• Suppliers
  • Metadata
  • Ensure suppliers and vendors have appropriate safeguards
  • Document security mechanisms, SLAs and management information in agreements
  • Business Associate suppliers
  • Enforcement
  • References

Suppliers

MedStack Confidential

Metadata

• responsible officer: CTO
• approved by: CTO
• date
  • effective: 2018-06-20
  • revised: 2020-08-05
  • reviewed: 2022-08-31
• Applicability: standard

Ensure suppliers and vendors have appropriate safeguards

• Use only major public cloud service providers to handle PHI
  • Use recognized independent standards to determine the supplier’s security and compliance, such as ISO 27001, SOC2 and HITRUST.
  • Do not provide PHI to any other suppliers.
• Acquire and maintain documentation for the safeguards
  • Sign contracts with suppliers that enforce our compliance requirements.
  • Where HIPAA is applicable, obtain a HIPAA BAA from the supplier.
  • Acquire and retain the supplier’s documentation.
  • Acquire updated documentation annually.
• Review
  • Review updated vendor documentation annually.

Code	Section	Title
ISO	A.15.1.1	Information security policy for supplier relationships
ISO	A.15.1.2	Addressing security within supplier agreements
ISO	A.15.1.3	Information and communication technology supply chain
ISO	A.15.2.1	Monitoring and review of supplier services
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	CC3.2	COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
SOC2	CC4.2	COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	P6.5	The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorized disclosures of personal information. Such notifications are reported to appropriate personnel and acted on in accordance with established incident response procedures to meet the entity’s objectives related to privacy.

Document security mechanisms, SLAs and management information in agreements

• with our vendors
• with our customers

Code	Section	Title
ISO	A.13.1.2	Security of network services

Business Associate suppliers

• US law (HIPAA) requires a chain of Business Associate relationships.
• A Business Associate is a person or entity to whom a we delegate a function, activity, or service involving PHI, and who is not our employee.
• Sign Business Associate Agreement (BAA) contracts that meet all of the requirements and standards of HIPAA, State law, and our policies and procedures.
• Subcontractors of Business Associates are Business Associates themselves.
  • Business Associates include the following if they handle PHI
    • Sub-contractors
    • Patient safety organizations
    • Health Information Organizations (HIOs) (and similar organizations such as Health Information Exchanges (HIEs) and regional health information organizations)
    • E-prescribing gateways
    • Personal Health Record (PHR) vendors that provide services on behalf of a covered entity
    • Other firms or persons who “facilitate data transmission” that requires routine access to PHI

Code	Section	Title
HIPAA	164.308(b)	Business associate contracts and other arrangements
HIPAA	164.314(a)	Standard: Business associate contracts or other arrangements

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title
ISO	A.15.1	Information security in supplier relationships
ISO	A.15.2	Supplier service delivery management
ISO	A.15.2.2	Managing changes to supplier services
CHI	PR2	Third-Party Agreements
CHI	SR6	Addressing security in third-party agreements
SOC2	CC2.3	COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.
SOC2	CC8.1	The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives.
SOC2	CC9.2	The entity assesses and manages risks associated with vendors and business partners.
SOC2	P1.1	The entity provides notice to data subjects about its privacy practices to meet the entity’s objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner for changes to the entity’s privacy practices, including changes in the use of personal information, to meet the entity’s objectives related to privacy.
SOC2	P2.1	The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to the data subjects and the consequences, if any, of each choice. Explicit consent for the collection, use, retention, disclosure, and disposal of personal information is obtained from data subjects or other authorized persons, if required. Such consent is obtained only for the intended purpose of the information to meet the entity’s objectives related to privacy. The entity’s basis for determining implicit consent for the collection, use, retention, disclosure, and disposal of personal information is documented.
SOC2	P6.1	The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity’s objectives related to privacy.
SOC2	P6.4	The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity’s objectives related to privacy. The entity assesses those parties’ compliance on a periodic and as-needed basis and takes corrective action, if necessary.

August 30, 2022

Powered by