HITRUST CSF

Overview

• What is the relationship between HITRUST CSF and HIPAA?

  The HITRUST CSF serves to unify security controls based on aspects of US federal law (such as HIPAA and HITECH), state law (such as Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth), and recognized non-governmental compliance standards (such as PCI DSS) into a single framework that is tailored for healthcare needs.

  The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US federal law. Some of the requirements of HIPAA provide the basis for certain security controls of HITRUST CSF. AWS customers should consult their legal advisors to understand how HIPAA, or related laws, apply to them.
  

• Is AWS HITRUST certified?

  Certain AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF Assessor as meeting the HITRUST CSF v9.6 Certification Criteria. The full list of AWS services that were audited by a third-party auditor and certified under HITRUST CSF is available on the AWS Services in Scope by Compliance Program page. You can view and download our HITRUST CSF certification on demand through AWS Artifact.

• How can customers leverage AWS in their own HITRUST CSF compliance?

  AWS customers can design and implement an AWS environment and use AWS services to help them meet the requirements of the HITRUST CSF. Customers may look to leverage the AWS HITRUST CSF certification of AWS services to support their own HITRUST CSF certification. Please refer to the AWS HITRUST CSF Certification. AWS also provides additional whitepapers, and best-practice guides on the AWS Compliance Resources webpage.
  

• What services can I use in my AWS account if I am seeking HITRUST CSF certification or already have HITRUST CSF certification?

  For customers seeking HITRUST CSF certification, AWS customers can design and implement an AWS environment, and use AWS services to help them meet the requirements of the HITRUST CSF. Customers may look to the AWS HITRUST CSF Certification to support their own HITRUST CSF certification for in-scope services. Customers may leverage AWS HITRUST CSF certified services to support the HITRUST CSF validation process (for example, customers may use AWS Key Management Service, which is a covered service, to manage keys in their HITRUST CSF environment). For the latest list of HITRUST CSF certified AWS services, see the AWS Services in Scope by Compliance Program webpage. Many HITRUST CSF certified AWS services are also HIPAA-eligible services, which can be found on the HIPAA Eligible Services Reference webpage. Customers may also use any other AWS service as part of their HITRUST CSF certified environment subject to the customer’s own assessment of the service’s suitability for the application. For other services used in your HITRUST CSF environment, please see other AWS security accreditations and attestations for those services on the AWS Compliance Programs webpage.
  

• Does HITRUST require that health information be encrypted?

  Entities seeking HITRUST certification are required to take steps to safeguard health information and it is the responsibility of each entity to determine whether encryption is appropriate to satisfy its security obligations. AWS recommends that health information always be encrypted at rest and in transit.
  

• Can AWS customers inherit AWS HITRUST Certification?

  Yes, AWS customers can inherit AWS HITRUST CSF certification provided that customers use only in-scope services and apply the controls detailed in the HITRUST Alliance website. Customers should download AWS Custom HITRUST Shared Responsibility Matrix to determine HITRUST controls hat AWS customers can inherit as part of the shared responsibility model. Customers should refer to the HITRUST webpage for guidance on how to initiate an inheritance request.