[unisog] Security standard compliance language in contracts

Chris Green cmgreen at uab.edu
Tue Nov 29 22:50:34 GMT 2005

On 11/29/05 11:55 AM, "Mayne, Jim" <J.Mayne at tcu.edu> wrote:

> We are looking at using a firm to provide online W2's. If we were to work with
> this company does anyone have any suggested language to put in the contract
> regarding compliance with security standards and if so for which standards?

Hit send when I meant to hit save as draft...

In our HIPAA business associate agreement, we say things like:

" Reporting of Unauthorized Use.  Business Associate will promptly report to
Covered Entity any use or disclosure of the PHI not provided for in this
Agreement upon becoming aware of it and any security incident of which it
becomes aware; """

We don't call out a specific security standard (other than applicable law
such as HIPAA) but there is lots of language to push the remediation onto
the business associate.  We haven't found one general enough for us to adopt
much less push it out upon others.

Push disclosures and threats onto them and have real penalties.  I don't
know how much insurance has taken off for this world but you could require
they be insured for X$ and let that be the insurance company's problem to

I'm sure your Legal Department will help craft the right risk mitigations.
Chris Green
UAB Data Security, 5-0842

More information about the unisog mailing list