1. Introduction

* Enforcement of the requirements defined within the Assessment Handbook will begin for all assessments submitted to HITRUST on or after April 16, 2024. For assessments submitted to HITRUST prior to April 16, 2024, the existing guidance found on the HITRUST website is expected to be observed. See HAA 2023-014 – HITRUST Assessment Handbook for details.

*Click here to download the Assessment Handbook.

The purpose of this document is to define the requirements for those organizations assessing their information protection programs against the HITRUST CSF utilizing a readiness or validated assessment. The Assessment Handbook is intended to provide guidance and expectations to Assessed Entities and HITRUST External Assessors on the HITRUST assessment and certification processes. HITRUST External Assessors are expected to maintain an understanding of the requirements and Assurance Program processes defined in this Handbook. For additional details around the development of the HITRUST CSF and the HITRUST approach to risk management, please see the HITRUST Risk Management Handbook.

This document assumes a baseline understanding of HITRUST, the HITRUST CSF Framework and the HITRUST Assurance Program. The following resources provide additional information about HITRUST:

• HITRUST CSF Framework: HITRUST Alliance | HITRUST CSF | Information Risk Management
• HITRUST Assurance Program: HITRUST Assurance Program – HITRUST Alliance
• Potential Assessed Entities: My Organization Needs a HITRUST Certification – HITRUST Alliance
• Potential External Assessors: HITRUST Alliance | Assessors | Information Risk Compliance
• HITRUST Academy courses: HITRUST Academy – HITRUST Alliance
  

Any updates to the Assurance Program will be communicated via Advisories published at: https://hitrustalliance.net/advisories. HITRUST will provide notice of any changes to requirements in this Handbook using those Advisories. In addition, HITRUST will provide a comparison log detailing the changes outlined within those Advisories. HITRUST will provide a notice period for any changes to requirements in this Assessment Handbook to allow sufficient time for Assessed Entities and External Assessors to prepare for the change. HITRUST may include additional FAQs or Examples within the Handbook at any time to provide Assessed Entities and External Assessors with additional clarification or guidance on the requirements within the Handbook.

Terminology used within the Assessment Handbook follows the definitions in the HITRUST Glossary of Terms and Acronyms (accessible within MyCSF in the “References” tab), unless otherwise defined within this Assessment Handbook.

HITRUST expects all Assessed Entities and External Assessors to maintain awareness of the current Assurance Program requirements and updated requirements through this Assessment Handbook and corresponding Advisories.