HITRUST Updates Common Security Framework to Include Privacy Controls

Date: January 7, 2015

The addition of privacy controls will create a fully integrated information security and privacy framework

Frisco, TX – January 7, 2015: The Health Information Trust Alliance (HITRUST) announced today the addition of privacy controls to version seven of the HITRUST Common Security Framework (CSF) being released later this month. This addition creates a fully integrated privacy and security framework that meets the regulatory requirements of the U.S. healthcare industry. Organizations can now rely on a single framework to manage their information privacy and security risk and compliance.

Developed over the last 18 months by the HITRUST Privacy Working Group, the privacy controls produce better alignment between healthcare organizations’ security and privacy programs and allow for an integrated approach for protecting health information under HIPAA. After conducting a review of various privacy frameworks, standards and regulations, the working group recommended the inclusion of specific privacy control categories, objectives, specifications and requirements by implementation level.

“The new HITRUST CSF privacy domain facilitates an integrated approach to protect personal health information, aids in regulatory compliance, is consistent with healthcare industry trends, and enhances the current HITRUST CSF,” said Angela Holzworth, senior information risk analyst, Highmark Health and HITRUST Privacy Working Group Chair. Holzworth added, “I am proud of the deliverable we have developed and thankful for the opportunity to work with a wonderful and talented group of people.”

The benefits of adopting the HITRUST CSF become even greater by incorporating privacy controls. The HITRUST CSF has evolved into a more comprehensive and robust framework with which organizations can address their security and privacy programs and reduce the burden of compliance with all the applicable healthcare-related requirements. Although the HITRUST CSF will incorporate both privacy and security controls, organizations will have the option to obtain certification for privacy, security or both in order to choose the approach and pace most suited to their operational and compliance objectives.

“Given the multitude of federal and state regulations incorporating privacy and security requirements, a fully integrated privacy and security framework provides privacy and security professionals advantages over disparate approaches, allowing the organizations to effectively manage their information protection program,” said Michelle Nader, staff vice president, ethics & compliance and chief privacy officer, Anthem, Inc. “By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy, or both,” Nader concluded.

“More reliance will continue to be placed on electronic health records and health information exchanges to improve patient care and safety, minimize errors, control costs and support public health initiatives. In turn the healthcare industry must protect patient privacy while supporting this flow of health information in a way that benefits individuals and society,” stated Kimberly Gray, chief privacy officer, global, IMS Health. “The CSF privacy controls establish a uniform and practical approach to implementing privacy controls, taking into account both risk and operational factors.”

“From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it. Privacy was always seen as a component of a complete framework,” said Daniel Nutkis, chief executive officer, HITRUST. “Seven years ago when we began to create the CSF, we focused on the development and adoption of the security controls as a means to drive greater compliance by organizations with the HIPAA security requirements. Now that we have achieved broad adoption, we can join privacy controls with the framework.”

In addition, this release of the HITRUST CSF incorporates the Minimum Acceptable Risk Standards for Exchanges (MARS-E), additional guidance for cyber security, and enhancements to risk factors and assurance methodology. HITRUST is currently updating MyCSF to support the additional privacy controls and enable organizations to perform privacy control assessments, compliance reporting and related remediation tracking within the tool.

Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.

For more information, visit www.HITRUSTalliance.net.

All product and company names herein may be trademarks of their respective owners.