RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Subject:
From:
Larry Medina <[log in to unmask]>
Reply To:
Records Management Program <[log in to unmask]>
Date:
Thu, 28 Mar 2013 10:08:45 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (70 lines)
On Thu, Mar 28, 2013 at 7:55 AM, Donna Malzone <[log in to unmask]> wrote:

> I have posted to this listserv previously.  I am the records manager for
> Coverys.  We provide medical professional liability insurance.  My company
> is in the process of securing an agreement with an HR Services solution
> vendor.  Our company will now use their solution to manage our payroll and
> benefits.  We will be providing no data feeds to them.  All our information
> will be maintained by them.
>
> There is a provision in the agreement that states that they will not agree
> to be the official recordkeeper.  I am a little concerned about this
> because they are maintaining all our information related to payroll and
> benefits.  They have agreed to employ commercially reasonable storage
> including backup, archive and redundant data storage both onsite and
> offsite and take reasonable precautions to prevent loss of or alteration of
> our data files, but won’t guarantee any such loss or alteration.  We have
> asked them to provide to us their disaster/recovery plan.  Our IT
> department has reviewed the plan and is satisfied.
>
> Does anyone see any risk to this scenario?  If so, I would like to hear
> back from you.  Also, do you think it’s prudent to add language to the
> contract that requires them to comply with our records retention schedule?
>


Depending on the 'scope' of what you're referring to as benefits records,
if anything is subject to HIPAA requirements, then you should have a
Business Associates Agreement in place, appended to your contract:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

"The HIPAA Rules generally require that covered entities and business
associates enter into contracts with their business associates to ensure
that the business associates will appropriately safeguard protected health
information.  The business associate contract also serves to clarify and
limit, as appropriate, the permissible uses and disclosures of protected
health information by the business associate, based on the relationship
between the parties and the activities or services being performed by the
business associate."

In addition, your IT department may be satisfied, but your risk and/or
legal department may not agree.  When you look into the costs associated
with addressing data exposure of PII/PHI, if the exposure comes at the
hands of a third party and you've allowed them to absolve themselves of any
liability, YOUR organization is on the hook for notifications, credit
report provision and possible fines that should be shifted to the
responsible party.

Lose a tape in transit? Commingle information? Servers hacked? Bad things
happen to the best intentioned of people, and if you don't shift that
responsibility, it's on you.

I wouldn't be concerned with having them comply with your retention
schedule; you'd be better off disallowing them from destroying ANYTHING.
What happens if you have a legal action requiring a hold be placed on
information scheduled for destruction? Are you going to be sure someone is
notifying them of this in advance as well?

Larry
[log in to unmask]

Lawrence J. Medina
Danville, CA
RIM Professional since 1972

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance