I read an interesting article recently on the IAPP website that I think is near and dear to a compliance or security officer’s heart:  Breaking up with a Vendor. Here are the top tips for terminating a relationship with a Business Associate.

One of the highest risks for a health provider, system or payer is the unknown level of data security provided by a service provider who is doing work on their behalf. There are so many other business risks to worry about, not to mention the organization’s strategy and operational implementation. So when your one and only vendor has a breach and you discover that their security practices are incredibly inadequate, well, it may feel like you’re facing a relationship break-up.

Stick or quit?

As the author points out, “how a relationship with a vendor is terminated depends on the type of vendor in consideration.” At one end of the spectrum, are they providing commodity services, such as data back-up? Or at the other end, strategic and customized services, such as data analysis critical to your revenue stream? And then, perhaps there is a more personal, long-time trusting relationship involved.

Minimize the heartache

The article goes into great detail about contract termination provisions, return of data, termination of access and the potential business impact of changing vendors.  But the key to minimizing the time, cost and stress involved in changing service providers is to prepare in advance.

In a much calmer moment, at least for your high-risk business associates (amount of data, sensitivity of data, criticality to your business, etc.), carry out the following steps:

  1. research other potential service providers
  2. identify likely replacements
  3. ensure appropriate contract termination provisions, and
  4. have a plan of transition and communication.

And by the way, it’s not too late to request an annual attestation or independent assessment of security measures of current business associates – it may serve to expedite the preparation of that transition plan.

For more information and advice on managing your Business Associates, sign up for one of our upcoming webinars.

Mary Chaput

CFO & Chief Compliance Officer at Clearwater Compliance
Mary has 35 years of international and domestic business experience spanning the healthcare, information services, manufacturing and venture capital consulting industries. She is Clearwater’s CFO and Compliance Officer. As an experienced corporate CFO and risk manager, Mary works actively with customers and prospects to identify and prioritize their risks and to develop effective remediation plans within their budgets.