Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)

HITRUST — CSF overview

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

The CSF builds on HIPAA and the HITECH Act, which are US healthcare laws that have established requirements for the use, disclosure, and safeguarding of individually identifiable health information, and that enforce noncompliance. HITRUST provides a benchmark — a standardized compliance framework, assessment, and certification process — against which cloud service providers and covered health entities can measure compliance. The CSF also incorporates healthcare-specific security, privacy, and other regulatory requirements from such existing frameworks as the Payment Card Industry Data Security Standard (PCI-DSS), ISO/IEC 27001 information security management standards, and Minimum Acceptable Risk Standards for Exchanges (MARS-E).

The CSF is divided into 19 different domains, including endpoint protection, mobile device security, and access control. HITRUST certifies IT offerings against these controls. HITRUST also adapts requirements for certification to the risks of an organization based on organizational, system, and regulatory factors.

Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)

HITRUST offers three degrees of assurance, or levels of assessment: self-assessment, CSF validated, and CSF-certified. Each level builds with increasing rigor on the one below it. An organization with the highest level, CSF-certified, meets all the certification requirements of the CSF. Microsoft Azure and Office 365 are the first hyperscale cloud services to receive certification for the HITRUST CSF. Coalfire, a HITRUST assessor firm, performed the assessments based on how Azure and Office 365 implement security, privacy, and regulatory requirements to protect sensitive information. Microsoft supports the HITRUST Shared Responsibility Program.

Learn how to accelerate your HITRUST deployment with our Azure Security and Compliance Blueprint.

Download the Microsoft Azure HITRUST Customer Responsibility Matrix (CRM) blueprint v9.0d

Microsoft in-scope cloud services

Audits, reports, and certificates

The HITRUST CSF certification of Azure and Office 365 is valid for two years.

Accelerate your deployment of HIPAA/HITRUST solutions on Azure

Get a head start on taking advantage of the benefits of the cloud for health data solutions with the Azure Security and Compliance Blueprint — HIPAA/HITRUST Health Data and AI. This blueprint provides tools and guidance to get you started building HIPAA/HITRUST solutions today.

Start using the Azure HIPAA/HITRUST Blueprint

Accelerate your HIPAA/HITRUST compliance when using Office 365

Use Office 365 to manage health information in a secure and compliant way with Compliance Score, which enables you to perform risk assessments against health regulations like HIPAA and security control frameworks like NIST CSF and NIST 800-53. You can follow step-by-step guidance to know how to implement and maintain data protection controls that help you meet healthcare compliance obligations.

Start using Compliance Score

Collaborate with Microsoft in the HITRUST Shared Responsibility Program

Accelerate achieving HITRUST compliance for your solution hosted on Microsoft Azure by pre-populating your assessment with fully inherited or shared responsibility controls for Azure in the HITRUST MyCSF tool, and collaborating with Microsoft on your assessment.

Learn more

Frequently asked questions

Can I use the Azure HITRUST compliance to build on my organization's certification process?

Yes. If your business requires a HITRUST certification for implementations deployed on Microsoft services, you can build on Azure HITRUST compliance when you conduct your compliance assessment. However, you are responsible for evaluating the HITRUST requirements and controls within your own organization.

How can I get a copy of the HITRUST certification?

You can download a copy of letter of certification for Azure and Office 365.

What are the in-scope services for Office 365?

The in-scope services of HITRUST CSF certification are Exchange Online Archiving, Exchange Online Protection, Exchange Online, Skype for Business, Admin Center, SharePoint Online, Project Online, OneDrive for Business, Office Online, MyAnalytics, Microsoft Teams, Microsoft 365 Apps for enterprise in Office 365 Multi-tenant cloud and Office 365 GCC.

Note

Microsoft 365 Apps for enterprise enables access to various cloud services, such as Roaming Settings, Licensing, and OneDrive consumer cloud storage, and may enable access to additional cloud services in the future. Roaming Settings and Licensing support the standards for HITRUST. OneDrive consumer cloud storage does not, and other cloud services that are accessible through Microsoft 365 Apps for enterprise and that Microsoft may offer in the future also may not, support these standards.*

Why are some Office 365 services not in the scope of this certification?

Microsoft provides the most comprehensive offerings compared to other cloud service providers. To keep up with our broad compliance offerings across regions and industries, we include services in the scope of our assurance efforts based on the market demand, customer feedback, and product lifecycle. If a service is not included in the current scope of a specific compliance offering, your organization has the responsibility to assess the risks based on your compliance obligations and determine the way you process the data in that service. We continuously collect feedback from customers and work with regulators and auditors to expand our compliance coverage to meet your security and compliance needs.

Does Microsoft certification mean that if my organization uses Azure or Office 365, it is compliant with HITRUST CSF?

When you store your data in a SaaS like Office 365, it’s a shared responsibility between Microsoft and your organization to achieve compliance. Microsoft manages majority of the infrastructure controls including physical security, network controls, application level controls, etc., and your organization has the responsibility to manage access controls and protect your sensitive data. The Office 365 HITRUST certification demonstrates the compliance of Microsoft’s control framework. Building on that, your organization needs to implement and maintain your own data protection controls to meet HITRUST CSF requirements.

Does Microsoft provide guidance for my organization to implement appropriate controls when using Office 365?

Yes, you can find recommended customer actions in Compliance Score, cross-Microsoft Cloud solutions that help your organization meet complex compliance obligations when using cloud services. Specifically, for HITRUST CSF, we recommend that you perform risk assessments using the NIST 800-53 and NIST CSF assessments in Compliance Score. In the assessments, we provide you with step-by-step guidance and the Microsoft solutions you can use to implement your data protection controls. You can learn more about Compliance Score in Microsoft Compliance Score.

How do I engage with Microsoft?

Log in to the HITRUST MyCSF® tool and pre-populate your assessment for your solution hosted on Microsoft Azure with either fully inherited or shared responsibility controls for Azure. A Microsoft HITRUST Administrator will then complete their part of the assessment using their account on the MyCSF® tool.

Resources