The next update to the HITRUST CSF standard is v9.3, a release that addresses CCPA, NIST CsF v1.1 and other standards. HITRUST CSF v9.3 will include new requirements placed on organizations by the California Consumer Privacy Act (CCPA). CCPA is America’s GDPR. CCPA takes effect January 1, 2020, with enforcement effective on July 1, 2020. CCPA requires additional steps to protect the transmission, sharing and storage of consumer data. HITRUST CSF v9.3 also reflects key differences between the two laws, including the applicability, requirements for data access, and detailed requirements about opt-out methods.
The HITRUST CSF v9.3 will also reflect updates to a number of authoritative sources, including:
- CMS Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- Federal Risk and Authorization Management Program (FedRAMP)
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- NIST CsF v1.1
- South Carolina’s Bill 4655, the Insurance Data Security Act
Bottom line: The HITRUST CSF leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.
Date: September 24, 2019