Educause Security Discussion mailing list archives
Re: Doximity contract questions
From: "Menne, Michael S" <michael.menne () MNSU EDU>
Date: Mon, 4 Jan 2021 20:37:42 +0000
I don’t have any experience with this vendor specifically, but I recently worked with a vendor that was similarly difficult in a different way. They refused to update their HECVAT (they were using an incredibly old version). When we asked them specific questions, they answered with documents that were not relevant to the questions asked. Eventually, they walked away.

The questions / suggestions below are generic and may or may not be viable in your situation. You may have already thought of many of them as well.

With other vendors that we’ve tried to negotiate with, we’ve either enforced an addendum or stricken the clauses entirely so that they have to be litigated should it come to that. This one is a little different in that your physicians are already using it and some of the clauses aren’t something I would be comfortable striking from a contract.

How bad does this vendor want your business? Is there some leverage you could use on your end to push them into negotiation?

Is there a provision within HIPAA / HITECH / Omnibus update that talks about data ownership and addresses the BAA concerns?

Is there an outside resource that could force the vendor’s hand in negotiation? We have had lawyers talk to lawyers in the past as well. Sometimes it goes well, sometimes it doesn’t.

Our software contracts attorney is very strict on contract language. We have a standard contract template that we use that has our required language. Do you have something similar from the University that can be used?

Until you are able to get a decent contract with them, I would open a dialogue with the physicians and CMO (or equivalent) and explain the data and HIPAA risks of continuing to use these services. If there is patient data, the University and the physicians are in violation of HIPAA by not having a BAA.
Some (or many) of the physicians are probably not aware of the risks they have opened the University up to by accepting the terms that are in place in the standard EULA and not having a BAA.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
Cell: (507) 405-0717
https://mankato.mnsu.edu/cyberaware

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Burns, Denis" <denis.burns () MED FSU EDU>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 4, 2021 at 1:32 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Doximity contract questions

If you are on the AAMC CoF, I apologize that you are seeing this again.

Hi all,

So, many organizations who were tempted by the relaxed enforcement and free offerings of Doximity are likely coming into the new year to find out that they are taking their “free hit of crack” away and want to be paid now. Our physicians have been using them w/o authorization and so we are working to secure an appropriate license for continued (acceptable) use.

Their contract is short and lacking many details (zero data ownership language) and their BAA is incredibly one sided. They make it clear that they will never return or destroy any data you give them and they claim rights to do with it as they please until specifically told otherwise.

Can anyone who is licensed and went through a regular contract/legal review shed some light on how you addressed these issues? Generally I would redline and/or attach an addendum, but the conversation that I have had with them was not pleasant and didn’t leave any warm fuzzies. I can’t help but feel that they are on the border of being hostile to work with.

I look forward to any input that others may have. Thank you and happy New Year!

-d

Denis Burns
Information Security and Privacy Officer - College of Medicine - Florida State University
(850) 644-3648 – denis.burns () med fsu edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community