I read an interesting article recently on the IAPP website that I think is near and dear to a compliance or security officer’s heart: Breaking up with a Vendor. Here are the top tips for terminating a relationship with a Business Associate.
One of the highest risks for a health provider, system or payer is the unknown level of data security provided by a service provider who is doing work on their behalf. There are so many other business risks to worry about, not to mention the organization’s strategy and operational implementation. So when your one and only vendor has a breach and you discover that their security practices are incredibly inadequate, well, it may feel like you’re facing a relationship break-up.
Stick or quit?
As the author points out, “how a relationship with a vendor is terminated depends on the type of vendor in consideration.” At one end of the spectrum, are they providing commodity services, such as data back-up? Or, at the other end, strategic and customized services, such as data analysis critical to your revenue stream? And then, perhaps there is a more personal, long-time trusting relationship involved.
Minimize the heartache
The article goes into great detail about contract termination provisions, return of data, termination of access and the potential business impact of changing vendors. But the key to minimizing the time, cost and stress involved in changing service providers is to prepare in advance.
In a much calmer moment, at least for your high-risk business associates (amount of data, sensitivity of data, criticality to your business, etc.), carry out the following steps:
- research other potential service providers
- identify likely replacements
- ensure appropriate contract termination provisions, and
- have a plan of transition and communication.
And by the way, it’s not too late to request an annual attestation or independent assessment of security measures of current business associates – it may serve to expedite the preparation of that transition plan.
For more information and advice on managing your Business Associates, sign up for one of our upcoming webinars.