The HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
The HITRUST CSF:
- Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT and State laws
- Scales controls according to type, size and complexity of an organization
- Provides prescriptive requirements to ensure clarity
- Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds
- Allows for the adoption of alternate controls when necessary
- Evolves according to user input and changing conditions in the healthcare industry and regulatory environment on an annual basis
- Provides an industry-wide approach for managing Business Associate compliance
Qualified Organizations can download the HITRUST CSF free of charge. MyCSF, a secure, Web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance offers a customized version of this framework and helps in implementation.
*A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide security products or services. Additionally, any federal, state, or local agency or department may qualify. HITRUST has the right to verify eligibility.