Leveraging HITRUST to Demonstrate HIPAA Compliance

HITRUST has supported thousands of Covered Entities and Business Associates with their Health Insurance Portability and Accountability Act (HIPAA) compliance programs since the first release of the HITRUST CSF in 2009. More than 80% of US hospitals, 85% of US health insurers, and many other covered entities and business associates leverage the HITRUST Approach today to aid their HIPAA compliance initiatives.

With regulations constantly evolving and the threat landscape changing, organizations must continuously work to stay one step ahead. HITRUST’s integrated approach to information risk management and compliance helps organizations achieve their security and privacy goals, including compliance with HIPAA regulations. The HITRUST CSF framework, HITRUST MyCSF platform, and HITRUST CSF Assessments work together to support organizations in their efforts to achieve, maintain, and provide assurances surrounding the HIPAA Security Rule, HIPAA Privacy Rule, and HIPAA Breach Notification Rule.

This integrated methodology is referred to as the HITRUST Approach.

HITRUST MyCSF Compliance and Reporting Pack for HIPAA

The HITRUST MyCSF SaaS platform helps automate the process of selecting appropriate security and privacy controls via various assessment scoping factors, including variables such as the number of records processed annually by an organization. In HITRUST MyCSF, the Compliance and Reporting Pack for HIPAA collects specific information that is required to comply with HIPAA and regularly requested during audits or investigations. The information is automatically consolidated in a compliance report, formatted by HIPAA control, and populated with evidence that can be shared directly with Office for Civil Rights (OCR) investigators. This new capability, planned for August 2021 release, will significantly streamline how organizations capture and present regulatory compliance evidence for OCR audits.

Key Resources

  • HITRUST Approach to HIPAA Compliance – Download this free guide, which documents HITRUST controls as they relate to HIPAA’s Security and Breach Notification Rules. The guide includes instructions, a support and responsibilities table, and a HIPAA compliance checklist that can be leveraged as organizations pursue their HIPAA compliance objectives. Click here to download the guide.
  • HITRUST Regulatory Assistance Center – Though there is no such thing as a HIPAA compliance certification, the new HITRUST Regulatory Assistance Center was created to aid organizations that have a HITRUST CSF Certification and are preparing for or undergoing a regulatory audit. This no-cost assistance includes guidance on how HITRUST CSF Assessment Reports can and should be leveraged to demonstrate compliance, including how specific requirements are met or how best to respond relating to a specific inquiry. The Center is staffed with security and privacy professionals, attorneys, and other experts familiar with the HITRUST CSF, HITRUST Assurance Program, and HIPAA regulations. Click here to learn more about the HITRUST Regulatory Assistance Center.
  • HITRUST and HIPAA Safe Harbor – Download our white paper to learn how the HITRUST Approach meets the requirements of having recognized security practices in place as it relates to the HIPAA Safe Harbor Law, H.R. 7898. Click here to download the white paper.


HITRUST, together with King & Spalding LLP, hosted a webinar to provide insight on how organizations can position themselves advantageously from a legal perspective when it comes to HIPAA compliance and regulatory investigations by leveraging their HITRUST CSF Certifications. To watch the webinar, visit here.
