Suppliers
MedStack Confidential
Metadata
- responsible officer: CTO
- date:
  - effective: 2018-06-20
  - revised: 2019-06-17
  - reviewed: 2018-06-20
- Applicability: standard
Ensure suppliers and vendors have appropriate safeguards
- Use only major public cloud service providers to handle PHI
- Use recognized independent standards to determine the supplier’s security and compliance, such as ISO 27001, SOC2 and HITRUST.
- Do not provide PHI to any other suppliers.
- Acquire documentation for the safeguards
  - Sign contracts with suppliers that enforce our compliance requirements.
  - Where HIPAA is applicable, obtain a HIPAA BAA from the supplier.
  - Download and retain the supplier’s documentation.
- Review
  - Review updated vendor documentation annually.
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.15.1.1 | Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. |
| ISO | A.15.1.2 | Addressing security within supplier agreements | All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. |
| ISO | A.15.1.3 | Information and communication technology supply chain | Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. |
| ISO | A.15.2.1 | Monitoring and review of supplier services | Organizations shall regularly monitor, review and audit supplier service delivery. |
Business Associate suppliers
- US law (HIPAA) requires a chain of Business Associate relationships.
- A Business Associate is a person or entity to whom we delegate a function, activity, or service involving PHI, and who is not our employee.
- Sign Business Associate Agreement (BAA) contracts that meet all of the requirements and standards of HIPAA, State law, and our policies and procedures.
- Subcontractors of Business Associates are Business Associates themselves.
- Business Associates include the following if they handle PHI
  - Sub-contractors
  - Patient safety organizations
  - Health Information Organizations (HIOs) (and similar organizations such as Health Information Exchanges (HIEs) and regional health information organizations)
  - E-prescribing gateways
  - Personal Health Record (PHR) vendors that provide services on behalf of a covered entity
  - Other firms or persons who “facilitate data transmission” that requires routine access to PHI
| Code | Section | Title | Text |
|---|---|---|---|
| HIPAA | 164.308(b) | Business associate contracts and other arrangements | (1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor. (2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information. (3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a). |
| HIPAA | 164.314(a) | Business associate contracts or other arrangements | (1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (2) Implementation specifications (Required) - (i) Business associate contracts. The contract must provide that the business associate will - (A) Comply with the applicable requirements of this subpart; (B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and (C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410. (ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3). (iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate. |
Enforcement
- Responsible party: All managers and supervisors
- sanctions: standard
References
| Code | Section | Title | Text |
|---|---|---|---|
| ISO | A.13.2.4 | Confidentiality or non-disclosure agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. |
| ISO | A.15.1 | Information security in supplier relationships | To ensure protection of the organization’s assets that is accessible by suppliers. |
| ISO | A.15.2 | Supplier service delivery management | To maintain an agreed level of information security and service delivery in line with supplier agreements. |
| ISO | A.15.2.2 | Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
| CHI | PR2 | Third-Party Agreements | Organizations connecting to the EHRi and organizations hosting components of the EHRi must use contractual means to provide a comparable level of privacy protection while a third party, such as a service provider, is processing PHI. Such agreements should include the following information: 1 The purpose(s) for which PHI is being shared with the third party; 2 A listing of the PHI that will be shared with the third party; 3 The purposes for which the PHI may be used or disclosed by the third party; and 4 Obligations of the third party upon termination of the agreement. |
| CHI | SR6 | Addressing security in third-party agreements | Organizations hosting components of the EHRi must base the following third-party arrangements on formal contracts containing all necessary security requirements: a) Outsourcing management or control of all or some part of EHRi hosted components; b) Third-party facilities management for EHRi hosted components; or c) Access to the EHRi by third parties. |