Contact us


HITRUST works with prominent healthcare organizations to create a cyber threat intelligence and incident coordination capability for the Healthcare Sector.

HITRUST has developed the HITRUST CSF, a certifiable framework that provides organizations with the needed structure, detail and clarity relating to information protection. With input from leading organizations, HITRUST identified a subset of the HITRUST CSF control requirements that an organization must meet to be HITRUST CSF Certified. HITRUST performed a quality assurance review to ensure that the control maturity scores were consistent with the results of testing performed by the Authorized External Assessor. meets the HITRUST CSF v9.4 certification criteria for: Minuteful Kidney test, Kidney Check, Call center application - HEART, Minuteful for Wound hosted at the Google Cloud Platform (GCP) and Amazon Web Services (AWS).

HITRUST is an organization governed by representatives from the healthcare industry.

The Health Insurance Portability and Availability Act (HIPAA) requires that healthcare organizations and their business associates establish security controls that protect sensitive information. Personal Health Information (PHI) and electronic PHI (ePHI) is defined as information about a person’s health that can be linked back to the individual.

HIPAA’s security requirements integrate several industry standards, frameworks, and regulatory requirements including but not limited to COBIT, ISO, NIST, and PCI DSS. To better manage HIPAA compliance requirements, many organizations choose to become HITRUST CSF certified.

HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA and the HITECH Act, and incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI DSS, ISO/IEC 27001, and MARS-E.

The CSF is divided into 19 different domains, including endpoint protection, mobile device security, configuration management, vulnerability management, network protection, access control, and others. HITRUST certifies IT offerings against these controls. HITRUST also adapts requirements for certification to the risks of an organization based on organizational, system, and regulatory factors.

HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered health entities can measure compliance. HITRUST offers three degrees of assurance, or levels of assessment: self-assessment, CSF-validated, and CSF-certified. Each level builds with increasing rigor on the one below it. An organization with the highest level, CFS-certified, meets all the CSF certification requirements.

Request the HITRUST validated assessment report.


Learn more