Risky business: choosing information service providers.

Author: Johnson, Robert, Bob

Organizations seeking service providers that will handle their corporate information must ensure the providers' ability to comply with a variety of regulatory requirements and industry standards for protecting it--or leave themselves open to legal liability, public embarrassment, or financial ruin if that information is compromised.

There is liability inherent in selecting any service provider, whether for landscaping the campus or cleaning the office. Mitigating such liabilities usually falls to the purchasing or contracting department or to a firm hired to handle procurement and contracting.

But, there is one type of service provider that every organization must scrutinize more closely: information-related vendors, such as records storage firms, billing services, imaging services, IT asset management firms, and data disposal contractors. Following are important criteria to evaluate when selecting a service provider in this category.

Regulatory Requirements

Data protection laws around the globe apply to selecting data-related vendors, including these U.S., Canadian, and EU regulations.

HIPAA, GLB

The grandfathers of these U.S. laws are the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act, which is more commonly referred to as Gramm-Leach-Bliley (GLB). The former law applies to medical information and the latter to personal financial data.

Ironically, neither is a data protection law at heart; they both deal with a wide range of issues surrounding the explosion of electronic data, and GLB concerns issues as eclectic as interstate banking and co-mingling of banking, equities, and insurance by financial institutions. Still, they both include meaningful and specific provisions on data protection.

A quote on the U.S. Department of Health and Human Services' (HHS) website speaks to an organization's due diligence burden:

The [HIPAA] Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.

In this context, the "covered entity" is the information owner, or the organization for whom the information is being handled. The "business associate" is the service provider.

A defense for this provision can be found in Proposed Modifications to HIPAA under HITECH, a 2010 HHS publication that provides early implementation advice.

... The covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place. This change is necessary to ensure, where the covered entity has contracted out a particular obligation under the HIPAA rules, that the covered entity remains liable for the failure of its business associate to perform that obligation on the covered entity's behalf.

Further evidence is less direct but also telling. Under the new breach notification requirements, the service provider must notify only the information owner that a breach has occurred.

If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

While the service provider...
