HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Simplified HITRUST CSF Program Helps Small Healthcare Organizations with Compliance and Risk Management

HITRUST has announced that it has updated the HITRUST CSF and has also launched a new CSF initiative specifically for small healthcare organizations to help them improve their resilience against cyberattacks.

While the HITRUST CSF – the most widely adopted privacy and security framework – can be followed by healthcare organizations to improve their risk management and compliance efforts, for many smaller healthcare organizations following the full framework is simply not viable: they lack the staff and expertise required to implement it.

While the HITRUST CSF program would benefit smaller healthcare organizations, they do not face the same level of risk as larger organizations. Given that the risks are lower and that HIPAA compliance already consumes a large share of their resources, HITRUST has developed a simpler, streamlined framework that is much better suited to small healthcare organizations.

The new framework – called CSF Basic Assurance and Simple Institution Cybersecurity, or CSFBASICs for short – uses a more streamlined assessment approach and is easier to understand, yet will still help smaller healthcare organizations with their risk management and compliance efforts.

To develop the pilot CSFBASICs program, HITRUST collaborated with small businesses and the physician community. The pilot is now in the final phase and HITRUST expects to make the CSFBASICs program widely available by Q3, 2017.

Dr. J. Stefan Walker of Corpus Christi Medical Associates (CCMA), a Corpus Christi, TX-based five-physician primary healthcare practice, explained the problem, “I really don’t know many small practices that can comply with all our regulatory obligations, including HIPAA.” Walker went on to say, “We generally don’t have the staff or the expertise, nor can we hire consultants, to manage these programs on an ongoing basis. I honestly didn’t know how my practice could be secure or demonstrate HIPAA compliance, but that was before I had the opportunity to pilot CSFBASICs.”

Enhancements Made to HITRUST CSF and CSF Assurance Program

In addition to the CSFBASICs program, HITRUST has announced enhancements to the HITRUST CSF (v8.1 and v9) and to the supporting HITRUST CSF Assurance Program (v9). The updates include new guidance and improved assurance and support to help healthcare organizations deal with the increase in cyber threats and improve their resilience against them.

HITRUST and the HITRUST CSF Advisory Council sought input from healthcare industry stakeholders on potential changes and updates to the framework, and a number of enhancements have now been made based on the comments received.

HITRUST CSF v8.1, released on February 6, 2017, includes updated content and support for PCI DSS v3.2 and MARS-E v2. The CSF Assurance Program v9 has been enhanced so that a HITRUST CSF Assessment now also includes a NIST Cybersecurity Framework certification, a HIPAA risk assessment and auditable documentation.

The HITRUST CSF v9 update includes the latest OCR Audit Protocol (v2), FedRAMP support for cloud and IaaS service providers, and the FFIEC IT Examination Handbook for Information Security. The updated version is not expected to be available until July, 2017. That will give HITRUST time to harmonize the new requirements with the current program and ensure that the changes do not add unduly to the complexity of the framework.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.