The Health Information Trust Alliance Common Security Framework (HITRUST CSF) leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, and HIPAA to create a comprehensive set of baseline security and privacy controls.
HITRUST has developed the HITRUST CSF Assurance Program, which incorporates the common requirements, methodology, and tools that enable an organization and its business partners to take a consistent and incremental approach to managing compliance. Further, it allows business partners and vendors to assess and report against multiple sets of requirements.
AWS customers can design and implement an AWS environment, and use AWS services in a manner that supports the requirements of HITRUST CSF. Customers can also leverage certain controls established under the HITRUST CSF validated assessment of AWS services.
What is the relationship between HITRUST CSF and HIPAA?
The HITRUST CSF serves to unify security controls based on aspects of US federal law (such as HIPAA and HITECH), state law (such as Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth), and recognized non-governmental compliance standards (such as PCI DSS) into a single framework that is tailored for healthcare needs.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US federal law. Some of the requirements of HIPAA provide the basis for certain security controls of HITRUST CSF. AWS customers should consult their legal advisors to understand how HIPAA, or related laws, apply to them.
Is AWS HITRUST certified?
Certain AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF Assessor as meeting the HITRUST CSF v9.1 Certification Criteria. The certification is valid for two years, describes the AWS services that have been validated, and can be accessed here:
How can customers leverage AWS in their own HITRUST CSF compliance?
AWS customers can design and implement an AWS environment and use AWS services to help them meet the requirements of the HITRUST CSF. Customers may look to leverage the AWS HITRUST CSF certification of AWS services to support their own HITRUST CSF certification. Please refer to the AWS HITRUST CSF Certification. AWS also provides additional whitepapers, and best-practice guides on the AWS Compliance Resources webpage.
What services can I use in my AWS account if I am seeking HITRUST CSF certification or already have HITRUST CSF certification?
For customers seeking HITRUST CSF certification, AWS customers can design and implement an AWS environment, and use AWS services to help them meet the requirements of the HITRUST CSF. Customers may look to the AWS HITRUST CSF Certification to support their own HITRUST CSF certification for in-scope services. Customers may leverage AWS HITRUST CSF certified services to support the HITRUST CSF validation process (for example, customers may use AWS Key Management Service, which is a covered service, to manage keys in their HITRUST CSF environment). For the latest list of HITRUST CSF certified AWS services, see the AWS Services in Scope by Compliance Program webpage. Many HITRUST CSF certified AWS services are also HIPAA-eligible services, which can be found on the HIPAA Eligible Services Reference webpage. Customers may also use any other AWS service as part of their HITRUST CSF certified environment subject to the customer’s own assessment of the service’s suitability for the application. For other services used in your HITRUST CSF environment, please see other AWS security accreditations and attestations for those services on the AWS Compliance Programs webpage.
Does HITRUST require that health information be encrypted?
Entities seeking HITRUST certification are required to take steps to safeguard health information and it is the responsibility of each entity to determine whether encryption is appropriate to satisfy its security obligations. AWS recommends that health information always be encrypted at rest and in transit.