Before you review our Business Partner Vetting ("BPV") Portal, you are going to want to understand the following: "Why are third-party risks exploding?" You also need to understand "The insidious costs associated with BPV." If you are a covered entity, the HIPAA Security Rule mandates that you get "satisfactory assurances" from your business associates that they have implemented the necessary safeguards to ensure the protected health information (PHI) that you entrusted to them is well protected. Furthermore, if you are a business associate that also has business associates, you will need to obtain similar kinds of assurances.
This view shows the Main Menu screen where an Expresso® Admin clicks on Partners and a New Partner may be created.
Questionnaires may be saved if not fully completed in one session. The partner may then return to the Portal to upload requested files, complete their Questionnaire, and submit their final results. Once submitted, all Expresso® Admins are notified that a partner's questionnaire and files are ready for review. When Admins are notified of the Partner's questionnaire, they click on the link in the email they receive and can review all documents and Questionnaire results in the DOCS folder assigned to that Partner.
If you are a health care startup that is looking to make good on your "moon shot," you will need to be prepared for the questionnaires that are certainly coming your way if you are looking to win a deal from a large covered entity or Big Pharma. Suppose they ask for the basics: fill out our cyber-security questionnaire and provide us the following: (1) your latest risk assessment; (2) your cyber-security policies and procedures; (3) proof of staff training; (4) proof that you have complied with HIPAA's Contingency Standard; and so on. If you stumble on those basics, you will be in a world of hurt, sending the message that you are not ready for prime time, at least not with respect to playing in the "big leagues."
Getting satisfactory assurances means more than having a Business Associate Contract and less than yearly onsite inspections; the latter is impossible, and the law generally does not require that. The best practice that the industry has converged on is sending out questionnaires and asking for additional reports. As you might imagine, this is a tedious process, averaging about twenty (20) hours per vendor per year. It's not just a question of the hidden costs, which are considerable; the manual, ad hoc nature of the process is also error-prone, potentially costing your organization millions in reputational damage if you get it wrong.
Expresso®'s BPV Portal streamlines the process by making your business partners come to Expresso® to fill out the questionnaire and upload any additional files requested. A brief overview is provided here.