Provider Third-Party Risk Management Initiative

Prominent Chief Information Security Officers (CISOs) from leading health systems and providers throughout the country have come together to establish the Provider Third-Party Risk Management Council to develop, recommend and promote a series of practices to effectively manage their information security-related risks in their supply chain and to safeguard patient safety and information.

Why is this important?

Effectively assessing the security posture up and down the supply chain is prohibitively expensive given the complexity of the risks posed by information privacy and system security concerns as well as an ever-changing regulatory landscape both domestically and internationally. The challenges they face go well beyond their resources and capabilities, posing a huge challenge for organizations and third parties to create, administer, respond to and manage assessments. In addition, ineffective security, compliance and assurance methods drive cost and confusion within organizations and across third parties.


Through collaboration, these CISOs have developed a set of resources for health systems and providers to help enable adoption and streamline the process.

All you need to know to get started with PTPRM …PTPRM On-Boarding Kit
HITRUST Third-Party Risk Management (TPRM) Qualification Methodology …helping organizations determine risk and appropriate assurances from their vendors

Watch the webinar on the Third-Party Risk Management Initiative
CISO’s Mission Resonates with Healthcare Peers ... Press Release
Provider TPRM Model Contract for 3rd Parties ... Model contract used by Council Participants for 3rd Party engagement
Provider TPRM Participation Agreement …To join the Initiative
Provider TPRM Council Charter …Background and Objectives on the Initiative
Provider TPRM Council datasheet …Information on the Council and Initiative
Industry Memo (.docx) …Industry Announcement
Vendor Memo (.docx) …Customizable Vendor Communication for Adopting Providers
HITRUST CSF and CSF Assurance …The HITRUST CSF and CSF Assurance Overview
HITRUST Assessment XChange …An Industry Exchange for Assessment Report Sharing
TPA Overview …HITRUST Third-Party Assurance
Press Release August 29, 2018 …Announcing the Initiative
To Ensure Vendor Security: UPMC Turns to the HITRUST CSF Assessment to Help Manage Third-Party Risk ... UPMC Case Study

Working Groups

We have deployed a listserv to foster more efficient collaboration and better discussions. We currently have three working groups:

  • General – comments and questions
  • Contracting – contracts
  • Vendor Engagement – how to communicate with vendors
All members will be included within the General working group. If you are also interested in joining the Contracting or Vendor Engagement working group, please sign up here.

For more information or questions, please email the council at

For more information on the Provider Third-Party Risk Management Initiative, complete the form below and a Provider Third-Party Risk Management Specialist will contact you back.