First Business Associate Council for Healthcare Industry to Help Drive Efficiencies and Effectiveness in Third-Party Assurance
<< All Press Releases

Date: March 31, 2016

HITRUST announces formation of council and names founding members representing leading technology, security, risk, compliance and audit experts

March 31, 2016 – Frisco, TX: HITRUST announced today the formation of the HITRUST Business Associate Council (BA Council), with the mission to give healthcare business associates a voice and drive efficiencies and effectiveness in third-party information security assurance. HITRUST also named the 17 founding members, representing a diverse cross-section of technology vendors supporting the healthcare and public health sector as well as security, risk, compliance and audit executives. The BA Council will hold four meetings over the course of the year with a kick-off event at the HITRUST 2016 annual conference on April 26, 2016.

The need to ensure the appropriate privacy and security of protected health information (PHI) shared with third-party vendors has never been greater, yet has become a significant undertaking. This is true for both the organization, or covered entity, requiring compliance and the vendor, or business associate, having to demonstrate compliance. The current approaches that rely on inconsistent and uncoordinated requirements have also led to high costs and taxed resources for the business associate being assessed.

The BA Council was created to ensure the healthcare industry is effectively collaborating with the vendors supporting the healthcare industry. The BA Council provides a forum to ensure business associates and vendors are able to provide input, influence, and directly engage with HITRUST and healthcare organizations relating to the HITRUST Third Party Assurance program. Through interaction with the BA Council, HITRUST will work to ensure that the Third Party Assurance and other programs are considering and accommodating business associate and vendor perspectives and objectives.

“The HITRUST Third Party Assurance Program has enabled industry organizations to agree on an appropriate set of requirements to achieve greater efficiencies and reduce costs to the business associates,” said Erick Rudiak, Vice President and Chief Information Security Officer, Express Scripts. “These objectives are in line with what we do every day at Express Scripts to drive out waste from healthcare, control client costs, and improve care.”

“The HITRUST Third Party Assurance program holds great potential to drive greater efficiencies in how our customers verify our information protection posture,” said Scott Pettigrew, Vice President and Chief Security Officer, HMS. “I welcome the opportunity to engage with industry organizations to ensure business associates are able to fully realize the benefits.”

The founding members of the BA Council include:

  • Arvato Digital Services: Richard Haft, Head of Risk, Information Security, and Compliance
  • Armor: Chris Drake, CEO and Founder
  • Availity: Debbie Hutchinson, Senior Manager, Audit and Third-Party Assurance
  • Azure (Microsoft): Hector Rodriguez, National Director, Health and Life Sciences
  • Catalyze: Travis Good, M.D., CEO and Co-founder
  • Change Healthcare: Susan Richards, Strategic Program Manager, Information Security
  • Cognizant: Andrew Frazier, Healthcare Information Security Officer
  • Dropbox: Patrick Heim, Head of Trust and Security
  • Epic Systems Corporation: Stirling Martin, Chief Security Officer
  • Fiserv: Brenda Magri, Director, Risk and Compliance, ISO
  • Healthedge: Taylor Lehmann, Chief Information Officer
  • HMS: Scott Pettigrew, Chief Security Officer
  • PDHI: Lee Penn, Chief Financial Officer and Chief Compliance Officer
  • RR Donnelley: Peter Tiemeyer, Chief Information Security and Privacy Officer
  • Salesforce: Izak Mutlu, Vice President – Information Security
  • West Corporation: Rebekah Johnson, Compliance Leader
  • Xerox Corporation: Troy Bos, Senior Manager, Internal Audit

“I expect the BA Council to provide HITRUST significant input and insights around our approach to third-party assurance and other programs affecting business associates and vendors,” said Daniel Nutkis, CEO, HITRUST. “Their input is crucial, and they are an equal partner as we drive better effectiveness and efficiencies in the third-party assurance process.”

The HITRUST Third Party Assurance and HITRUST CSF Assurance programs together can streamline the third-party risk management process. By applying a single comprehensive framework to harmonize multiple regulations, standards and best practices organizations can achieve a single assessment that may be reported out in multiple ways for an “assess once, report many” approach. Using the CSF Assurance Program for third-party risk management can result in significant reductions in cost and time. An increasing number of healthcare organizations are now requiring their business associates within the healthcare industry to obtain CSF Certification.

More information can be found on the HITRUST Third Party Assurance Program page.


Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit

Chat Now

This is where you can start a live chat with a member of our team