HITRUST Releases Draft Privacy Controls For The HITRUST CSF

Integrated framework protects patient privacy while supporting the flow of health data

October 19, 2013

4 Min Read


Frisco, TX – October 17, 2013 – The Health Information Trust Alliance (HITRUST) is announcing today the release of the draft privacy controls to be added to the HITRUST CSF, resulting in the only fully integrated privacy and security framework for the U.S. healthcare industry. By incorporating privacy requirements into the CSF, organizations will now need only one framework to manage their privacy and information security compliance requirements.

With the expectation that more reliance will continue to be placed on electronic health records (EHRs) and on interoperable health information exchanges (HIEs) to improve patient care, minimize errors, reduce disparities, control costs and support public health initiatives, HITRUST believes the healthcare industry must be equipped to protect patient privacy while supporting the flow of health data in a way that benefits individuals and society.

Developed by the HITRUST Privacy Working Group and available now for public comment, the privacy controls were incorporated into the CSF to ensure better alignment between a healthcare organization's security and privacy programs and provide an integrated approach for protecting health information. The draft privacy controls were created to establish a foundation for a uniform and practical approach to implementing a privacy program, taking into account both the risk and implementation factors that organizations should consider as they work to adequately protect patient, family member and workforce privacy.

"From the beginning, HITRUST has been committed to ensuring the CSF remains relevant and current to the needs of the healthcare industry and organizations utilizing it; privacy was always a component of the initial vision," said Daniel Nutkis, chief executive officer, HITRUST. "Seven years ago when we began development of the CSF, we made a decision to focus on development and adoption of the security controls, recognizing this as the area where organizations needed greater assistance. Now, with broad adoption achieved, we can complete the vision for an integrated framework."

By incorporating privacy controls, the benefits of adopting the CSF become even greater by providing organizations with a more comprehensive and flexible framework for managing their security programs and reducing the burden of compliance with all the requirements that apply to healthcare organizations. The newly integrated framework will incorporate both privacy and security controls, but organizations will be able to choose if they wish to obtain certification against the privacy requirements, security or both, allowing them to pursue the approach and pace best suited to their needs.

"Given the multitude of federal and state regulations with privacy and security requirements, having a fully integrated privacy and security framework provides both privacy and security professionals advantages over disparate approaches," said Kimberly Gray, chief privacy officer, global, IMS Health. "By identifying the controls and requirements that support both disciplines, organizations are able to more effectively manage their information protection programs."

After conducting a review of various privacy frameworks and regulations, the HITRUST Privacy Working Group focused its efforts on the HIPAA Privacy Rule and the privacy controls contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 revision 4 (r4) Appendix J, as well as other privacy best practices recommended by organizations and experts in the healthcare industry. Based on this assessment, the group recommended the inclusion of specific privacy control categories, objectives, specifications and requirements by implementation level.

The draft privacy controls contain 125 specific changes affecting 35 controls in the CSF, with some of the most significant changes impacting confidentiality, notice, consent and disclosure requirements. The privacy controls will be incorporated into the 2014 HITRUST CSF, and ultimately the MyCSF tool to enable organizations to be able to perform privacy assessments, compliance reporting and remediation.

The draft privacy controls are available for review at HITRUSTCentral.net. Those wishing to provide comments on the draft controls must do so by November 15, 2013.


The Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the CSF, a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTAlliance.net.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights