MYCSF is the Tool Utilized to Manage the HITRUST Certification Process

What subscription option should I buy?

  • Assess/Report option is limited to 90 days and deleted after the final report is issued, you will have to re-enter your information for any interim or subsequent reports.  Also, options like inheritance and offline assessment features are not available.  This is not recommended to use. 
  • A one-year subscription allows you to use the full capacity of the tool and allows you to retain your work effort after the report is finalized. 

Scoping section in the MYCSF?

The MYCSF tool has a section that is dedicated to determining the number of control requirements that are applicable to reaching HITRUST certification Many Healthcare payers will require you to select the HIPAA regulatory factor as a part of the scope.   We would highly recommend spending a lot of time to ensure this information is correct as HITRUST will be reviewing data flow and organization descriptions to ensure this data is correct.   Using Lurie to scope the environment will help ensure this is conducted in an efficient manner.   

Object versus elements?

Each assessment object requires a separate report while multiple elements can be included in one report A company can have multiple objects and reports If a business has two distinct service lines then multiple objects can be possible and more efficient. 

Grouping of elements

If a company has 5 facilities that share centralized management andsimilar control structure then they can be grouped together for testing and scoping purposes. 

What is version 9 of the HITRUST framework?

HITRUST each year realizes updates to the HITRUST framework, also legacy versions of HITRUST will reach an end of life and will no longer be accepted for submission to HITRUST.  As of June 2020, there are 4 active versions (9.1,9.2, 9.3, 9.4).  We recommend using the latest version as possible.  

What is version 10 of the HITRUST framework?

At this time, version 10 is still being finalized at HITRUST, once version 10 comes out, all version 9.x assessments will have 18 months to get submitted to HITRUST.

Meet Your HITRUST CSF Certification Team


Partner, Technology Consulting

Kate Siegrist leads Lurie’s growing technology practice and consults with business owners to help improve their security, compliance, and technology controls posture. As a partner, she oversees the firm’s SOC 1, 2, and 3 practices, security assessments, IT strategic planning services, IT risk assessments, IT governance assessments, business and systems transformations, and controls audits. Kate has been a featured speaker on technology and controls topics relevant in this rapidly evolving arena.


Partner, Technology Consulting

James is a Cybersecurity and IT compliance professional with over 12 years of security consulting experience in addition to other professional experience. He leads readiness consulting and assessments related to a variety of IT compliance standards including but not limited to NIST, SOC 1/2/3, HITRUST, PCI, HIPAA and Sarbanes-Oxley.

Let's start a conversation.


This article is for your general education, and does not create a client relationship or any service engagement between you and Lurie LLP. The content of this article is based on the best information available, but official guidance, rules, laws and/or updates may change and become out of date. Please contact your Lurie advisor before acting on any of the information contained in this article.

We may provide links to third-party sources for your convenience, but we do not review, control, or monitor the materials on any other websites. Lurie LLP is not responsible for the performance of those websites or for your business dealings with them.

Share Post: