Articles & Blogs

HITRUST just released Version 9.3 of the HITRUST CSF. How will that affect your company?

November 20, 2019 | By Accorian

On October 28, 2019, HITRUST announced the release of version 9.3 of the HITRUST CSF information risk and compliance management framework.

The HITRUST CSF is an important step in the HITRUST certification process. It provides necessary risk management and compliance methods that helps organizations ensure that their security programs are aligned and meets compliance standards.

This new version of HITRUST CSF includes changes requested by the HITRUST community, corrections as needed and updated language to the glossary that effectively clarify terms found in the HITRUST framework.

New authoritative sources:

The California Consumer Privacy Act (CCPA) 1798 – Effective January 1, 2020, this act requires qualifying organizations to protect California consumer data and gives them the option to opt-out sharing of their data. HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act, but the amendments made thereto during the recent California Legislative Session.

NIST SP 800-171 R2 (DFARS) – provides guidance to protect controlled unclassified information in nonfederal systems and organizations. HITRUST CSF provides the controls needed to implement NIST Cybersecurity Framework effectively. A company can certify its implementation of the NIST Cybersecurity Framework by using the widely adopted HITRUST assurance program. A 2018 Government Accountability Office (GAO) Report to Congress recognized the alignment of the HITRUST CSF to the NIST Cybersecurity Framework.

The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – Effective January 1, 2019, the SCIDSA requires qualifying organizations to report and investigate cybersecurity events within specific time frames. HITRUST v9.3 provides controls needed for risk management and due diligence.

Updates to existing sources in HITRUST CSF:

  • AICPA 2017
  • CIS CSC v7.1
  • ISO 27799:2016
  • CMS/ARS v3.1
  • IRS Publication 1075 2016
  • NIST Cybersecurity Framework v1.1

How will it affect your company?

Organizations that are currently involved in a HITRUST assessment using version 9.2 will not be impacted by this new update. However, HITRUST plans to release version 10 in Q4 2020 that will include more enhancements to make the framework more efficient.

Premal Parikh, Managing Director of Accorian says, “The inclusion of these security acts shows that HITRUST is determined to stay up to date on the new information security advancements.”

To learn more about HITRUST CSF v9.3 contact one of our HITRUST practitioners and we can help you get informed about these updates.

To download the HITRUST CSF go to:

HITRUST Press release –

Recent Blog

Ready to Start?

Ready to Start?​

Drop your CVs to

Interested Position

Download Case study

Download SOC2 Guide