HITRUST MyCSF Compliance and Reporting Pack for HIPAA FAQs

What is the MyCSF Compliance and Reporting Pack for HIPAA?

The MyCSF Compliance and Reporting Pack for HIPAA compiles and reports on information relevant to HIPAA that is collected during the HITRUST CSF Assessment process. The pack can be configured to include some or all HIPAA requirements and implementation specifications outlined in 45 CFR 164 subparts C and D, and it can be configured to optionally include supporting evidence / artifacts captured during the assessment process. The MyCSF Compliance and Reporting Pack for HIPAA is:

  • An aid to those who rely on the HITRUST CSF to support their HIPAA compliance efforts.
  • A mechanism to quickly and easily self-report against HIPAA compliance using information captured in a HITRUST CSF assessment.
  • A helpful resource during interactions with internal and external stakeholders inquiring about HIPAA compliance.

When will the MyCSF Compliance and Reporting Pack for HIPAA be available?

The MyCSF Compliance and Reporting Pack for HIPAA became available with the release of HITRUST CSF v9.5.0 on September 3, 2021.

Which versions of the HITRUST CSF does an assessment need to use to take advantage of the MyCSF Compliance and Reporting Pack for HIPAA?

The MyCSF Compliance and Reporting Pack for HIPAA can only be generated for assessments using HITRUST CSF v9.5.0 (or higher), and only for objects created or refreshed on or after September 3, 2021.

Will the MyCSF Compliance and Reporting Pack for HIPAA work with any older versions of the CSF such as v9.1, v9.2, v9.3 or v9.4?

No, it is only available in HITRUST CSF v9.5.0.

How does an inflight assessment leverage the new MyCSF Compliance and Reporting Pack for HIPAA?

Assessments that have not been previously submitted to HITRUST can change their CSF version to v9.5.0. Assessed entities should work with their External Assessors to understand the implications of changing CSF versions on their assessment as a change in CSF version may, in certain circumstances, introduce new or modified requirements into an assessment.

Do you need to be a MyCSF subscriber to access the MyCSF Compliance and Reporting Pack for HIPAA?

Yes, while all annual MyCSF subscription levels can access and use the Compliance and Reporting Pack for HIPAA, “Report Only” MyCSF customers cannot.

Is there an additional charge for the MyCSF Compliance and Reporting Pack for HIPAA?

No, the MyCSF Compliance and Reporting Pack for HIPAA is included as part of the analytics within MyCSF subscription accounts.

Is the MyCSF Compliance and Reporting Pack for HIPAA a replacement for a HITRUST CSF Certification?

While the audience for a MyCSF Compliance and Reporting Pack for HIPAA can be an internal stakeholder (such as IA, Compliance, InfoSec), an external stakeholder (such as a consultant, an auditor, or a business partner), or a regulator (such as the OCR), the MyCSF Compliance and Reporting Pack for HIPAA is not a HITRUST Certification and does not itself convey the same level of assurances as the HITRUST CSF Validated Report with Certification.

What does the MyCSF Compliance and Reporting Pack for HIPAA contain?

The MyCSF Compliance and Reporting Pack for HIPAA is delivered as a stand-alone downloadable archive containing:

  • Multiple reports, organized by HIPAA safeguard, section, and implementation specification, that contain the relevant information captured in the underlying HITRUST CSF assessment.
  • A mapping of each HIPAA control to your corresponding policies and evidence.
  • An informational PDF describing how adoption of the HITRUST CSF and the HITRUST CSF Assurance Program supports an organization’s HIPAA compliance efforts.
  • Optionally, the control evidence and supporting artifacts captured in the underlying HITRUST CSF assessment that are relevant to HIPAA standards and implementation specifications; you can tailor the pack by choosing whether to include them.

Can the MyCSF Compliance and Reporting Pack for HIPAA only be generated against a completed, 2-year validated HITRUST CSF assessment?

No, in-process readiness and targeted assessments can also be used as the basis for the MyCSF Compliance and Reporting Pack for HIPAA if they contain HITRUST requirements with HIPAA control mappings.

Where can I find the MyCSF Compliance and Reporting Pack for HIPAA feature and how do I use it?

The MyCSF Compliance and Reporting Pack for HIPAA is located on the MyCSF Analytics page.

Which portions of HIPAA does the MyCSF Compliance and Reporting Pack for HIPAA report on?

Currently, the MyCSF Compliance and Reporting Pack for HIPAA only reports on the HIPAA Security Rule and the HIPAA Breach Notification Rule (45 CFR 164 subparts C and D respectively). Support for the HIPAA Privacy Rule (45 CFR 164 subpart E) will be included in a future update.

I’m a HIPAA business associate, and I noticed that several HIPAA standards and implementation specifications specific only to HIPAA covered entities and group health plans are not included in my MyCSF Compliance and Reporting Pack for HIPAA. Is this intentional?

Yes. The MyCSF Compliance and Reporting Pack for HIPAA is tailored based on the organization type you specified when you created the HITRUST CSF assessment used as the basis for the pack. Certain portions of the HIPAA Security Rule and HIPAA Breach Notification Rule are applicable only to covered entities, while other portions are applicable only to business associates. These applicability rules are built into the HITRUST CSF and the MyCSF Compliance and Reporting Pack for HIPAA.

Can you elaborate on how to use the MyCSF to only perform a HIPAA assessment? How would you avoid the basic scoping factors such as number of records, number of transactions, etc.?

This can be achieved through use of a targeted assessment in MyCSF for which HIPAA is included as an authoritative source. Targeted assessments include all requirements in the CSF mapped back to the specific authoritative source(s) picked for inclusion and do not use the MyCSF scoping questions (such as number of records). For example, a HIPAA-specific targeted assessment could easily be created within MyCSF by including the HIPAA security, breach notification, and privacy rules as the targeted assessment’s only authoritative sources.

I’m about to go through an OCR audit and I’d like to contact someone about how to best communicate the value of my organization’s HITRUST efforts regarding our HIPAA compliance. Who is the best person to contact?

The HITRUST Regulatory Assistance Center* was created to assist organizations that have a HITRUST CSF Certification and are preparing for or undergoing a regulatory audit. This no-cost service includes guidance on how a HITRUST CSF assessment can and should be leveraged to demonstrate compliance, including how specific requirements are met or how best to respond to a specific inquiry. The Regulatory Assistance Center formalizes and centralizes resources and helps HITRUST-certified organizations compile and develop additional content. The center is staffed with security and privacy professionals who can refer you to outside attorneys* and other experts familiar with HITRUST, HIPAA regulations, and the OCR audit process. The center’s initial focus is on HIPAA compliance, and it will be expanding to other regulations. Organizations with a current HITRUST CSF certification can reach out to the HITRUST Regulatory Assistance Center.

*The HITRUST Regulatory Assistance Center is a preliminary resource to assist organizations undergoing an audit and use of it does not create or constitute an attorney-client relationship.

Is there a demo?

Yes. Contact HITRUST to arrange for a demo that includes the MyCSF Compliance and Reporting Pack for HIPAA.
