The MyCSF Compliance and Reporting Pack for HIPAA compiles and reports on information relevant to HIPAA that is collected during the HITRUST r2 Assessment process. The MyCSF Compliance and Reporting Pack for HIPAA cannot be used with HITRUST e1 or i1 Assessments.

The MyCSF Compliance and Reporting Pack for HIPAA can only be generated for assessments using HITRUST CSF v9.5.0 (or higher) – including v11 – and only for objects created or refreshed on or after September 3, 2021.

No, it is only available in HITRUST CSF v9.5.0, and later.

r2 Assessments that have not been previously submitted to HITRUST can change their CSF version to v9.5.0 (or later). Assessed entities should work with their External Assessors to understand the implications of changing CSF versions on their assessment as a change in CSF version may, in certain circumstances, introduce new or modified requirements into an assessment.

Yes, while all annual MyCSF subscription levels can access and use the Compliance and Reporting Pack for HIPAA, “Report Only” MyCSF customers cannot.

No, the MyCSF Compliance and Reporting Pack for HIPAA is included as part of the analytics within MyCSF subscription accounts.

While the audience for a MyCSF Compliance and Reporting Pack for HIPAA can be an internal stakeholder (such as IA, Compliance, InfoSec), an external stakeholder (such as a consultant, an auditor, or a business partner), or a regulator (such as the OCR), the MyCSF Compliance and Reporting Pack for HIPAA is not a HITRUST Certification and does not itself convey the same level of assurances as the HITRUST Risk-based, 2-year (r2) Validated Assessment with Certification.

No, the MyCSF Compliance and Reporting Pack for HIPAA cannot be run against i1 or e1 assessments. The MyCSF Compliance and Reporting Pack for HIPAA can be run against r2 assessments.

No, in-process r2 Readiness and Targeted Assessments can also be used as the basis for the MyCSF Compliance and Reporting Pack for HIPAA if they contain HITRUST requirements with HIPAA control mappings.

The MyCSF Compliance and Reporting Pack for HIPAA contains a stand-alone downloadable archive containing:

• Multiple reports, organized by HIPAA safeguard, section, and implementation specification, that contains relevant information captured in the underlying HITRUST Assessment.
• A mapping of each HIPAA control to your corresponding policies and evidence.
• An informational PDF describing how adoption of the HITRUST CSF and the HITRUST Assurance Program supports an organization’s HIPAA compliance efforts.
• Optional: Can tailor by choosing to include the control evidence and supporting artifacts captured in the underlying HITRUST r2 assessment that are relevant to HIPAA standards and implementation specifications.

The MyCSF Compliance and Reporting Pack for HIPAA is located on the MyCSF Analytics page.

Currently, the MyCSF Compliance and Reporting Pack for HIPAA only reports on the HIPAA Security Rule and the HIPAA Breach Notification Rule (45 CFR 164 subparts C and D respectively). Support for the HIPAA Privacy Rule (45 CFR 164 subpart E) will be included in a future update.

Yes. The MyCSF Compliance and Reporting Pack for HIPAA is tailored based on the organization type you specified when you created the HITRUST Assessment used as the basis for the pack. Certain portions of the HIPAA security rule and HIPAA breach notification rule are applicable only to covered entities, while other portions are applicable only to business associates. These applicability rules are built into the HITRUST CSF and the MyCSF Compliance and Reporting Pack for HIPAA.

This can be achieved through use of a targeted assessment in MyCSF for which HIPAA is included as an authoritative source. Targeted assessments include all requirements in the CSF mapped back to the specific authoritative source(s) picked for inclusion and do not use the MyCSF scoping questions (such as number of records). For example, a HIPAA-specific targeted assessment could easily be created within MyCSF by including the HIPAA security, breach notification, and privacy rules as the targeted assessment’s only authoritative sources.

The HITRUST Regulatory Assistance Center* was created to assist organizations that have a HITRUST r2 Certification and are preparing for or undergoing a regulatory audit. This no-cost service includes guidance on how a HITRUST Assessment can and should be leveraged to demonstrate compliance, including how specific requirements are met or how to best respond relating to a specific inquiry. The Regulatory Assistance Center formalizes and centralizes resources and helps HITRUST-certified organizations compile and develop additional content. The center is staffed with security and privacy professionals who can refer you to outside attorneys* and other experts familiar with HITRUST, HIPAA regulations, and the OCR audit process. The center’s initial focus is on HIPAA compliance, and it will be expanding to other regulations. Organizations with a current HITRUST Certification can reach out to the HITRUST Regulatory Assistance Center.

*The HITRUST Regulatory Assistance Center is a preliminary resource to assist organizations undergoing an audit and use of it does not create or constitute an attorney-client relationship.

YES! Contact HITRUST to arrange for demo that includes the MyCSF Compliance and Reporting Pack for HIPAA.

• Datasheet
• User Guide