New Version of HITRUST CSF Incorporates California Consumer Privacy Act, NIST Cybersecurity Framework and Additional Legislation & Standards
<< All Press Releases

Date: April 24, 2019

Update Ensures the HITRUST CSF Continues to Provide the Most Comprehensive Global Privacy and Security Framework Available

HITRUST, a leading data protection standards development and certification organization, today announced it will release version 9.3 of its HITRUST CSF during the third quarter of 2019.

Learn more about HITRUST, and the HITRUST CSF by attending our
HITRUST 2019 Conference in May. Click here to learn more.

The HITRUST CSF controls framework addresses security, privacy, and regulatory challenges facing organizations in industries such as healthcare, financial services, retail, hospitality and travel. These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally.

By incorporating numerous international, federal and state governmental regulations as well as recognized standards the HITRUST CSF helps organizations address information risk management and compliance challenges through a comprehensive, risk-based flexible framework of prescriptive and scalable controls. By including both privacy and security standards, the HITRUST CSF uniquely enables organizations to address the big picture of data protection. Most privacy regulations require appropriate security measures, which the HITRUST CSF helps identify.

By allowing organizations to conduct a comprehensive privacy and security assessment, the HITRUST CSF encourages cooperation between these disciplines and assists in achieving better compliance with regulatory requirements and best practices. Through the HITRUST CSF Assurance Program, organizations who obtain HITRUST CSF Certification covering both privacy and security can demonstrate that they are achieving high standards in their data protection program.

HITRUST ensures the HITRUST CSF relevancy and remains current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations. HITRUST CSF v9.3 will include new requirements placed on organizations by the California Consumer Privacy Act (CCPA). Passed in 2018, the new legislation takes effect January 1, 2020 with enforcement of the new law taking effect on July 1, 2020. The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR) which takes additional steps to protect the transmission, sharing and storage of consumer data. HITRUST CSF v9.3 also reflects key differences of the two laws, including the applicability, requirements for data access, and detailed requirements about opt-out methods.

The HITRUST CSF v9.3 will also reflect updates to a number of authoritative sources, including:

  • Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1.
  • The Federal Risk and Authorization Management Program (FedRAMP).
  • IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information.
  • The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1.
  • South Carolina’s Bill 4655, the Insurance Data Security Act.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST Approach provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment, as well as the structure, clarity, functionality, and cross-references to authoritative sources, eliminating the need for organizations to interpret, engage, and harmonize the multitude of frameworks and standards. The HITRUST CSF leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.

Organizations interested in assessing against any of the authoritative sources in the HITRUST CSF can do so by leveraging the HITRUST MyCSF tool. More information can be found at

Chat Now

This is where you can start a live chat with a member of our team