Headed to RSA in San Francisco? May 6-9 | Join us!

4 Miscellaneous HITRUST Regulatory Factors to Consider

Over the last few blogs, we have provided a comprehensive overview of the HITRUST landscape, from the authoritative sources at its core, to the optional regulations, or regulatory factors, that are commonly added on to a HITRUST assessment for industry-specific purposes 

This article is Part Four of a Four-part Series on the HITRUST Framework

Part One: 7 HITRUST Regulatory Factors to Consider for Healthcare 
Part Two: 7 HITRUST Regulatory Factors to Consider for Federal Compliance 
Part Three: 5 HITRUST Regulatory Factors to Consider for International and State-level Privacy Compliance
Part Four: 4 Miscellaneous HITRUST Regulatory Factors to Consider

Some of these regulatory factors are already incredibly important, and others soon will be. Furthermore, many of these regulatory factors lack any formal certification process, so adding them to a HITRUST assessment is a valuable approach to demonstrating compliance. 

There are only a few regulatory factors left for us to discuss, including one of the most important and influential – PCI DSS. This regulation is mandated by the credit card industry, but only organizations that process more than 6 million transactions per year need to be audited by a qualified security assessor (QSA). A-LIGN is one of these qualified security assessors, so if you have a PCI audit on the horizon, contact A-LIGN to learn more about how our compliance services can transform your business and help you provide your customers with peace of mind. 


First Introduced in HITRUST 2.0 – January 2010 

The Payment Card Industry Data Security Standard (PCI DSS) is among the oldest and most influential security regulations. PCI was developed by a consortium of credit card companies around the turn of the millennium, as ecommerce and online payments were growing in popularity. The intent of PCI DSS is to protect these payments and transactions from cyber-attacks and fraud. There are 12 requirements to achieve PCI compliance, which include controls and processes. Depending on the volume of annual transactions an organization processes, that organization may be required to produce a third-party assessment, while smaller organizations can provide a self-assessment. 

The A-LIGN Bottom Line: Any company that processes, stores or manages payment card information needs to become PCI compliant, but there are different levels of requirements. A level 1 merchant may process more than 6 million transactions per year, while a level 4 merchant may process less than 20,000. In fact, any organization that processes less than 6 million transactions per year only needs to complete a self-assessment questionnaire (SAQ). HITRUST is an excellent option for a SAQ. However, a level 4 organization must conduct an audit with a qualified security assessor (QSA), in which case adding PCI to a HITRUST assessment could serve as a gap assessment. Since A-LIGN is a QSA, we can enable a strategic approach to compliance by assigning a QSA to a HITRUST assessment to streamline the audit process. 

23 NYCRR 500 

First Introduced in HITRUST 9.1 – February 2018 

23 NYCRR 500 is a New York State law that introduced cybersecurity requirements for financial services companies. The requirements focus on risk management and cybersecurity protection, breach notification, and other written policies and procedures. It applies to any business that is regulated by the Department of Financial Services. 

The A-LIGN Bottom Line: This is another niche regulation, but it does tend to get a lot of scrutiny within the financial services industry since so many operate in New York City. Adding 23 NYCRR 500 to a HITRUST assessment may be helpful to identify any gaps. 

SCIDSA Requirements  

First Introduced in HITRUST 9.3 – October 2019 

The South Carolina Insurance Data Security Act is focused on cybersecurity protection for South Carolina insurance licensees. 

The A-LIGN Bottom Line: This is a niche regulation that is only applicable to a single industry operating in a single state. If you are a South Carolinian insurance company, these requirements apply to you and you should consider assessing your security posture, but for the overwhelming majority of organizations this regulatory factor does not matter. 

FTC Red Flags Rule Compliance 

The FTC Red Flags Rule is an identity theft prevention regulation. It is frequently referred to as the Fair Credit Reporting Act Identity Theft Rules and it appears in the Code of Federal Regulations as the “Detection, Prevention, and Mitigation of Identity Theft.” The regulation itself requires organizations to produce a written policy to prevent identity theft. 

The A-LIGN Bottom Line: This regulation is important for companies that have access to social security numbers, credit card numbers and other personally identifiable information, but the intent of this regulation has also been integrated into many other more common security frameworks and regulations, so it is unlikely to necessitate an individual assessment.  

Download our HITRUST checklist now!