HITRUST CSF Assurance Program

The HITRUST CSF Assurance Program delivers simplified compliance assessment and reporting for HIPAA, HITECH, state, and business associate requirements. Leveraging the Common Security Framework (CSF), the program provides healthcare organizations and their business associates with a common approach to manage security assessments that creates efficiencies and contains costs associated with multiple and varied assurance requirements.

The CSF Assurance Program includes the risk management oversight and assessment methodology governed by HITRUST and designed for the unique regulatory and business needs of the healthcare industry. Also available through the program is the CSF Assurance Kit, which serves as the only practical means for an organization to perform a self assessment or undergo an assessment conducted by a third party. The Kit includes the CSF Assessment Tool featuring the CSF Compliance Worksheet and Common Health Information Protection (CHIP) Questionnaire, and optional templates for scoping an environment and managing a test plan.

For organizations wanting to quickly and efficiently assess their security controls to understand their risk exposure, the self-assessment option available through HITRUST is the only practical means of achieving this through a common and accepted approach. In addition, HITRUST offers the CSF Assessment for Small Organizations as a practical and effective solution for organizations with annual revenue less than $25 million that want to perform accurate and meaningful assessments of their information security environment.

HITRUST also offers the CSF Products and Services Guide, an online tool that simplifies the process for IT security and compliance professionals needing to identify products or services both within and independent of the CSF to aid them in addressing assessment results and their overall compliance efforts.

Assisting in the documentation of findings and preparation of reports are CSF Assessors - those organizations uniquely qualified to deliver services under the CSF Assurance Program.

CSF Assurance Program benefits include:

  • Reduced costs and complexity. Through the adoption of a common set of security objectives and assessment processes, the CSF Assurance Program streamlines how healthcare organizations manage business-associate compliance. Business associates can assess once and report to their many constituents, while healthcare organizations and other external parties benefit from a more complete and effective assessment process.
  • Managed risk. Through a commercially reasonable process, organizations will achieve increased insight into their internal and third-party risks. By freeing resources from reacting to new requirements and audits, organizations can take a proactive approach focusing on the other building blocks of an effective security management program.
  • Simplified compliance. Organizations benefit from a consistent and efficient approach for reporting compliance with internal stakeholders, HIPAA, HITECH, state, and business associates.
Read the brochure to learn more about how the program simplifies the assessment and reporting process.
View the complete list of program requirements.
View a sample CSF Assurance Program Assessment Report - Validated.
View a sample CSF Assurance Program Assessment Report - Certified.

HITRUST Central

A Professional subscription provides access to the online, interactive CSF , the CSF Assurance Kit, and many other resources developed specifically for healthcare information security professionals.

CSF Assurance Program

Learn how the program simplifies compliance assessment and reporting through a common set of information security requirements.

News Events