HITRUST Delays Release of CSF v10

On July 19, 2021, HITRUST issued an update regarding the status of HITRUST CSF v10. In prior updates, HITRUST had indicated that v10 would be released in May of 2021. However, they have now stated that several items were identified during their review of v10 that needed to be considered and addressed. As a result, HITRUST CSF v10 will not be released until 2022.

While HITRUST did not indicate when organizations would be required to submit assessments using v10, they have previously stated that organizations would have the choice of v10 or the current frameworks for a 12-month period after the release of v10. That would mean that most organizations would not be required to assess against v10 until 2023.

HITRUST has indicated that the goal with HITRUST CSF v10 is to make the HITRUST CSF a more flexible and efficient approach to compliance and risk management. In 2021, they have already implemented some of these changes, such as the new assessment reservation process, updates to the maturity requirements for policy and process, and dashboards to show users where their assessment is in the HITRUST QA process.

While HITRUST has delayed v10, they will be releasing CSF v9.5 in 2021 to help ensure the framework addresses risks and controls in our current environment. Additionally, they plan to release a HITRUST Privacy Certification and expand their security assessment portfolio to address requests for various levels of assurance.

HITRUST has also indicated they will continue to enhance the shared responsibility program, which allows organizations to inherit controls from external service providers and provide a tool to facilitate the delivery of the HITRUST Assessment Reports electronically.

If you are interested in how we can help your organization achieve and maintain HITRUST certification, please reach out to us at 855-670-8780 or connect@compliancepoint.com.