Microsoft and HITRUST - CSF

Azure and Office 365 are certified to the Health Information Trust Alliance Common Security Framework.

Health Information Trust Alliance (HITRUST) Common Security Framework (CSF)

HITRUST offers three degrees of assurance, or levels of assessment: self-assessment, CSF validated, and CSF certified. Each level builds with increasing rigor on the one below it. An organization with the highest level, CFS-certified, meets all the certification requirements of the CSF. Microsoft Azure and Office 365 are the first hyperscale cloud services to receive certification for the HITRUST CSF. Coalfire, a HITRUST assessor firm, performed the assessments based on how Azure and Office 365 implement security, privacy, and regulatory requirements to protect sensitive information.

Learn how to accelerate your HITRUST deployment with our Azure Security and Compliance Blueprint.

Download the Microsoft Azure HITRUST Customer Responsibility Matrix (CRM) blueprint v9.0d

Microsoft in-scope cloud services

Covered services for HITRUST CSF

  • Azure and Azure Government detailed list
  • Office 365 and Office 365 U.S. Government (detailed list in FAQs below)

Audits, Reports and certificates

The HITRUST CSF certification of Azure and Office 365 is valid for two years.

Accelerate your deployment of HIPAA/HITRUST solutions on Azure

Get a head start on taking advantage of the benefits of the cloud for health data solutions with the Azure Security and Compliance Blueprint - HIPAA/HITRUST Health Data and AI. This blueprint provides tools and guidance to get you started building HIPAA/HITRUST solutions today.

Start using the Azure HIPAA/HITRUST Blueprint


Accelerate your HIPAA/HITRUST compliance when using Office 365

Leverage Office 365 to manage health information in a secure and compliant way with Compliance Manager, which enables you to perform risk assessments against health regulations like HIPAA and security control frameworks like NIST CSF and NIST 800-53. You can follow step-by-step guidance to know how to implement and maintain data protection controls that help you meet healthcare compliance obligations.

Start using Compliance Manager

HITRUST - CSF overview

The Health Information Trust Alliance (HITRUST) is an organization governed by representatives from the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a certifiable framework to help healthcare organizations and their providers demonstrate their security and compliance in a consistent and streamlined manner.

The CSF builds on HIPAA and the HITECH Act, which are US healthcare laws that have established requirements for the use, disclosure, and safeguarding of individually identifiable health information, and that enforce noncompliance. HITRUST provides a benchmark—a standardized compliance framework, assessment, and certification process—against which cloud service providers and covered health entities can measure compliance. The CSF also incorporates healthcare-specific security, privacy, and other regulatory requirements from such existing frameworks as the Payment Card Industry Data Security Standard (PCI-DSS), ISO/IEC 27001 information security management standards, and Minimum Acceptable Risk Standards for Exchanges (MARS-E).

The CSF is divided into 19 different domains, including endpoint protection, mobile device security, and access control. HITRUST certifies IT offerings against these controls. HITRUST also adapts requirements for certification to the risks of an organization based on organizational, system, and regulatory factors.

one person sitting at conference table in active discussion with two others
one person sitting at conference table in active discussion with two others

Manage your compliance from one place

Perform ongoing risk assessment, get actionable insights, and simplify your compliance process when using Microsoft cloud services with Compliance Manager.

Try Compliance Manager nowRead the Security, Privacy and Compliance blog

Frequently asked questions

Expand all

Yes. If your business requires a HITRUST certification for implementations deployed on Microsoft services, you can build on Azure HITRUST compliance when you conduct your compliance assessment. However, you are responsible for evaluating the HITRUST requirements and controls within your own organization.

You can download a copy of letter of certification for Azure and Office 365.

The in-scope services of HITRUST CSF certification are Exchange Online Archiving, Exchange Online Protection, Exchange Online, Skype for Business, Admin Center, SharePoint Online, Project Online, OneDrive for Business, Office Online, MyAnalytics, Microsoft Teams, Office ProPlus* in Office 365 Multi-tenant cloud and Office 365 GCC.

*Office 365 ProPlus enables access to various cloud services, such as Roaming Settings, Licensing, and OneDrive consumer cloud storage, and may enable access to additional cloud services in the future. Roaming Settings and Licensing support the standards for HITRUST. OneDrive consumer cloud storage does not, and other cloud services that are accessible through Office 365 ProPlus and that Microsoft may offer in the future also may not, support these standards.

Microsoft provides the most comprehensive offerings compared to other cloud service providers. To keep up with our broad compliance offerings across regions and industries, we include services in the scope of our assurance efforts based on the market demand, customer feedback, and product lifecycle. If a service is not included in the current scope of a specific compliance offering, your organization has the responsibility to assess the risks based on your compliance obligations and determine the way you process the data in that service. We continuously collect feedback from customers and work with regulators and auditors to expand our compliance coverage to meet your security and compliance needs.

When you store your data in a SaaS like Office 365, it’s a shared responsibility between Microsoft and your organization to achieve compliance. Microsoft manages majority of the infrastructure controls including physical security, network controls, application level controls, etc., and your organization has the responsibility to manage access controls and protect your sensitive data. The Office 365 HITRUST certification demonstrates the compliance of Microsoft’s control framework. Building on that, your organization needs to implement and maintain your own data protection controls to meet HITRUST CSF requirements.

Yes, you can find recommended customer actions in Compliance Manager, cross-Microsoft Cloud solutions that help your organization meet complex compliance obligations when using cloud services. Specifically, for HITRUST CSF, we recommend you perform risk assessments using the NIST 800-53 and NIST CSF assessments in Compliance Manager. In the assessments, we provide you with step-by-step guidance and the Microsoft solutions you can leverage to implement your data protection controls. You can learn more about Compliance Manager in this whitepaper.