If I were you, I would work with our legal and procurement departments to identify (by criticality and type of data access) which vendors need this verbiage and have the agreements amended to specifically require the vendor to meet your needs as it relates to privacy, security and breach requirements. An affidavit of compliance may only be for a specific period of time as opposed to life of contract. If a vendor refuses, and they handle or store NPI, I would suggest executing on an exit strategy because that means they aren't willing to provide an assurance that they will protect your data, which is a best practice. Good Luck!
------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Cenlar FSB
------------------------------
Original Message:
Sent: 12-15-2020 11:41 AM
From: Dawn Moreau
Subject: Affidavit of Compliance
Hello,
During our recent exam it was brought to light that some of our older contracts do not have complete privacy, security and breach language. (We have made sure that all new and currently renewed contracts were revised to have the necessary language.)
We have an Affidavit of Compliance drafted that we are going to ask those vendors with older contracts to sign. I'm looking for advice and/or recommendations on how to handle any push back we may receive when rolling this out. If the vendor doesn't sign, what can we do?
Thank you!