top of page

Oversee Service Providers


Retaining Service Providers


The Safeguards Rule requires you to oversee your service providers. There are four subparts to this requirement. First, you must take reasonable steps to select – and only retain - service providers that are capable of adequately protecting customer data. There are software-based programs that can manage this task. This will require the cooperation of your service providers. If they won’t cooperate, you must find service providers that will.


Written Contract


Second, you must obligate your service providers by written contract to implement the safeguards necessary to protect customer data. This obligation can be baked into the contract itself, be added as an addendum to an existing contract, or be a free-standing Safeguards Agreement, but it must be in writing.


Periodically Assess


Third, you must “periodically assess” your service providers with respect to this obligation. The same software used to vet service providers can support this effort as well.


Monitor


Fourth, you must monitor your service providers on an ongoing basis to verify they are maintaining adequate safeguards. This does not mean “continuous” oversight, but it must be regular. This last obligation is potentially overwhelming. Fortunately, the software we’ve been referencing probably satisfies both the “assessing” and “monitoring” requirements, and accomplish those tasks inexpensively.




Comments


bottom of page