Third-Party Risk Management

Managing third-party service providers, or vendors is an ongoing legal and contractual obligation for all businesses. While there is no “one size fits all” risk management program, there are a lot of great checklists and recommendations available. Checking a few resources before signing a new vendor service agreement and setting up a Google Alert or two can potentially help you avoid picking a bad apple.

Credentials, exclusions, and breaches:

  • S. Department of Health & Human Services – Office of Inspector General’s Exclusions Database
  • S. Department of State Terrorist Exclusion List
  • United States General Services Administration (GSA) check this especially if you have a Medicare/Medicaid or other federal contracts
  • S. Department of Health and Human Services – Office for Civil Rights Breach Portal or “Wall of Shame”
  • Perform a general internet search using the vendor’s name/company name + the following words (or other words related to its service) to ensure credibility:
    • Breach
    • Complaints
    • Lawsuit
  • Ensure the vendor’s contract has assurances that their compliance controls are adequate for HIPAA, OSHA, Medicare & Medicaid, as applicable.
  • Ask about their general and/or professional liability insurance coverage.

If the vendor will provide software or other technology services, consider asking the vendor to:

  • Provide a copy of its most recent security audit (e.g. a SOC 2 Type 2) performed by a third-party auditor.
  • List the location(s) where your data will be stored.
  • Ask the vendor how often the data is backed up.
  • Are background checks performed on its employees?

If the vendor is a Business Associate and the Business Associate Agreement (separate from the service agreement) is not your template, be sure it has the appropriate provisions before signing it. It is best practice to review these items on an annual basis for all third-party service providers even if it is not a business associate, but especially as part of the required HIPAA risk assessment.

To set up a Google Alert:

  1. Go to google.com/alerts
  2. In the box at the top, enter a topic, person, or company you want to follow. A new window will appear.
  3. Before you click Create Alert, you select settings. Click Show options to select the frequency of alerts, source, language, region and where you want to receive the alerts.
  4. After you’ve set your options, click Create Alert. You will get emails whenever Google finds matching search results.