HITRUST

HITRUST overview

HITRUST is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner. The CSF builds on HIPAA and the HITECH Act, and incorporates healthcare-specific security, privacy, and other regulatory requirements from existing frameworks such as the PCI DSS, ISO/IEC 27001, and MARS-E.

The CSF contains 14 control categories, comprised of 49 control objectives and 156 control specifications. HITRUST certifies IT offerings against these controls. HITRUST also adapts requirements for certification to the risks of an organization based on organizational, regulatory, and system factors.

HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered healthcare entities can measure compliance. HITRUST offers three degrees of assurance, or assessment levels:

  • Self-assessment performed by an organization, which in turn generates a HITRUST readiness assessment report. This report can't be certified; however, it can be used as a foundation for a validated assessment.
  • HITRUST CSF Validated
  • HITRUST CSF Validated Certified

Validated assessments are performed onsite by a HITRUST authorized external assessor. Each level builds with increasing rigor on the one below it. An organization with the highest level, CSF Validated Certified, meets all the CSF certification requirements.

Azure and HITRUST

Microsoft Azure is one of the first hyper-scale cloud services platforms to receive a formal certification for the HITRUST CSF in Nov-2016. Azure has maintained the HITRUST CSF certification since then.

For extra customer assistance, Microsoft provides Azure Policy regulatory compliance built-in initiative for HIPAA/HITRUST, which maps to HIPAA/HITRUST compliance domains and controls. Regulatory compliance in Azure Policy provides built-in initiative definitions to view a list of controls and compliance domains based on responsibility – customer, Microsoft, or shared. For Microsoft-responsible controls, we provide extra audit result details based on third-party attestations and our control implementation details to achieve that compliance. Each HIPAA/HITRUST control is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, compliance in Azure Policy is only a partial view of your overall compliance status. Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to more granular status.

Using the HITRUST shared responsibility and inheritance program, you can accelerate achieving HITRUST compliance for your solutions hosted on Azure. The program enables you to pre-populate your assessment with fully inherited or shared responsibility controls for Azure in the HITRUST MyCSF tool. You can also collaborate with Microsoft on your assessment.

Applicability

  • Azure
  • Azure Government

Services in scope

For a list of Microsoft cloud services in audit scope, see the Azure HITRUST certification letter or Cloud services in audit scope:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

Office 365 and HITRUST

For more information about Office 365 compliance, see Office 365 HITRUST documentation.

Attestation documents

The Azure HITRUST certification letter covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 cloud services. You can access Azure HITRUST audit documents from the Service Trust Portal (STP) Healthcare and Life Sciences section. For instructions on how to access audit reports and certificates, see Audit documentation.

Moreover, the Azure HITRUST shared responsibility matrix is available directly from HITRUST. It lists HITRUST CSF controls, clarifies shared responsibility per control (customer, shared, or Azure), and provides Azure control implementation details where appropriate.

Frequently asked questions

Can I use the Azure HITRUST certification to support my organization's certification process?
Yes. If your business requires HITRUST certification for implementations deployed on Azure, you can build on Azure HITRUST certification when you conduct your compliance assessment. However, you're responsible for evaluating the HITRUST requirements and controls within your own organization.

Does Microsoft certification mean that if my organization uses Azure, it is HITRUST compliant?
No. You're ultimately responsible for your own HITRUST CSF compliance. The Azure HITRUST shared responsibility matrix describes various responsibilities that are owned by Microsoft, you as the customer, or shared by both to achieve HITRUST CSF compliance. In all assessments, proper scoping is key to success. For cloud deployments, you should analyze the HITRUST CSF requirements to understand their intent. Correlating your responsibilities based on the shared responsibility matrix will aid you in planning ahead for a successful assessment.

As a cloud service provider, Microsoft Azure allows you to satisfy specific HITRUST CSF requirements through usage of the HITRUST CSF Inheritance Program. This reliance is dependent on which Azure offerings you're using and how you implemented them.

Most requirements, however, require an understanding of the distribution of responsibilities between you and Azure to fully meet HITRUST CSF compliance. In addition, some requirements are entirely part of your implementation responsibility to meet HITRUST CSF compliance.

How can I get the Azure HITRUST audit documentation?
For links to audit documentation, see Attestation documents.

How do I engage with Microsoft?
Sign in to the HITRUST MyCSF tool and pre-populate your assessment for your solution hosted on Microsoft Azure with either fully inherited or shared responsibility controls for Azure. A Microsoft HITRUST administrator will then complete the Microsoft part of the assessment in the MyCSF tool.

Resources