HITRUST Privacy Notice

HITRUST cares about you and your privacy. This Notice provides you information on how we collect your information, how we use it, how we store it, and how and when we delete it.

Please be aware that this Notice applies only to information collected by HITRUST and its subsidiaries and affiliates, including but not limited to HITRUST Services Corp., HITRUST Alliance, Inc., and HITRUST Assessment Exchange LLC (collectively “HITRUST,” “we,” “our,” “us”).

Information is provided below on third parties we use as service providers. Any links from downloads or other documents that take you to non-HITRUST or non-HITRUST affiliated websites may have their own independent privacy policy.

This policy applies to any Personal Information collected about you by HITRUST, whether electronic, written, or oral. Please note that HITRUST is a business-to-business entity and anticipates that information provided by you will be business contact information. HITRUST’s services are meant for adults, and HITRUST should not receive Personal Information of any individual under the age of 18.

Residents of California or countries outside the United States may have different privacy rights. California residents can find their specific rights not otherwise covered in the Notice below. Residents of the EEA can find information on their specific rights not otherwise covered in the Notice below.

Our Notice includes the following information:

  • The type of information covered by this Notice
  • The collection and use of your Personal Information
  • Means to manage your Personal Information and communication preferences
  • Sharing of your Personal Information by us
  • Protection and security of your Personal Information
  • Use of cookies
  • Changes to this Notice
  • Our Contact information


This Notice applies to Personal Information collected by us. Personal Information is any information that can be used to identify you directly or indirectly. This includes but is not limited to your name, address, phone number, email address, payment card information, and/or certain additional categories of information that identify you personally.


We collect the information you provide directly to us, such as when you create or modify your account or user preferences, sign up for a newsletter, contact us, respond to a survey, use online content, use the HITRUST CSF, or the HITRUST MyCSF, or otherwise communicate with us. We also collect information when you interact with HITRUST Academy, by asking questions or by registering for a class or taking an exam. This information may include your name, email address, phone number, postal address, company, title or role, survey responses, user content stored or entered into the forms found in our online platforms, scores on exams and completion dates of courses, and other information you choose to provide. We use this data to provide you services, products, and support. We also use your Personal Information to contact you about our news and updates as well as pertinent information regarding any certification you may have with us. For some data collection, we use customer management software provided by service providers and/or processors. All such companies have signed a Data Protection Addendum with HITRUST directing how they may use any Personal Information collected in connection with our website or entered into their system by HITRUST employees. We also allow our analytics provider or providers to collect usage information over the Internet to determine website traffic.

We and most of the third parties with which we may share your data are located in the United States. If you are visiting our website or otherwise communicating with us from outside the United States, please be aware that your information may be transferred to, stored or processed in the United States and maintained on computers or servers located outside your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. By providing us your Personal Information, you understand that you are choosing to transfer that information to the United States.


If you do not want to receive information about our products or services, please update your account preferences and/or utilize the “unsubscribe” mechanism within the communications that you receive from us.

If you need to change any of your information or wish to have it deleted, please contact us at


We will not sell, rent, or lease mailing lists of customer names or email addresses to others, and we will not make your Personal Information available to any unaffiliated parties, except our approved agents and contractors, or as otherwise described in this Privacy Notice. We may share your information as needed among our affiliates and subsidiaries, who are subject to this Notice.

We will share your information as required by law, in a matter of public safety or policy, as needed in connection with the transfer of our business assets (for example, if we are acquired by another company), or if we believe in good faith that sharing the data is necessary to protect our rights or property.

Without your consent, we will not further disclose any Personal Information except as necessary to service the account, to enforce the terms of use, to meet our obligations to content and technology providers, or as required by law.


The security of your information is important to us. We take precautions to protect your information by implementing safeguards to protect the information we collect. However, you should keep in mind that no website, internet transmission, or software product is ever completely secure or error-free.

PLEASE NOTE: The safety and security of your information also depends on you. We urge you to take steps to keep your Personal Information safe, such as choosing strong passwords and never sharing your password with anyone else. If you create or receive a password in connection with our services or website, please notify us promptly if you believe your password security has been breached and remember to log off the service before you leave your computer or mobile device.

You may communicate with us through email. However, because normal email is not encrypted, the possibility exists that unauthorized individuals may intercept email messages. We and our subsidiaries and affiliates are not responsible for the privacy of email messages except those stored in our system.


A cookie is a small text file that a website saves on your computer or mobile device when you visit its site. It enables the website to remember your actions and preferences over a period of time, so you don’t have to keep re-entering them whenever you come back to the site or browse from one page to another. Cookies also help us understand which sections of our websites are the most popular as they help show which pages are being visited and for how long. This helps us adapt our websites to provide more relevant and accessible information. Cookies can be deleted or blocked by changing browser settings.

Advantages of cookies are:

  • Remembering the details as provided by the user
  • Remembering user preferences
  • Helping improve the site


To manage or delete cookies on your browser or on a mobile device, please visit the official webpage of the browser or device manufacturer and the documentation provided by them and follow their instructions.

Please note, however, that disabling cookies might affect your online experience and/or prevent you from taking full advantage of our site and some of its functionality.


California and Delaware law require us to indicate whether we honor “Do Not Track” settings in your browser concerning targeted advertising. At this time, there is no worldwide uniform or consistent industry standard or definition for responding to, processing, or communicating Do Not Track signals. Thus, like many other websites and online services, we do not currently respond to any Do Not Track browser requests.


Under California law, California residents have the right to request in writing from businesses with whom they have an established business relationship certain information about the business’s collection and use of their data, the right to request deletion of their personal information, and information about whether the business sells their Personal Information.

As stated above, HITRUST does not sell any Personal Information. We disclose it to our service providers, including Salesforce and Pardot, and to our analytics provider Google Analytics. We may share the information with our affiliates as listed above, HITRUST Alliance, Inc., and HITRUST Assessment Exchange LLC, whose use of Personal Information is also subject to this Notice.

We collect name, email and mailing address, company affiliations, your title or role with your company, your phone number, or any other contact information. This information is used to reply to any requests or inquiries you make to HITRUST and to track any such requests. The information is collected when you enter it into any website forms or contact HITRUST directly.

HITRUST does not, to its knowledge, collect information from anyone 16 years of age or younger and requests that no one 16 years of age or younger enter their Personal Information into our systems. If you are in this age group and would like access to certain HITRUST information, please call us at 469-269-1100.

Additionally, you have the right to request what Personal Information HITRUST collected, used, or sold about you. To request more specific information regarding your data than that provided herein, please contact us through the means mentioned below and reference California Disclosure Information. Please note that we are required to verify that the request is from you and are only required to respond to each customer twice per calendar year. Your information may be verified by asking your name, phone number, email address, other information previously provided to HITRUST, or what services or products you requested from HITRUST.

You also have the right to request that we delete your data. Unless HITRUST needs the data to comply with applicable law, perform contracted-for services for you and/or your company, or if other limited circumstances apply, HITRUST does not need to delete your information. If you request deletion and any of these situations apply, HITRUST will inform you that it will not be deleting the data and on what basis that decision was made.

You have the right to opt out of any communications from HITRUST using the methods described above. You also have the right to not face discrimination should you choose not to provide us personal information. Failure to do so, however, may prohibit HITRUST from responding to a request from you or otherwise doing business with you.

If you have/are an authorized agent requesting to exercise such rights, please contact HITRUST by the methods discussed below and provide documentation regarding the agent’s right to make such requests.


Under the General Data Protection Regulation (GDPR), data subjects have certain rights.

HITRUST collects your information in order to provide products and services, inform you of products, services, and other offerings, and to respond to any specific queries from you.

Information is processed based on the legitimate interests of HITRUST, which include responding to customer or potential customer inquiries, informing such individuals of our services and offerings, and tracking responses to customer requests. Given the limited information collected – typically professional contact information – HITRUST has found that these legitimate interests are not overridden by the fundamental rights and freedoms of data subjects. You may opt out of such communications at any time pursuant to the means discussed above. If you choose not to provide your personal information, HITRUST will not be able to respond to any queries or requests sent by you.

Your information is shared with our service providers or processors in order to collect and coordinate our communications with you as well as with our website analytics providers.

You have the right to have access to your information and to delete or rectify any of your information. You also have the right to lodge a complaint with a supervisory authority regarding this Notice or any of your related rights.

For more information, please contact HITRUST through the means listed below.

As of the time of this update, UK residents have the same privacy rights as residents of EEA countries.


If you reside in a country outside the EEA other than the US, please contact HITRUST at through the means listed below with any questions regarding this Notice or your privacy rights.


  • Google
    Session cookies
    These are used to help us analyze your use of our website, to ensure that connections between a Google search and our website are correct, and to disperse our advertising to interested parties. Advertising may be seen on webpages that display advertising purchased through Google, including but not limited to and
    Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, 650-253-0000,

  • LinkedIn
    Functional cookies; session cookies; persistent cookies; advertising cookies
    These are used to provide us information on form submissions, if you came to our website through a LinkedIn ad by HITRUST, and how many people who came to our website through a LinkedIn ad by HITRUST download information from our website. These help us track information provided on the website and the efficacy of our ads on LinkedIn. We also have a button on our website that directs you to HITRUST’s LinkedIn account.
    LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085,

  • LivePerson
    Functional cookies; session cookies
    These collect information on survey responses and use of our website along with communications you may have with our support team. This gives us an auditable trail for support conversations and information on what communications are coming through the website.
    LivePerson, Inc., 475 Tenth Avenue, 5th Floor, New York, NY 10018;

  • Salesforce/Pardot
    Service provider; persistent cookies
    Pardot and Salesforce collect information entered by you on the forms on our website. We may also add your information into Salesforce and/or Pardot if you contact us by other means. This information is used to move information into our customer management service for purposes of knowing what services you engaged in, what information you downloaded, and to see how you use our website. This helps us know what your interest in HITRUST is and helps us determine the value of certain content and what additional content visitors to our website may find informative.
    , Inc, Attn: Data Protection Officer, 415 Mission St., 3rd Floor, San Francisco, CA 94105,

  • SoundCloud
    Functional cookies
    These let us know if you came to our website through our ITSP magazine podcast promotion, which allows us to track the efficacy of the promotion.
    SoundCloud, Limited, Rheinsberger Str. 76/77 10115 Berlin, Germany, Attn: Data Protection Officer or

  • TrustArc
    Session cookies
    These allow our website to “remember” your cookie preferences as you move between pages on the site, so you do not need to reenter your cookie preferences on each page.
    TrustArc Inc., 111 Sutter Street, Suite 600, San Francisco, CA 94104

  • Vimeo
    Functional cookies; persistent cookies
    These track viewing of videos on our website to help us understand which videos are being watched and by whom. This helps us determine the value of certain content and what additional content visitors to our website may find informative.
    Vimeo, Inc., Attention: Data Protection Officer, 555 West 18th Street, New York, NY 10011;



Because we are committed to your privacy and laws and technologies change, this Notice may change from time to time. Updates will be posted here. This Notice was last updated on January 25, 2021.


We hope that this information is useful to you and reflects our commitment to your privacy. Please contact us via email at, via phone at 469-269-1100, or via regular mail at 6175 Main St, Suite 400, Frisco, Texas 75034 if you have any questions or concerns.

We thank you for your trust in us.
