New Privacy Controls Incorporated in HITRUST Common Security Framework

by | Jan 14, 2014

The Health Information Trust Alliance (HITRUST) has revealed that version seven of the HITRUST Common Security Framework (CSF) – due to be issed later this month – will include a number of new privacy controls.

HITRUST was set up in 2007 with the aim of helping the healthcare sector with the move over to electronic health information systems. The alliance has worked with the public and private sector to implement tools to help healthcare organizations protect electronic health information systems and secure the Protected Health Information (PHI) they contain.

Numerous programs have been supported over the period of the past 15 years, with the development of its Compliance Management Framework (CSF) the most publicly known. It has been adopted by over 84% of health plans and hospitals and is currently the most known used security framework in the United States healthcare sector

The HITRUST Privacy Working Group has been developing a number of new privacy controls for the last 18 months to help HIPAA-covered entities better structure their privacy and security programs. The HITRUST PWC made a number of approvals and the specific privacy control categories, objectives, specifications and requirements have now been included in the CSF.

Angela Holzworth, senior information risk analyst at HITRUST, stated “The new HITRUST CSF privacy domain facilitates an integrated approach to protect personal health information, aids in regulatory compliance, is consistent with healthcare industry trends, and enhances the current HITRUST CSF.”

“From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it. Privacy was always seen as a component of a complete framework,”according to Daniel Nutkis, Chief Executive Officer of HITRUST. He added “Seven years ago when we began to create the CSF, we focused on the development and adoption of the security controls as a means to drive greater compliance by organizations with the HIPAA security requirements. Now that we have achieved broad adoption, we can join privacy controls with the framework.”

Michelle Nader, Staff Vice President (Ethics & Compliance) and CPO of Anthem, Inc., remarked by saying “By identifying the controls and requirements that support both disciplines, organizations now have the option to certify their programs for security, privacy, or both.”

HITRUST also announced that the seventh version of its CSF would also include Minimum Acceptable Risk Standards for Exchanges (MARS-E) and the organization would be publishing new guidance for cyber security. It has also improved its risk factors and assurance methodology and is now refreshing MyCSF to include the new privacy controls.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy