Practical Tips for Managing Your “Fourth Party” Downstream Vendors


Post By: Tom Rogers, CPA, CCMP, Founder and CEO, Vendor Centric

Third-party vendor management has been a regulatory requirement for the health care industry for many years.  Expectations for entities with whom health care providers work – especially those providing outsourced services – continue to evolve. In an era fraught with data security breaches and in the midst of a global pandemic, managing third-party vendors is becoming all the more challenging.

Against this backdrop, there has been a great deal of discussion about the next wave of health care vendor management concerns – downstream entities, also known as fourth parties. It can be confusing, so here’s a quick review.

A vendor (i.e. your third party) is a company or entity that has agreed, through a direct contractual relationship with you, to provide a particular product or service.

A downstream entity (i.e. your fourth party) is essentially a ‘vendor to your vendor’.  In most cases, your vendor will have a contractual agreement with these downstream entities but you will not.  This is where a heightened level of risk comes into play.  You may be relying (indirectly) on the products or services of these downstream entities, but you don’t have a direct contractual relationship with them.  In many cases, you may not even know they exist.

In the health care ecosystem, determining how to identify, assess and manage these downstream entities can get confusing. Health care organizations often rely on their own vendors to perform this work, but many vendors don’t even have a cohesive, effective set of policies, procedures and systems of their own.

So, it’s critical not to assume your vendors are doing a good job of monitoring these downstream entities. You need to provide your own oversight too – so what should you do?

I recommend you start by getting your blocking and tackling in place. This consists of two things: determining how far downstream you need to go to create an inventory of your fourth parties, and establishing some core oversight activities.

With regard to identifying your downstream entities, a good rule of thumb is to follow the data as far as you possibly can, particularly anywhere that PHI is being shared. A breach at such an entity may very well expose the upstream institution’s confidential information, even if inadvertently. In today’s regulatory climate, the responsibility (and the potential for reputational harm) will undoubtedly flow back to the institution more so than to the downstream entity.

In terms of core oversight activities, the following components are critical:

  • An effective third-party vendor management program – start by looking in the mirror to ensure your own program is comprehensive, effective and properly resourced. Managing your downstream entities should be a component of, not separate from, your own program so it’s critical you have one that works.
  • Clear standards and expectations for your vendors – contracts with your third-party vendors should articulate your expectations for the rigor they will use to identify, assess and monitor downstream entities. And your due diligence on these vendors should include assessing their ability to meet these standards.
  • Standards on appropriate oversight and notification – your vendor’s policies and procedures should also be evaluated for their ability to notify you in the event of a material breach, operational lapse or other noteworthy events.

In addition to these considerations, you should give extra attention to offshore contractors. They bring a heightened level of risk to your organization and, for Medicare plan sponsors, additional regulatory compliance requirements as well. When dealing with an offshore provider, additional steps must be considered over and above the standard due diligence done on a vendor, including, but not limited to:

  • Documentation as to why the service is conducted offshore
  • A check through the Office of Foreign Assets Control (OFAC) to ensure the downstream entity is not located in a sanctioned country or owned / managed by a politically exposed person or known criminal
  • A review of the third party’s frequency of visiting the offshore entity, change control procedures and related testing
  • Consideration given to the control and / or truncation of US patient information and other similarly restricted data to safeguard all PHI as much as reasonably possible
  • A review of the underlying entity’s business continuity and recovery planning in the event of a disaster or breach
  • Rights to audit or make onsite visits, at your institution’s discretion

In today’s highly matrixed and outsourced world, particular care must be taken to consider the role of downstream entities and their standards of care, to ensure those standards meet or exceed the institution’s expectations. All relevant information should be thoroughly documented and any material concerns reported to senior management and / or the board of the institution.