HITRUST FAQs

1. What is HITRUST?
The Health Information Trust Alliance (HITRUST) was established out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, established the HITRUST Common Security Framework (CSF), a certifiable framework that all healthcare organizations that create, access, store or exchange electronic health and other sensitive health information can implement. HITRUST, a not-for-profit, is led by a seasoned management team and governed by an Executive Council comprised of leaders from across the healthcare industry and its supporters.
2. What is the HITRUST CSF?
The HITRUST Common Security Framework (CSF) is a framework that normalizes the security requirements of healthcare organizations, including federal (e.g., ARRA and HIPAA), state (Massachusetts), third party (e.g., PCI and COBIT) and government (e.g., NIST, FTC and CMS). The CSF is not a new standard; this is a misconception. The CSF supplements the existing controls with the industry knowledge and leading practices of HITRUST's community and provides the clarity and consistency lacking in many standards and regulations. Because of this, the CSF is the only framework that is built to provide scalable security requirements based on the different risks and exposures of organizations in the healthcare industry.
3. How many organizations have adopted the CSF?
HITRUST does not publish a list of organizations adopting the CSF, but as of April 2011 more than 62 percent of hospitals and 74 percent of health plans with more than 500,000 members are utilizing the CSF. In addition, we continue to see increasing interest in the CSF, as reflected in our growing member base on HITRUST Central, which houses the CSF. We have active participation from organizations representing providers, health plans, manufacturers, pharmacies, PBMs, clearinghouses, health information and data exchanges, information technology and security companies, professional services firms, and increasingly states as they establish state-wide Health Information Exchanges (HIEs).
4. How will the HITRUST framework incorporate future security standards that may be mandated by state and federal governments?
HITRUST is committed to providing regular updates to the CSF so that it remains current with the needs of the organizations adopting it. The CSF is a dynamic, prescriptive framework that not only adapts quickly to changes in regulatory standards and requirements, but also incorporates feedback from the organizations adopting it, ensuring its continued relevance to the healthcare industry and the organizations that rely on it to lessen the cost and burden of their compliance efforts. The guidance and best practices embodied in the CSF will continue to be refined based on the elements that present the greatest security risks to organizations. Recent updates included a number of changes, such as the addition of certification control requirements to protect against Web application vulnerabilities, improve password strength and management, and manage electronic media and hard copy destruction in accordance with the guidance associated with HITECH.
5. Does the government recognize the CSF as an acceptable means for addressing information security?
In May 2010, the Office for Civil Rights (OCR) issued guidance on performing a risk assessment and included a reference to the HITRUST Common Security Framework (CSF) as a valuable resource for the industry.
6. How do I access the CSF?
The HITRUST CSF is available by subscribing to HITRUST Central, the online community for healthcare information security professionals. Individuals can register for one of two annual subscription options — Standard and Professional. A Standard subscription, which includes access to the core CSF in PDF form, is available at no charge to individuals from qualified organizations; Professional subscriptions are available for an annual fee based on organization type. The Professional subscription gives five individuals in the purchasing organization access to HITRUST Central and to the online, interactive version of the CSF, the authoritative sources and the CSF Assurance Kit. The annual price of the Professional version is $5,500 for qualified organizations and $10,000* for all other organizations (i.e., professional services and technology organizations).

A qualified organization is any organization employing a function or activity involving the use or disclosure of individually identifiable health information, provided that said organization does not provide technology or security products or services. Additionally, any federal, state, or local agency or department may qualify for a Standard subscription. HITRUST has the right to verify eligibility.

* Includes one seat in HITRUST Training for Practitioners
7. How do I adopt the CSF?
HITRUST recommends that when adopting the CSF you seek assistance from a professional who has completed the HITRUST Training for Practitioners Course and has been certified to perform CSF-related assessment, implementation, remediation and certification activities. In addition, CSF Assessor organizations are available to assist with adoption of the CSF. CSF Assessors are organizations that have been approved by HITRUST to perform CSF-related services. CSF Assessors are critical to HITRUST's efforts to provide trained resources to healthcare organizations of varying size and complexity, to assess compliance with security control requirements and to document corrective action plans that align with the CSF. HITRUST requires an organization to meet certain criteria in order to become accredited as a CSF Assessor.
8. What is HITRUST Central?
HITRUST Central is a managed, online community designed to be a resource for healthcare information security professionals who wish to more efficiently and cost-effectively enhance the security of their organizations, comply with standards and regulations, and collaborate with industry peers. Through HITRUST Central, organizations can access the CSF, use the CSF Assurance Kit to perform self-assessments or undergo an assessment by a HITRUST CSF Assessor, collaborate and share experiences with peers through blogs and forums, and request support.
9. How do I arrange for someone to come speak about HITRUST and the CSF at my event?
For information about a HITRUST representative speaking at your event, please contact HITRUST's Director of Marketing and Communications at pr@hitrustalliance.net or 972-330-4919.
10. I still have questions. Who should I talk to?
For additional information or if you have questions not addressed here, please call HITRUST at 972-330-4900 or email info@hitrustalliance.net.