HIPAA regulatory factor now selected by rule within MyCSF.
HITRUST recently updated the underlying logic of the HITRUST MyCSF platform governing how HITRUST CSF Assessments, which incorporate regulatory factors, are created. As a result, the selection of an optional regulatory factor now includes all relevant requirement statements, including those that map outside the controls required for HITRUST CSF Certification.
With the logic update, the HIPAA Regulatory Factor would pull in all three Rules by default: Security, Privacy, and Breach Notification. HITRUST realized a need for organizations to be able to choose to include none, some, or all of these Rules, as they may not all be applicable to every situation. The MyCSF platform now splits the general HIPAA factor into the three Rules. For example, from a privacy perspective, an organization may choose not to pursue a HITRUST Privacy Assessment, avoiding the inclusion of all related privacy requirement statements; however, the HIPAA Privacy Rule can be selected so that the HIPAA-specific privacy requirement statements are included when completing the factors portion of the assessment scoping.
This flexibility provides organizations more control over the inclusion of the HIPAA Rules.