Business Associate and Vendor Management


SCA delivers a user-friendly online business associate / vendor management platform. Clients may use the secure portal to store key records and documentation, and SCA can assist with populating pertinent data and with reviewing or assessing a business associate’s viability. The portal is a true vendor management platform: business associates are automatically “risk scored” based on the uploaded documentation and on whether key information is presented properly, and built-in alerts remind the client when contracts are nearing renewal.

All business associates that process, maintain, store, transmit or are granted access to protected health information should be evaluated for soundness and held accountable for the information assets entrusted to them. The portal will help you review whether the business associate’s or third-party service provider’s business processes include appropriate physical, administrative and technical safeguards to protect protected health information against unauthorized access or use. It also weighs the measures a service provider takes to safeguard protected health information and, where appropriate, the controls the service provider has in place to ensure that any sub-contractor it employs has instituted appropriate security safeguards.

Our cloud-based solution is available through yearly licensing. Data input and vendor management can be completed by you, by SCA personnel, or by both.

Due diligence will include, as appropriate:

  • A background evaluation consisting of verification of recent references appropriate to the job the service provider proposes to perform
  • A check of local Better Business Bureau complaint files
  • A check of Federal Trade Commission complaint files
  • A review of the service provider’s years of experience and an evaluation of the qualifications of its key employees
  • A review of the service provider’s insurance and bonding coverage, including errors and omissions, property, casualty, information losses, dishonesty or fraud
  • A risk rating for each service provider based on the criticality, access to non-public information, and security measures the vendor has in place
  • A review and assessment of the service provider’s SSAE 16 report (since superseded by SSAE 18; SOC 1 or SOC 2 report) or equivalent

Review of your contracts with service providers will determine whether the contracts contain:

  • Acceptable confidentiality and non-disclosure provisions
  • Ownership and use of information provisions
  • A requirement that the third-party service provider comply with all applicable state and federal privacy and information security laws and regulations
  • A requirement that the service provider furnish results of audits and tests sufficient to assure the institution that the service provider implements adequate security measures
  • A requirement that the service provider take appropriate action to address incidents of unauthorized access to the institution’s member or customer information
  • A requirement that the service provider disclose breaches in security resulting in unauthorized access to non-public information or to systems where the information is maintained
  • Appropriate liability and indemnification provisions
  • Appropriate security and due diligence requirements for sub-contractors