(Legacy) Managing Vendor Agreements in The Guard

Sending agreements from Vendor management tool (who can create, where to create, where to add them to profile, how to send, and how to upload completed agreements)

The HIPAA Privacy Rule permits Covered Entities and Business Associates to disclose protected health information (PHI) to a Business Associate if they obtain satisfactory assurance that the Business Associate will appropriately safeguard the information. Managing your Vendors and documenting those assurances in the form of Agreements and Vendor Audits is an integral part of your overall HIPAA Compliance efforts. In this article, we’ll show you how to create and edit the Agreement templates, attach them to your vendor profiles, send them to Vendors via the Guard, and upload signed Agreements.

There are two kinds of Vendors under HIPAA:

•    Business Associates:  Vendors you hire with whom you share PHI so they can do the job for you (Shredding companies, EHR Vendors, Data Storage services like Dropbox, Google, AWS, MSP, or IT companies, etc.).  You'll need Business Associate Agreements with each, and you'll send a Vendor Audit to them to document how they can protect the data.  

•    Non-BA Vendors:  Companies you do not share PHI with but who may encounter it when on premises (Cleaning Crews, Alarm Companies, Building Management, etc.). You send them Confidentiality Agreements so that they understand their responsibility to keep patient data private, and they confirm that they agree to do so.

The Guard includes Agreement templates that Officers and Administrators can update with your company and Officer information and then send directly from the Guard with just a few clicks.

Officers and Org Administrators can access the templates from the Document Manager by clicking the Document icon in the Navigation Panel on the left and then clicking on the Business Associate and Confidentiality Forms folder.

In that folder, you’ll find templates for Business Associate Agreements for those Vendors or services you hire who can access or work with PHI and Confidentiality Agreements for Non-Business Associates who do not have access to patient data but may encounter it in your Office. These include:

• BAA BA to BA v1.0.docx (A Business Associate Agreement template between Business Associates.)
• BAA CE to BA v1.0.docx (A Business Associate Agreement template between a Covered Entity and the Business Associate Vendor that they hire).
• Confidentiality Agreement (A Confidentiality Agreement template between Covered Entities or Business Associates and a Non-Business Associate Vendor like cleaning crews and landlords).

There are two ways to edit the documents:

• Edit the Document Directly in the Guard
  1. Click on the 3 dashes icon in the rightmost column of each file and select the Edit Document option in the menu that appears.
  2. Edit the documents by adding your company information in the appropriate places in the respective documents (in the Covered Entity fields in the Covered Entity Business Associate Agreement or, “If a Business Associate, fill in the appropriate Business Associate field (BA1 or BA2)”; add your Company name to the top of the Confidentiality Agreement.) 
  3. When completed, click the Save as New Document button in the upper right, enter a new File name and click the Save button.

Once you edit a file and save it, the file first goes to the Unapproved Documents staging area so you or teammates can review the document and approve it or reject it in favor of additional changes.   Once approved, the file will appear in the original Business Associate Agreements and Confidentiality Forms folder in the Document Manager.  To review and approve Unapproved documents:

1. Above the folder list, click the blue Unapproved Documents button to review your edited template.
2. Click the Approve button to activate the changes and complete the Save process.
3. For Agreement templates, keep the Default option selected (No, Do Not Require Attestation).  You’ll only answer Yes, Require Attestation, when you want teammates to train on a document.
4. Once approved, the file will appear in the original Business Associate Agreements and Confidentiality Forms folder in the Document Manager.

• Download the Document to Edit It
  1. Click on the 3 dashes icon in the rightmost column of each file and select the Download Document option in the menu that appears.
  2. Edit the Document in your word processing program (these are Microsoft Word documents) and save the file with a new file name (for example, including your company name in the file name)
  3. Return to the Document Manager, click on the Business Associate Agreements and Confidentiality Forms folder, and then click the blue Upload Documents button to upload your updated document.
     • ***It is critical that you upload the Agreement templates into the Business Associate Agreements and Confidentiality Forms folder. The Vendor Management profiles are looking for files in this folder when attaching and sending the templates to the Vendors.
  4. In the Upload Documents window that appears, uncheck the Requires Attestation box and then either drag and drop the file in the gray Upload box at the bottom of the pop up or click the gray Upload box to search your computer for the document.   Then click the blue Upload button to upload it.

After editing an Agreement template, it is easy to send the Agreement directly from the Guard to your Vendors (here is a link to Instructions for Adding Vendors to the Vendor Management page.)

When adding Vendors to the Vendors page, you can upload an Agreement you already have, or you can use Compliancy Group’s Agreements.  You can access the Vendor’s Detail page either by clicking the Add Vendor button (if adding the new Vendor to the list) or simply by clicking the Vendor in the Vendor List if previously added. 

To upload an Agreement, you already have or upload a Compliancy Group policy that has been returned signed, scroll to the bottom of the page to find the Upload Document section.  Follow these steps to upload a document:

• Click the Browse button to search your computer for the folder where you saved the Agreement.  Select the document and then click the Open button.
• Select the type of Agreement you are uploading from the Type dropdown.
  1. BA Agreement (default option)
  2. Vendor Audit (supporting documentation from the Vendor about protections they have in place to safeguard data you disclose to them; only required for Business Associates, not Non-Business Associates like Cleaning Crews)
  3. Miscellaneous (when uploading Confidentiality Agreements for Non-Business Associates and other types of documents)
• Click the blue Upload button.
• Scroll to the bottom of the page and then click the Add Vendor button (if uploading the Agreement as part of data entry for a new Vendor) or the Save button (if returning to a Vendor you’ve previously added).

To select a Compliancy Group Agreement to send to a Vendor, follow these steps:

• On the Vendor’s detail page, you’ll find two dropdowns:   BA Agreement and Confidentiality Agreement.  Depending on the Agreement you need, you’ll select it from the corresponding dropdown (Remember: It is critical that you upload the Agreement templates into the Business Associate Agreements and Confidentiality Forms folder.  The Vendor Management dropdowns are looking for files in this folder.)
• Once you select a template, scroll to the bottom of the page, and then click the Add Vendor button (if uploading the Agreement as part of data entry for a new Vendor) or the Save button (if returning to a Vendor you’ve previously added).
  1. This will NOT send the agreement to the Vendor; it will merely attach the template to the record.

After attaching the Agreement templates to the Vendors, you’ll send them by checking the checkbox for each Vendor to select it (you can send to multiple Vendors all at once!)  Then click the Choose Action button and choose one of the following options:

• Send BA Agreement to Selected:  This will send the Business Associate Agreement template that you selected from the BA Agreement dropdown
• Send Confidentiality Agreement to Selected:  This will send the Confidentiality Agreement template that you selected from the Confidentiality Agreement dropdown

For Business Associates, you may need to send a Vendor Audit which is a small questionnaire the Vendor will fill out to document the protections they have to safeguard data you disclose to them (this is ONLY for Business Associates, not for Non-Business Associates like Cleaning Crews, Landlords, Maintenance teams, etc.) To do so, check the checkbox for each Business Associate to select it (you can send to multiple Vendors all at once!)  Then click the Choose Action button and click the Send Vendor Audit to Selected option.

This will send an email to the email address you entered as part of that Vendor’s contact information.  That email will include a link to a web-based questionnaire.  The Vendor will answer questions and submit them directly to the Guard.  

Once they complete the questionnaire, you’ll be able to review the answers by clicking the three dashes icon in the rightmost column of that Vendor, then click the View Vendor Audit option in the menu that appears. (Note: The View Vendor Audit option will only appear in the menu when the Vendor completes the questionnaire. The Audit Status column will note when the questionnaire is completed.)

Following these steps will ensure that you can easily send and track the required Agreements and Audits with all your Vendors.  

If you need any help or have any questions, you can send a Help request to our Customer Support team via the Help button on every page of the Guard or by email at support@compliancygroup.com.