HITRUST CSF® v9.2 Summary of Changes

Fundamental to HITRUST’s mission is the availability of a common information protection framework, the CSF, that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.

The HITRUST CSF v9.2 release includes changes based on feedback from the HITRUST community; miscellaneous corrections; the shift to an agnostic framework; the restructuring of category 13; and the incorporation of regulatory requirements from the Personal Data Protection Act (PDPA). These updates reflect HITRUST’s commitment to facilitating application of the CSF across multiple industries, both nationally and internationally, which will continue in the next major release of the framework.

Minor administrative updates, such as the correction of grammar or formatting errors, are generally not reflected in the Summary of Changes. Simple mapping updates from one version of a source to a newer version, which do not impact existing content, are also generally not reflected.

Other Updates


Download the HITRUST CSF v9.2 free of charge.