.5.0 (or higher) – including v11 – and only for objects created or refreshed on or after September 3, 2021.

Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?

No, it is only available in HITRUST CSF v9.5.0 and later.

How does an inflight assessment leverage the new MyCSF Compliance and Reporting Pack for HIPAA?

r2 Assessments that have not been previously submitted to HITRUST can change their CSF version to v9.5.0 (or later). Assessed entities should work with their External Assessors to understand the implications of changing CSF versions on their assessment as a change in CSF version may, in certain circumstances, introduce new or modified requirements into an assessment.

Do you need to be a MyCSF subscriber to access the MyCSF Compliance and Reporting Pack for HIPAA?

Yes, while all annual MyCSF subscription levels can access and use the Compliance and Reporting Pack for HIPAA, “Report Only” MyCSF customers cannot.

Is there an additional charge for the MyCSF Compliance and Reporting Pack for HIPAA?

No, the MyCSF Compliance and Reporting Pack for HIPAA is included as part of the analytics within MyCSF subscription accounts.

Is the MyCSF Compliance and Reporting Pack for HIPAA a replacement for a HITRUST Certification?

While the audience for a MyCSF Compliance and Reporting Pack for HIPAA can be an internal stakeholder (such as IA, Compliance, InfoSec), an external stakeholder (such as a consultant, an auditor, or a business partner), or a regulator (such as the OCR), the MyCSF Compliance and Reporting Pack for HIPAA is not a HITRUST Certification and does not itself convey the same level of assurances as the HITRUST Risk-based, 2-year (r2) Validated Assessment with Certification.

Can the MyCSF Compliance and Reporting Pack for HIPAA be run against i1 or e1 assessments?

No, the MyCSF Compliance and Reporting Pack for HIPAA cannot be run against i1 or e1 assessments. The MyCSF Compliance and Reporting Pack for HIPAA can be run against r2 assessments.

Can the MyCSF Compliance and Reporting Pack for HIPAA only be generated against a completed, HITRUST Risk-based, 2-year (r2) Validated Assessment?

No, in-process r2 Readiness and Targeted Assessments can also be used as the basis for the MyCSF Compliance and Reporting Pack for HIPAA if they contain HITRUST requirements with HIPAA control mappings.

What does the MyCSF Compliance and Reporting Pack for HIPAA contain?

The MyCSF Compliance and Reporting Pack for HIPAA is delivered as a stand-alone downloadable archive containing:

  • Multiple reports, organized by HIPAA safeguard, section, and implementation specification, that contain the relevant information captured in the underlying HITRUST Assessment.
  • A mapping of each HIPAA control to your corresponding policies and evidence.
  • An informational PDF describing how adoption of the HITRUST CSF and the HITRUST Assurance Program supports an organization’s HIPAA compliance efforts.
  • Optional: the pack can be tailored to include the control evidence and supporting artifacts captured in the underlying HITRUST r2 assessment that are relevant to HIPAA standards and implementation specifications.

Where can I find the MyCSF Compliance and Reporting Pack for HIPAA feature and how do I use it?

The MyCSF Compliance and Reporting Pack for HIPAA is located on the MyCSF Analytics page.

Which portions of HIPAA does the MyCSF Compliance and Reporting Pack for HIPAA report on?

Currently, the MyCSF Compliance and Reporting Pack for HIPAA only reports on the HIPAA Security Rule and the HIPAA Breach Notification Rule (45 CFR 164 subparts C and D respectively). Support for the HIPAA Privacy Rule (45 CFR 164 subpart E) will be included in a future update.

I’m a HIPAA business associate, and I noticed that several HIPAA standards and implementation specifications specific only to HIPAA covered entities and group health plans are not included in my MyCSF Compliance and Reporting Pack for HIPAA. Is this intentional?

Yes. The MyCSF Compliance and Reporting Pack for HIPAA is tailored based on the organization type you specified when you created the HITRUST Assessment used as the basis for the pack. Certain portions of the HIPAA Security Rule and HIPAA Breach Notification Rule are applicable only to covered entities, while other portions are applicable only to business associates. These applicability rules are built into the HITRUST CSF and the MyCSF Compliance and Reporting Pack for HIPAA.

Can you elaborate on how to use the MyCSF to only perform a HIPAA assessment? How would you avoid the basic scoping factors such as number of records, number of transactions, etc.?

This can be achieved through use of a targeted assessment in MyCSF for which HIPAA is included as an authoritative source. Targeted assessments include all requirements in the CSF mapped back to the specific authoritative source(s) picked for inclusion and do not use the MyCSF scoping questions (such as number of records). For example, a HIPAA-specific targeted assessment could easily be created within MyCSF by including the HIPAA security, breach notification, and privacy rules as the targeted assessment’s only authoritative sources.

I’m about to go through an OCR audit and I’d like to contact someone about how to best communicate the value of my organization’s HITRUST efforts regarding our HIPAA compliance. Who is the best person to contact?

The HITRUST Regulatory Assistance Center* was created to assist organizations that have a HITRUST r2 Certification and are preparing for or undergoing a regulatory audit. This no-cost service includes guidance on how a HITRUST Assessment can and should be leveraged to demonstrate compliance, including how specific requirements are met or how best to respond to a specific inquiry. The Regulatory Assistance Center formalizes and centralizes resources and helps HITRUST-certified organizations compile and develop additional content. The center is staffed with security and privacy professionals who can refer you to outside attorneys* and other experts familiar with HITRUST, HIPAA regulations, and the OCR audit process. The center’s initial focus is on HIPAA compliance, and it will be expanding to other regulations. Organizations with a current HITRUST Certification can reach out to the HITRUST Regulatory Assistance Center.

*The HITRUST Regulatory Assistance Center is a preliminary resource to assist organizations undergoing an audit and use of it does not create or constitute an attorney-client relationship.

Is there a demo?

Yes! Contact HITRUST to arrange a demo that includes the MyCSF Compliance and Reporting Pack for HIPAA.

Where can I get more information?

You can start a live chat with a member of the HITRUST team.