The purpose of this document is to define the requirements for those organizations assessing their information protection programs against the HITRUST CSF utilizing a readiness or validated assessment. The Assessment Handbook is intended to provide guidance and expectations to Assessed Entities and HITRUST External Assessors on the HITRUST assessment and certification processes. HITRUST External Assessors are expected to maintain an understanding of the requirements and Assurance Program processes defined in this Handbook. For additional details around the development of the HITRUST CSF and the HITRUST approach to risk management, please see the HITRUST Risk Management Handbook.

This document assumes a baseline understanding of HITRUST, the HITRUST CSF Framework and the HITRUST Assurance Program. The following resources provide additional information about HITRUST:

Any updates to the Assurance Program will be communicated via Advisories published at: HITRUST will provide notice of any changes to requirements in this Handbook using those Advisories. In addition, HITRUST will provide a comparison log detailing the changes outlined within those Advisories. HITRUST will provide a notice period for any changes to requirements in this Assessment Handbook to allow sufficient time for Assessed Entities and External Assessors to prepare for the change. HITRUST may include additional FAQs or Examples within the Handbook at any time to provide Assessed Entities and External Assessors with additional clarification or guidance on the requirements within the Handbook.

Terminology used within the Assessment Handbook follows the definitions in the HITRUST Glossary of Terms and Acronyms (accessible within MyCSF in the “References” tab), unless otherwise defined within this Assessment Handbook.

HITRUST expects all Assessed Entities and External Assessors to maintain awareness of the current Assurance Program requirements and updated requirements through this Assessment Handbook and corresponding Advisories.