THIRD PARTY RISK MANAGEMENT

September 9, 2019 / HIPAA

Managing third-party service providers, or vendors, is an ongoing legal and contractual obligation for all businesses. While there is no “one size fits all” risk management program, many good checklists and recommendations are available. Checking a few resources before signing a new vendor service agreement and setting up a Google Alert or two can help you avoid picking a bad apple.

Credentials, exclusions, and breaches:

If the vendor will provide software or other technology services, consider asking the vendor to

    • Provide a copy of its most recent security audit (e.g. a SOC 2 Type 2) performed by a third-party auditor.
    • List the location(s) where your data will be stored.
    • State how often the data is backed up.
    • Confirm whether background checks are performed on its employees.

If the vendor is a Business Associate and the Business Associate Agreement (separate from the service agreement) is not your template, be sure it has the appropriate provisions before signing it. It is best practice to review these items on an annual basis for all third-party service providers, even those that are not Business Associates, but especially as part of the required HIPAA risk assessment.

To set up a Google Alert:

  1. Go to www.google.com/alerts
  2. In the box at the top, enter a topic, person, or company you want to follow. A new window will appear.
  3. Before you click Create Alert, click Show options to select the frequency of alerts, source, language, region and where you want to receive the alerts.
  4. After you’ve set your options, click Create Alert. You will get emails whenever Google finds matching search results.