Managing third parties with relevant privacy and security policies

Ensure contracts with third parties (including data processors) include relevant privacy and information security requirements.

Most health care institutions require, to some degree, the assistance of third parties who may have access to information through physical means (offices, filing cabinets, laboratories, etc.) or through logical means (databases, applications, information systems or an Intranet). A third-party agreement is a type of Confidentiality Agreement used when an organization is planning to disclose confidential or proprietary information to a third party.

Similar to the employee Confidentiality Agreement, it ensures that the third party is aware of and accepts responsibility and accountability for protecting confidential information. It also demonstrates due diligence and may give the organization legal recourse if the third party breaches the agreement.

  • It is important that third parties accept their responsibility for safeguarding the confidentiality, integrity and availability of information.
  • Third parties should also demonstrate their ability to undertake and maintain security and privacy responsibilities.
  • Third-party agreements should be signed and dated; the original should be received by the organization before the third party is granted access to confidential information.

Source:
https://www.ehealthontario.on.ca/images/uploads/pages/documents/InfoSecGuide_Complex.pdf