By Rebekah Johnson, CIPP/US, HITRUST BA Council Member
I had the honor of being selected as one of the initial members of the Health Information Trust Alliance (HITRUST) Business Associate Council (BA Council).
The BA Council will leverage the thought leadership and experiences of its members to help drive efficiencies and effectiveness in third-party assurance.
Why the BA Council Matters
Many HIPAA-covered entities now require business associates that create, access, store, manage, or exchange protected health information (PHI) to become certified as compliant with HITRUST’s Common Security Framework (CSF). The need to ensure a comprehensive and standardized approach to the privacy and security of PHI shared with third-party vendors has never been greater. Current approaches to complying with security requirements are inconsistent and uncoordinated, leading to higher costs and inefficient security processes.
The HITRUST Alliance will lean on this council to help shape HITRUST’s strategic approach. The BA Council will provide a forum for business associates and vendors to engage with HITRUST to ensure that programs such as Third-Party Assurance and HITRUST CSF Assurance are accommodating business associate and vendor perspectives and objectives. The input of these stakeholders will be critical as the BA Council streamlines efficiencies in the third-party assurance process.
By applying a single comprehensive framework to harmonize multiple regulations, standards and best practices, organizations can achieve a single assessment that may be reported out in multiple ways. Using the CSF Assurance Program for third-party risk management can result in significant reductions in cost and time.
My Role on the BA Council
My job on the BA Council will be to provide input and insight and to engage directly with HITRUST and healthcare organizations relating to the HITRUST Third-Party Assurance program. As a Compliance Solutions Engineer, I help clients identify and evaluate existing and future regulatory and compliance matters that impact their multi-channel communication programs and services, including outbound/inbound voice services, SMS, email, and others. I have more than 10 years’ technology development experience and have often acted as the liaison between legal, executive, and product and development teams to translate regulatory requirements into technology requirements.
The imperative to meet customers’ ever-increasing demand for speed, convenience and personalization can make data security and compliance a major concern. This is especially true when dealing with highly sensitive material, like protected health information (PHI).
In protecting the privacy of patients and maintaining the integrity of all involved parties, there is no room for uncertainty.
The Council will meet quarterly; the first session was held on April 26, 2016, during the HITRUST 2016 Conference in Dallas/Fort Worth.