New Version of HITRUST CSF® Incorporates California Consumer Privacy Act, NIST Cybersecurity Framework and Additional Legislation & Standards

Update Ensures the HITRUST CSF Continues to Provide the Most Comprehensive Global Privacy and Security Framework Available

FRISCO, Texas--HITRUST, a leading data protection standards development and certification organization, today announced it will release version 9.3 of its HITRUST CSF® during the third quarter of 2019.

The HITRUST CSF controls framework addresses the security, privacy, and regulatory challenges facing organizations in industries such as healthcare, financial services, retail, hospitality and travel. The v9.3 updates reflect HITRUST’s continuing commitment to facilitating adoption of the HITRUST CSF across multiple industries, both domestically and internationally.

By incorporating numerous international, federal and state governmental regulations, as well as recognized standards, the HITRUST CSF helps organizations address information risk management and compliance challenges through a comprehensive, risk-based and flexible framework of prescriptive, scalable controls. By including both privacy and security standards, the HITRUST CSF enables organizations to address the full picture of data protection. Most privacy regulations require appropriate security measures, and the HITRUST CSF helps identify which ones apply.

By allowing organizations to conduct a single, comprehensive privacy and security assessment, the HITRUST CSF encourages cooperation between the two disciplines and assists in achieving better compliance with regulatory requirements and best practices. Through the HITRUST CSF Assurance Program, organizations that obtain HITRUST CSF Certification covering both privacy and security can demonstrate that their data protection program meets a high standard.

HITRUST keeps the HITRUST CSF relevant and current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations. HITRUST CSF v9.3 will include the new requirements placed on organizations by the California Consumer Privacy Act (CCPA). Passed in 2018, the legislation takes effect January 1, 2020, with enforcement beginning July 1, 2020. The CCPA is similar in intent to the European Union’s General Data Protection Regulation (GDPR), which goes further in protecting the transmission, sharing and storage of consumer data. HITRUST CSF v9.3 also reflects the key differences between the two laws, including their applicability, their requirements for data access, and the CCPA’s detailed requirements for opt-out methods.

The HITRUST CSF v9.3 will also reflect updates to a number of authoritative sources, including:

  • Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1.
  • The Federal Risk and Authorization Management Program (FedRAMP).
  • IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information.
  • The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1.
  • South Carolina’s Bill 4655, the Insurance Data Security Act.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST Approach gives organizations an integrated information risk management and compliance approach that keeps all of those programs aligned, maintained, and comprehensive in support of the organization’s information risk management and compliance objectives.

The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment. It also provides the structure, clarity, functionality, and cross-references to authoritative sources that eliminate the need for organizations to interpret, engage with, and harmonize the multitude of frameworks and standards themselves. The HITRUST CSF draws on nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these requirements and provides clarity and consistency, reducing the burden of complying with the varied requirements that apply to organizations.

Organizations interested in assessing against any of the authoritative sources in the HITRUST CSF can do so by leveraging the HITRUST MyCSF tool. More information can be found at


Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for global organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management frameworks and related assessment and assurance methodologies.

For more information, visit


Kevin Lightfoot