HITRUST has incorporated the EU’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF), creating a single framework and assessment that helps healthcare organizations meet their GDPR obligations.
Many countries have introduced data privacy and security laws that require companies to update policies, procedures, and systems to ensure the private data of consumers and customers remains confidential. Companies that want to engage in global business must be sure to follow those country-specific laws to avoid privacy violations and accompanying regulatory fines. The potential fines can be considerable. GDPR violations could attract penalties of up to €20 million or 4% of global annual revenue, whichever amount is higher.
Satisfying complex compliance requirements and evaluating compliance efforts can be a big challenge; however, HITRUST’s “one framework, one assessment” approach aims to simplify compliance with multiple regulations.
HITRUST has finished the official application process to the EU Data Protection Board and the Irish Data Protection Commission to have the HITRUST CSF formally accepted as satisfying GDPR certification standards. HITRUST also expects to be approved as an accredited GDPR certification body.
Besides GDPR, HITRUST has also incorporated the Singapore Personal Data Protection Act (PDPA) and is presently working toward approval as an Accountability Agent under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules and Procedures for Processing programs.
Businesses taking the HITRUST approach can now perform a single HITRUST CSF assessment to confirm their security, privacy and compliance status to different audiences worldwide, according to Bryan Cline, HITRUST VP of standards and analysis.