Press release

New Version of HITRUST CSF® Incorporates California Consumer Privacy Act, NIST Cybersecurity Framework and Additional Legislation & Standards

Sponsored by Businesswire

HITRUST, a leading data protection standards development and certification
organization, today announced it will release version 9.3 of its HITRUST
CSF® during the third quarter of 2019.

The HITRUST CSF controls framework addresses security, privacy, and
regulatory challenges facing organizations in industries such as
healthcare, financial services, retail, hospitality and travel. These
updates reflect HITRUST’s continuing commitment to facilitate HITRUST
CSF’s adoption in multiple industries, both domestically and

By incorporating numerous international, federal and state governmental
regulations as well as recognized standards, the HITRUST CSF helps
organizations address information risk management and compliance
challenges through a comprehensive, risk-based flexible framework of
prescriptive and scalable controls. By including both privacy and
security standards, the HITRUST CSF uniquely enables organizations to
address the big picture of data protection. Most privacy regulations
require appropriate security measures, which the HITRUST CSF helps

By allowing organizations to conduct a comprehensive privacy and
security assessment, the HITRUST CSF encourages cooperation between
these disciplines and assists in achieving better compliance with
regulatory requirements and best practices. Through the HITRUST CSF
Assurance Program, organizations that obtain HITRUST CSF Certification
covering both privacy and security can demonstrate that they are
achieving high standards in their data protection program.

HITRUST keeps the HITRUST CSF relevant and current to the needs of
organizations by regularly updating the framework to incorporate new
standards and regulations. HITRUST CSF v9.3 will include
new requirements placed on organizations by the California Consumer
Privacy Act (CCPA). Passed in 2018, the new legislation takes effect
January 1, 2020 with enforcement of the new law taking effect on July 1,
2020. The CCPA is similar to the European Union’s General Data
Protection Regulation (GDPR) which takes additional steps to protect the
transmission, sharing and storage of consumer data. HITRUST CSF v9.3
also reflects key differences of the two laws, including the
applicability, requirements for data access, and detailed requirements
about opt-out methods.

The HITRUST CSF v9.3 will also reflect updates to a number of
authoritative sources, including:

  • Centers for Medicare & Medicaid Services’ (CMS) Information Security
    ARS: CMS Minimum Security Requirements for High Impact Data, version
  • The Federal Risk and Authorization Management Program (FedRAMP).
  • IRS Publication 1075: Tax Information Security Guidelines for Federal,
    State and Local Agencies: Safeguards for Protecting Federal Tax
    Returns and Return Information.
  • The National Institute of Standards and Technology’s (NIST) Framework
    for Improving Critical Infrastructure Cybersecurity: Framework Core –
    Subcategories, v1.1.
  • South Carolina’s Bill 4655, the Insurance Data Security Act.

HITRUST understands the challenges of assembling and maintaining the
many and varied programs needed to manage information risk and
compliance. The HITRUST Approach provides organizations an integrated
information risk management and compliance approach that ensures all
programs are aligned, maintained, and comprehensive to support an
organization’s information risk management and compliance objectives.

The HITRUST CSF provides the depth and breadth of controls organizations
need to efficiently and effectively assess the strength of their
risk-based protection programs and their compliance with multiple
regimes through one assessment, as well as the structure, clarity,
functionality, and cross-references to authoritative sources,
eliminating the need for organizations to interpret, engage, and
harmonize the multitude of frameworks and standards. The HITRUST CSF
leverages nationally and internationally accepted standards and
regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure
a comprehensive set of baseline security and privacy controls. The CSF
normalizes these requirements and provides clarity and consistency,
reducing the burden of compliance with the varied requirements that
apply to organizations.

Organizations interested in assessing against any of the authoritative
sources in the HITRUST CSF can do so by leveraging the HITRUST MyCSF
tool. More information can be found at


Since it was founded in 2007, HITRUST has championed programs that
safeguard sensitive information and manage information risk for global
organizations across all industries and throughout the third-party
supply chain. In collaboration with privacy, information security and
risk management leaders from the public and private sectors, HITRUST
develops, maintains and provides broad access to its widely adopted
common risk and compliance management frameworks and related assessment
and assurance methodologies.

For more information, visit