One of our vendors is up for an annual review 30 days before our contract ends. They are rated as high inherent risk and are a critical vendor. Can anyone recommend how to handle this? I feel that gathering/reviewing everything would be kind of a waste since we will no longer be using this vendor, but I don't want to completely ignore it since they are critical and high risk.
I would just make a note of it and waive the review. The reviews are done so we are sure our data is safe, secure and the vendor is doing well in order to continue the relationship. If you are terminating the relationship, the review is a moot point.
I hope this helps.
I would agree with Cheryl and waive the review. However, given it is a critical/high risk vendor, there is some likelihood that they store some sensitive/NPI data for your company. If that is the case, this may be a good opportunity to review the contract as you wrap up business and ensure that they remove/purge your data as you end your relationship.
We just had a VM audit last month and some recommendations were given to us.
What does your policy say about when you change a vendor from active to inactive? This would factor into what you should do.
If it was me, I would for sure get any due diligence documents to cover the time period you did utilized their services. This was something that came up in our audit recently, making sure we had proper DD items during the time period of service.
Also, if they're storing NPI, you need to find out the process for which they remove/purge this information.
Good morning! I like everyone's perspective on this! I agree that checking the contract to determine how data will be stored/returned/handled will be key. For the due diligence monitoring collection and review, I had the following thought to consider: 1. Do you say in your policy or procedures that you review at a specific time, or is it more flexible to say that it is reviewed once a year? If you say once a year, I would agree to not collect updated information if the vendor is being terminated, especially if the replacement vendor has already been vetted, or you are reviewing that due diligence. I feel the most important part would be to document the justification for why you are not collecting the details. Thanks!! Tracey