We just had a VM audit last month and some recommendations were given to us.
What does your policy say about when you change a vendor from active to inactive? This would factor into what you should do.
If it was me, I would for sure get any due diligence documents to cover the time period you utilized their services. This was something that came up in our audit recently, making sure we had proper DD items during the time period of service.
Also, if they're storing NPI, you need to find out the process by which they remove/purge this information.
Original Message:
Sent: 05-30-2023 01:04 PM
From: Michael Magone
Subject: Review for Offboarding Vendor
I would agree with Cheryl and waive the review. However, given it is a critical/high risk vendor, there is some likelihood that they store some sensitive/NPI data for your company. If that is the case, this may be a good opportunity to review the contract as you wrap up business and ensure that they remove/purge your data as you end your relationship.
Original Message:
Sent: 05-30-2023 11:05 AM
From: Cheryl Turner
Subject: Review for Offboarding Vendor
I would just make a note of it and waive the review. The reviews are done so we are sure our data is safe, secure and the vendor is doing well in order to continue the relationship. If you are terminating the relationship, the review is a moot point.
I hope this helps.
Cheryl
Original Message:
Sent: 5/30/2023 10:14:00 AM
From: Anonymous Member
Subject: Review for Offboarding Vendor
This message was posted by a user wishing to remain anonymous
One of our vendors is up for an annual review 30 days before our contract ends. They are rated as high inherent risk and are a critical vendor. Can anyone recommend how to handle this? I feel that gathering/reviewing everything would be kind of a waste since we will no longer be using this vendor, but I don't want to completely ignore it since they are critical and high risk.