What is a HITRUST CSF Self-Assessment?

Organizations that want to demonstrate their compliance with HITRUST have a few options with increasing levels of assurance, known as Degrees of Assurance. The first and simplest level is the HITRUST CSF Self-Assessment. Here’s what you need to know about the HITRUST CSF Self-Assessment, how it works, and how to determine if the self-assessment option is sufficient for your organization.

Many people fail to realize that the Health Information Trust Alliance, known simply as HITRUST, is not a framework at all, but an organization comprised of healthcare industry leaders who regard information security as a fundamental component of data systems and exchanges. The HITRUST organization, in partnership with other technology and information security leaders, created and maintains the Common Security Framework (CSF).

The HITRUST CSF harmonizes standards such as HIPAA, NIST, PCI, and ISO to create a single reference with required controls mapped to each standard. There are 19 control domains and 156 specific controls overall. Within each control, there are three different implementation levels, allowing organizations to build a customized compliance program based on the size of the company, the number of health records stored, and other risk factors.

What is a HITRUST CSF assessment?

Organizations can gauge their compliance with the HITRUST CSF by performing several types of assessments. Among those types, what is a HITRUST self-assessment specifically?

  • HITRUST CSF self-assessment is simply an organization completing the CSF through HITRUST's myCSF tool on its own. It is valuable, typically as an internal tool, because it's done with a standardized framework.

  • External parties don't verify any aspect of this type of assessment. It results in a HITRUST-issued CSF Self-Assessment Report.

  • Every HITRUST assessment begins with gathering information on the entity being assessed. This information is used to gauge the organization, system, and regulatory requirements for the assessment to determine the risk and scope.

What is myCSF?

HITRUST's myCSF tool is a SaaS information risk management platform providing assessment tools for organizations to achieve and maintain regulatory compliance with international, federal, and state regulations, including HIPAA, NIST, ISO, and other standards.

With myCSF, organizations can perform CSF assessments and risk assessments, manage corrective action plans, and measure against industry benchmarks. Organizations can tailor assessments to their specific needs by selecting broad regulatory factors or specific control requirement statements. After answering a series of scoping questions, organizations receive a customized assessment based on factors such as organization size and the number of health records it manages. The CSF assessment results identify the areas in which the organization meets CSF requirements at its specific implementation level and reveal areas for improvement to achieve full compliance. Using the myCSF tool, organizations can quickly identify non-compliance issues and create targeted corrective action plans to speed the path to compliance.

What is a HITRUST assessment report?

After completing a self-assessment through myCSF, organizations receive a HITRUST Self-Assessment Report. The report reveals areas for improvement as well as areas in which the organization already has the necessary controls in place for compliance (based on the organization's implementation level for each control). A report-only option is available for myCSF, which provides access to the tool for 90 days and starts at $2,500 (costs are based on the organization's net income). A yearly subscription is also available, starting at about $10,000, for organizations that prefer continuous access for ongoing auditing and assessment. Corporate and premier subscriptions are also available for large organizations and enterprises.

How do I get HITRUST certified?

The HITRUST CSF Self-Assessment is the lowest Degree of Assurance; however, it is also the starting point for organizations that want to achieve a higher Degree of Assurance, such as CSF Verified or CSF Certified. If either of these Degrees of Assurance is pursued, the CSF self-assessment is a required first step in the process.

Why does HITRUST matter?

As healthcare becomes ever more dependent on evolving technologies to store and transmit data, cybersecurity and compliance have become a progressively emphasized, yet convoluted, matter. Navigating the tortuous labyrinth of federal, state, and third-party security mandates has become a feat that can quickly consume an organization's resources. If that isn't enough, getting through all the twists, turns, and pitfalls to achieve compliance is only half the battle. Healthcare organizations and IT vendors must also prove their compliance to demonstrate that they are a trusted business partner. All things considered, isn't it obvious that the industry needs a system that is clear, standard, and secure? Thankfully, that's exactly what HITRUST has established in order to put the trust in data security.

Healthcare is complex and can seem overwhelming, but it doesn't have to be. Whether you're an industry professional or not, it is commonly felt that more time is spent understanding the healthcare conundrum than solving it. That's where Datica comes in. We have set out to investigate the underlying logic behind the astounding regulatory maze of this field and distill the information for those searching for it. Why spend your time mastering the problem when you could be discovering the innovative solutions?

HITRUST isn't easy, and it shouldn't be. The experience we've gained as a company and the extensive testing of our technology bring great value to our customers.

For more information on HITRUST, check out the Datica Blog. Additional questions? Get in touch.