The purpose of this document is to define the requirements for those organizations assessing their information protection programs against the HITRUST CSF through a readiness or validated assessment. This assessment handbook is intended to provide guidance and expectations to Assessed Entities and HITRUST Assessors on the HITRUST assessment and certification processes. HITRUST External Assessors are expected to maintain an understanding of the requirements and Assurance Program processes defined in this handbook. For additional details around the development of the HITRUST CSF and the HITRUST approach to Risk Management, please see the HITRUST Risk Management Handbook.

This document assumes a baseline understanding of HITRUST, the HITRUST CSF Framework and the HITRUST Assurance Program. Below are additional resources for obtaining information about HITRUST:

Any updates to the Assurance Program will be communicated through Advisories at the following: HITRUST will provide notice of any changes to requirements in this handbook through those Advisories. In addition, HITRUST will provide a comparison log detailing the changes outlined within those Advisories. HITRUST will provide a notice period for any changes to requirements in this Assessment Handbook to allow sufficient time for Assessed Entities and External Assessors to prepare for the change. HITRUST may add FAQs or Examples within the handbook at any time to provide Assessed Entities and External Assessors with additional clarification or guidance on the requirements within the Handbook.

HITRUST expects all Assessed Entities and External Assessors to maintain awareness of the current Assurance Program requirements and updated requirements through this Assessment Handbook and corresponding Advisories.