Latest version includes shift to industry-agnostic approach and Singapore’s Personal Data Protection Act
HITRUST today announced the release of version 9.2 of the HITRUST CSF.
This version integrates Singapore’s Personal Data Protection Act (PDPA) into the HITRUST CSF and includes additional plain language interpretations of relevant articles and recitals from the European Union’s General Data Protection Regulation (GDPR). Further, the HITRUST CSF Control Category for Privacy Practices has been revised significantly to support the placement of HIPAA-specific requirements in a separate segment in all categories, marking a shift to a more industry-agnostic approach for the HITRUST CSF and better aligning it with existing international privacy frameworks.
Designating HIPAA as a standalone segment has no impact on healthcare organizations beyond the need to select their industry when conducting an assessment.
These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally. HITRUST ensures the HITRUST CSF stays relevant and current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations as authoritative sources.
HITRUST’s market-leading risk management and compliance framework – a key component of the HITRUST Approach – integrates and cross-references multiple authoritative sources such as ISO, NIST, PCI, and HIPAA. The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment.