HITRUST CSF® v9.3 Summary of Changes

Fundamental to HITRUST®’s mission is the availability of a common security and privacy framework, the HITRUST CSF (“CSF”), which provides the needed structure, transparency, guidance and cross-references to authoritative sources organizations globally need to be certain of their data protection compliance. The initial development of the CSF leveraged nationally and internationally accepted security- and privacy-related regulations, standards, and frameworks, including ISO, NIST, PCI, HIPAA, and COBIT, to ensure a comprehensive set of security and privacy controls. The CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to integrate and normalize applicable requirements and best practices as authoritative sources.

The HITRUST CSF v9.3 release includes changes based on feedback from the HITRUST community; miscellaneous corrections; added language to the glossary to better clarify terms found in the framework; and incorporation of regulatory requirements from the California Consumer Privacy Act (CCPA), the South Carolina Insurance Data Security Act (SCIDSA), and NIST SP 800-171 r2 (DFARS). These updates reflect HITRUST’s commitment to provide a framework fitting for any organization globally.

Minor administrative updates, such as the correction of grammar or formatting errors, are generally not reflected in the Summary of Changes. Simple mapping updates from one version of a source to a newer version, which do not impact existing content, are also generally not reflected.

Other Updates


Download the HITRUST CSF v9.3 free of charge.