Yes. If your organization requires HITRUST certification for deployments provided in Microsoft services, you can rely on Azure HITRUST compatibility when running conformity assessment. However, you are responsible for assessing HITRUST requirements and controls within your own organization. Download Microsoft Azure HITRUST Customer Responsibility Matrix (CRM) Blueprint v9.0d Why are some Office 365 services not covered by this certification? The timing of a HITRUST CSF evaluation varies depending on the type of report and the time it takes to address it. After preparation and in the case of HITRUST CSF certification, it takes you on average about nine weeks to submit your assessment to HITRUST for verification. Does Microsoft provide instructions for my organization to implement appropriate controls when using Office 365? Areas covered by the HITRUST CSF certification include Exchange Online-Archiving, Exchange Online Protection, Exchange Online, Exchange Online, Skype for Business, Admin Center, SharePoint Online, Project Online, OneDrive for Business, Office Online, MyAnalytics, Microsoft Teams, Microsoft 365 Office 365 Multi-Tenant Cloud business apps, and Office 365 GCC. Accelerate HITRUST compliance for your solution hosted in Microsoft Azure by completing your assessment in advance with fully legacy or shared responsibility controls for Azure in the HITRUST MyCSF tool and collaborating with Microsoft on your assessment. Does the Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Does Microsoft certification mean that my organization, if it uses Azure or Office 365, is compatible with HITRUST CSF? HITRUST CSF Validated Assessment – A hitrust CSF validated assessment is performed by an authorized CSF assessor like KirkpatrickPrice. Validated assessments include a HITRUST CSF self-assessment in which you answer questions and confirm your compliance, followed by a CSF assessor who validates your checks based on what you have said and gives certification to HITRUST. HITRUST offers three levels of security or evaluation: self-assessment, CSF validated and CSF certified. Each level is built with increasing rigor on the one below. A high-level organization, CSF certified, meets all the certification requirements of the CSF. Microsoft Azure and Office 365 are the first hyperscale cloud services to achieve hitrust CSF certification.

Coalfire, a HITRUST assessment company, conducted these assessments based on how Azure and Office 365 implement security, data protection, and regulatory requirements for the protection of confidential information. Microsoft supports the hitrust Shared Responsibility Program. The HITRUST CSF certification from Azure and Office 365 is valid for two years. Use Office 365 to manage health information securely and compliantly with Compliance Score, which allows you to perform risk assessments based on health rules such as HIPAA and security control frameworks such as NIST CSF and NIST 800-53. You can follow step-by-step instructions on how to implement and maintain privacy controls that will help you meet healthcare compliance obligations. HITRUST CSF has two types: self-assessment and validated assessment. Deciding on the type of HITRUST CSF assessment can be a daunting task, especially when an organisation is conducting this review for the first time. Hitrust CSF assessment options include: Learn how to accelerate your HITRUST deployment with our Azure Security and Compliance Blueprint. .

. .