HITRUST Common Security Framework (CSF)


    The HITRUST Common Security Framework (“HITRUST CSF”) is a certifiable framework developed by the Health Information Trust Alliance (“HITRUST”) in collaboration with privacy, information security and risk management leaders from the public and private sectors. HITRUST is a privately held company, located in the U.S.

    Last Updated: July 30, 2019


    HITRUST CSF is the foundation of all HITRUST Programs. It aims to address the multitude of security, privacy and regulatory challenges facing organizations. The framework provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. It also offers an industry-wide approach for managing Business Associate compliance. It is both risk-based and compliance-based.

    Under HITRUST CSF, relevant regulations and standards are rationalized into a single overarching security framework. The framework provides the needed structure, clarity, functionality and cross-references to authoritative sources. It allows organizations to tailor security control baselines based on the organization type, size, systems, and regulatory requirements. Through the risk-based approach, the framework also offers multiple levels of implementation requirements determined by specific risk thresholds.

    HITRUST CSF is based on both national (federal and state) and international standards, including ISO, NIST, PCI and HIPAA. By normalizing the security requirements under these standards, the framework provides clarity and consistency for compliance, reducing the burden of meeting the various requirements separately. HITRUST continues to update the CSF framework as new regulations and security risks emerge. Revisions are made on an annual basis.

    HITRUST CSF v.9.2

    HITRUST CSF v.9.2 is the latest version of the HITRUST CSF. The new version marked a shift to a more industry-agnostic approach to better align with existing privacy frameworks. Specifically, this version:

    • Integrated the Singapore Personal Data Protection Act (PDPA)
    • Incorporated additional plain language interpretation of the EU General Data Protection Regulation (GDPR)
    • Revised the HITRUST CSF Control Category for Privacy Practices to pull HIPAA-related requirements into a separate segment in all categories
