Before you outsource any of your organization’s functions to a third party, you need to do your research. Will the vendor handle PHI on behalf of your organization? If so, they’re a business associate (BA). Then conduct due diligence to be sure you can trust the vendor with your information. Once you finish these initial steps, it’s time to enter a contract with your vendor.
Negotiating and establishing a contract is a key part of vendor management. Contracting with a vendor poses new risks to your organization. Therefore, it’s important to thoroughly address risks in your vendor contract. This blog will discuss:
- The service level agreement
- Data ownership and confidentiality
- Security safeguards
- Breach notification
- Contingency plan
- Outsourcing to subcontractors
1. The Service Level Agreement
Of course, every vendor contract starts with a service level agreement (SLA). You must set the scope of services and performance standards from the beginning of the vendor relationship. You establish what is or is not an acceptable outcome in the SLA.
Establish the following:
- What you consider acceptable work
- The cost of the service or product
- The timeframe of the service and contract termination
- When and how you will make payments
- Communication methods
- The venue, whether on-site or remote
- Milestones, if applicable
- Vendor reports, whether in-person or in writing
- Expense payments, whether your organization will cover the vendor’s expenses
- Compensation for successful deliverables
- Corrective action in case the vendor fails to meet standards
When drafting your SLA, don’t rely on verbal agreements or promises. Put everything in the written contract so it’s legally binding.
2. Data Ownership and Confidentiality
Data ownership. Though you are outsourcing activities or services to your vendor, you’re not outsourcing data ownership. Your confidential information still belongs to your organization, and you are still responsible for it. Make sure you clarify data ownership in your contract.
Confidentiality. Establish that the vendor will keep all personally identifiable information confidential. They shouldn’t share it unless requested to or unless otherwise negotiated.
“A confidentiality provision should, at a minimum, define the information that is to be treated as confidential, limit the permitted use, prohibit disclosure outside of the permitted use (except in certain circumstances, e.g., when required by law, and then only after notice is provided), and require return or destruction upon termination of the agreement.” – HealthITSecurity.com
This is different than in a business associate agreement (BAA). In a BAA, the vendor/business associate provides assurances that they won’t impermissibly use or disclose protected health information (PHI). However, the principle of privacy is similar.
Also, consider how you and the vendor will control confidential data during and after the contract period. They should have clear policies for transferring the data to you or destroying it when the contract period ends.
3. Security Safeguards
Vendor security is an important issue to iron out during negotiations and contracting. In the last blog, we saw how pre-contract security surveys help you gauge a vendor’s security posture before you entrust your data to them.
To prevent a breach, your vendor should have security safeguards. Safeguards protect your data from unauthorized access, destruction, loss, or alteration. This includes administrative, physical, and technical safeguards.
In the contract, you should clarify your security expectations. For example, you could require:
- Intrusion detection and a means to stop unauthorized activity
- Not using mobile devices to house data
- Data encryption
- Access controls to limit access to your data
4. Breach Notification
“From data breaches that happened from a #vendor, only 15 percent of firms affected reported that the vendor informed them when a #breach happened.” Read more here:https://t.co/VRPKZLPsiG#HIPAA— HIPAAtrek (@hipaatrek) May 3, 2019
Vendor breaches are all too common. In the contract, require your vendor to promptly notify you if they impermissibly disclose your information. They should notify your organization, mitigate the breach, and pay all associated costs. In a HIPAA BAA, you also specify breach notification responsibilities (more about this in an upcoming blog).
5. Contingency Plan
Your organization has a contingency plan. So also should your vendor. Both you and your vendor share the responsibility for keeping critical services active during an emergency. For example, what good will a fuel provider for your emergency generator be if the power outage also affects them and they have no backup plan?
During pre-contract negotiations, ask for your vendor’s contingency plan, and put it in the contract. They should have:
- Written plans you can inspect,
- A secure method of backing up your data, and
- Concrete recovery times to return to normal operations.
6. Outsourcing to Subcontractors
If your vendor has access to confidential data, be wary of them outsourcing to subcontractors. Are you comfortable with them transferring your data to a downstream vendor? If you allow subcontracting, make sure your vendor uses security measures with the subcontractor. Has your vendor conducted due diligence with them?
According to Phillips and Sanchez in their Health Care Compliance Association presentation on vendor oversight:
“Any outsourcing arrangement must be viewed as an extension of your company into the subcontractor’s organization…You can delegate authority to perform activities and functions, but you can’t delegate responsibility.”
Business associate agreements. You will not enter a BAA with a subcontractor, even if they handle your organization’s PHI. Your vendor should have a BAA in place with the downstream subcontractor. See this example of a Business Associate – Subcontractor Agreement.
Location. Also, consider whether the vendor is outside of the country. You don’t have jurisdiction over subcontractors, especially those outside of the country. This is another risk you must clarify in your contract.
Vendor Contracts – Conclusion
After conducting due diligence with your vendors and selecting the one that meets your organization’s needs, you’re ready to negotiate and enter a contract with them. There are many important provisions to cover in a vendor contract. This blog looked at a few that will help you reduce the risk to your data. Nevertheless, it’s always a good idea to consult with a lawyer before entering a legally binding vendor contract.
Keep in mind that, as most healthcare operations involve PHI, most of your vendors will also be business associates. Therefore, we need to look more closely at BAs and BAAs. The next two blogs will discuss key facts about HIPAA business associate agreements, as well as provisions you should consider as you enter this agreement with your BAs.
Good contract and vendor management helps healthcare organizations reduce operating costs and risks, stay compliant, and develop quality vendor relationships. However, since healthcare organizations often manage hundreds of contracts, it’s not enough to rely on binders and manual workflows.
Need Guidance? Check out our Business Associate Decision Tree!
Download our decision tree for determining when a BAA is required.
HIPAAtrek’s NEW Contract Management Module simplifies and streamlines contract management with a fully customizable workflow. Manage your contracts from negotiation to termination with custom stages, so you will always know where your vendor contracts stand. Contact us to learn more about this up-and-coming feature or request a demo of HIPAAtrek today.
The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.