• Step 1: Create a readiness, validated, or targeted assessment using v9.5.0 or later which includes the HIPAA breach notification rule and/or HIPAA security rule.
• Step 2: Go to Analytics > Compliance Packs > Select the assessment > Select the HIPAA compliance pack.

• Step 3: Configure the HIPAA compliance pack’s options

a. Preference: Do you want to include evidence in the compliance pack?

i. What it does: Controls whether the supporting evidence linked to HITRUST CSF requirements mapped to included HIPAA sections are included in the HIPAA compliance pack. When “Yes” is selected, a copy of each supporting artifact linked to the HITRUST CSF requirements mapped to included HIPAA sections will be present in an “Evidence” folder in the HIPAA compliance pack’s zip archive.

Why include this as an option? Some audiences may want the ability to inspect the evidence considered by you and/or your external assessor when reaching control maturity scores for HITRUST CSF requirements relevant to HIPAA compliance, while others may not.

a. Preference: Which HIPAA sections do you want to include in the MyCSF Compliance and Reporting Pack for HIPAA?

i. What it does: The HIPAA sections and implementation specifications listed in the “Selected” box will be included in the report. All others will not be included.

Why include this as an option? Some audiences may only be interested in learning about the organization’s controls relevant to very specific parts of HIPAA. This option gives the ability for a compliance pack to be run against all of HIPAA, or just part of it.

• Step 4: Press “Generate Compliance Pack”
• Step 5: Await email from MyCSF with the download link.

Frequently Asked Questions about the MyCSF Compliance and Reporting Pack for HIPAA:

• Which versions of the HITRUST CSF does an assessment need to use to generate the MyCSF Compliance and Reporting Pack for HIPAA?
  a) The MyCSF Compliance and Reporting Pack for HIPAA can only be run against assessments using HITRUST CSF v9.5.0 (or higher), and only objects that were created or refreshed on or after September 3, 2021.
  b) The MyCSF Compliance and Reporting Pack for HIPAA is only available in HITRUST CSF v9.5.0 and will not work with any older versions of the CSF such as v9.1, v9.2, v9.3, or v9.4.
  c) Assessments that have not been previously submitted to HITRUST can change their CSF version to v9.5.0. Assessed Entities should work with their External Assessors to understand the implications of changing CSF versions on their assessment as a change in CSF version may, in certain circumstances, introduce new or modified requirements into an assessment.
  

• When will the MyCSF Compliance and Reporting Pack for HIPAA be available?
  a) The release of HITRUST CSF v9.5.0 on September 3, 2021 can generate the MyCSF Compliance and Reporting Pack for HIPAA.

• Is the HIPAA Compliance Pack a replacement for a HITRUST CSF certification?
  a) No. While the audience of a HIPAA compliance pack can be an internal stakeholder (e.g., Internal Audit, Compliance, InfoSec), an external stakeholder (e.g., consultant, auditor, business partner), or a regulator (e.g., OCR), the “Compliance Pack” is not a HITRUST certification and does not itself convey the same level assurances as the HITRUST CSF Validated Report with Certification.

• Do you need to be a MyCSF subscriber to access the HIPAA pack?
  a) Yes, all annual MyCSF subscription levels can access and use the MyCSF Compliance and Reporting Pack for HIPAA – “Report Only” customers will not have access.

• Is there an additional charge for the MyCSF Compliance and Reporting Pack for HIPAA?
  a) No, the HIPAA Pack is included as part of the analytics within MyCSF subscription accounts.

• I’m a HIPAA business associate, and I noticed that several HIPAA standards and implementation specifications specific only to covered entities and group health plans are not included in my HIPAA compliance pack’s reports. Is this intentional?
  a) Yes. The HIPAA compliance pack’s outputs are tailored based on the organization type you specified when you created your HITRUST CSF assessment object. Certain portions of the HIPAA security rule and HIPAA breach notification rule are applicable only to covered entities, while other portions are applicable only to business associates. These applicability rules are built into the HITRUST CSF and the MyCSF Compliance and Reporting Pack for HIPAA.

• Which parts of HIPAA does the Compliance Pack report on?
  a) Currently, the MyCSF Compliance and Reporting Pack for HIPAA only reports on the HIPAA Security Rule and the HIPAA Breach Notification Rule (45 CFR 164 subparts C and D). Support for the HIPAA Privacy Rule (45 CFR 164 subpart E) will be included in a future update.

textileRef:1214921852660f57583664b:linkStartMarker:”* I’m about to go through an OCR audit and I’d like to contact someone about how to best communicate the value of my HITRUST efforts regarding my organization’s HIPAA compliance. Who is the best person to contact?
a) A HITRUST Regulatory Assistance Center was created to aid organizations that have a HITRUST CSF® Certification and are preparing for or undergoing an OCR regulatory audit. This no cost assistance includes guidance on how a HITRUST CSF Assessment Report can and should be leveraged to demonstrate compliance, including how specific requirements are met or how best to respond relating to a specific inquiry. The intent is to provide a resource to aid organizations in understanding how to leverage their report appropriately and effectively in responding to regulatory audits and other similar requests.
b) The HITRUST Regulatory Assistance Center’s focus is initially HIPAA and will be expanding to other regulations, and is staffed with security and privacy professionals, who can refer you to outside attorneys and other experts familiar with the HITRUST CSF, HITRUST Assurance Program, and HIPAA regulations. Organizations with a current HITRUST CSF Certified can reach the HITRUST Regulatory Assistance Center at “”:https://hitrustalliance.net/regulatory-assistance-center/