The HITRUST RMF has matured significantly since it was first released to the public in 2009 and subsequently provides using organizations with more products, services, and tools—and subsequently value—than ever before. HITRUST is intent on continuing this trend to make it easier for organizations to adopt and implement the HITRUST RMF—whether as a single product, service, or tool or as the basis for an entire organizational information protection and risk management program.
Changes in the underlying methodologies that support these products, services, and tools will be incorporated into this document as they occur. However, specific changes in the suite of products, services, and tools HITRUST provides (such as the introduction of the HITRUST e1,102 HITRUST i1,103 and the HITRUST r2104 into our assessment portfolio) will be documented under separate cover, such as in the HITRUST Assessment Handbook.105
And finally, by presenting and maintaining the core concepts that form the foundation of the HITRUST RMF together in a single document, we hope to provide the context necessary for HITRUST Organizations and Assessors to better understand, choose, implement, and benefit from the multitude of information protection and risk management products, tools, and services HITRUST provides.
102 HITRUST (2023f). HITRUST Essentials, 1-year (e1) Validated Assessment.
103 HITRUST (2022g). HITRUST Implemented, 1-Year (i1) Validated Assessment.
104 HITRUST (2022h). HITRUST Risk-based, 2-year (r2) Validated Assessment.
105 Bennekers, V. (Ed.) (2022).