Leveraging HITRUST to Demonstrate HIPAA Compliance

HITRUST has supported thousands of Covered Entities and Business Associates with their Health Insurance Portability and Accountability Act (HIPAA) compliance programs since the first release of the HITRUST CSF in 2009. More than 80% of US hospitals, 85% of US health insurers, and many other covered entities and business associates leverage the HITRUST Approach today to aid their HIPAA compliance initiatives.

With regulations constantly evolving and the threat landscape changing, organizations must continuously work to stay one step ahead. HITRUST’s integrated approach to information risk management and compliance helps organizations achieve their security and privacy goals—including HIPAA compliance regulations. The HITRUST CSF framework, HITRUST MyCSF platform, and HITRUST Assessments work together harmoniously to support organizations in their efforts to achieve, maintain, and provide assurances surrounding HIPAA compliance.

This integrated methodology is referred to as the HITRUST Approach.

Introducing … HITRUST MyCSF Compliance and Reporting Pack for HIPAA

The HITRUST MyCSF best-in-class SaaS risk management platform helps automate the process of selecting appropriate security and privacy controls via various assessment scoping factors. The MyCSF Compliance and Reporting Pack for HIPAA automatically compiles the list of evidence collected during the HITRUST r2 Assessment process and provides the specific HIPAA compliance information that is regularly requested during Office for Civil Rights (OCR) audits. Information is automatically consolidated into a compliance report and populated with evidence that can be shared directly with OCR investigators. This new capability significantly streamlines how organizations capture and present HIPAA regulatory compliance evidence for OCR audits by:

  • Generating a report, formatted by HIPAA control, that maps applicable HIPAA requirements to your HITRUST r2 Assessment.
  • Mapping each requirement to your corresponding policies and evidence for submission to the OCR.
  • Providing only the evidence that the OCR requests.

Key Resources

  • HITRUST Approach to HIPAA Compliance – Download this free guide, which documents HITRUST controls as they relate to HIPAA’s Security and Breach Notification Rules. The guide includes instructions, a support and responsibilities table, and a HIPAA compliance checklist that can be leveraged as organizations pursue their HIPAA compliance objectives. Click here to download the guide.
  • MyCSF Compliance and Reporting Pack for HIPAA – As part of our continuous commitment to improve HITRUST products and services, the HITRUST CSF framework v9.5 (or higher) can now generate a HIPAA-specific Compliance and Reporting Pack, which significantly streamlines how organizations capture and present HIPAA regulatory compliance evidence. This high-efficiency tool saves countless hours by collecting documentation and preparing the reports that are regularly requested by the Office for Civil Rights (OCR).
    Click here to learn more about the MyCSF Compliance and Reporting Pack for HIPAA.
    MyCSF Compliance and Reporting Pack for HIPAA Frequently Asked Questions.
  • HITRUST Regulatory Assistance Center – The new HITRUST Regulatory Assistance Center was created to aid organizations that have a HITRUST Certification and are preparing for or undergoing a regulatory audit. This no-cost assistance includes guidance on how HITRUST Assessment Reports can and should be leveraged to demonstrate compliance, including how specific requirements are met or how best to respond relating to a specific inquiry. The Center is staffed with security and privacy professionals, attorneys, and other experts familiar with the HITRUST CSF, HITRUST Assurance Program, and HIPAA regulations. Click here to learn more about the HITRUST Regulatory Assistance Center.
  • HITRUST and HIPAA Safe Harbor – Download our white paper to learn how the HITRUST Approach meets the requirements of having recognized security practices in place as it relates to the HIPAA Safe Harbor Law, H.R. 7898. Click here to download the white paper.


HITRUST, together with King & Spalding LLP, hosted a webinar to provide insight on how organizations can position themselves advantageously from a legal perspective when it comes to HIPAA compliance and regulatory investigations by leveraging their HITRUST Certifications. To watch the webinar, visit here.
