Technology and Outsourcing 2025

USA Law and Practice Contributed by: Jeffrey Harvey, Randall Parks, Andrew Geyer and Cecilia Oh, Hunton Andrews Kurth LLP

• due diligence and third-party selection – performing due diligence on third parties, including the party’s ability to perform and comply with applicable laws before selecting and entering into relationships;
• contract negotiation – clearly specifying the rights and responsibilities of each party to the contract, seeking additional contract provisions when appropriate, understanding the consequences of any resulting limitations, and engaging legal counsel for significant contracts;
• oversight and accountability – overseeing management and implementation of strategies and policies to address third-party risks, thereby establishing responsibility and accountability for such risks;
• ongoing monitoring – performing ongoing monitoring after the third-party relationship is established in a manner commensurate with the level of risk and complexity of the third-party relationship; and
• termination – ending third-party relationships in an efficient manner, including consideration of appropriate transition services.

Importantly, the Interagency Guidance constitutes “interpretive guidance” only and does not carry the force or effect of law. However, a banking organisation that chooses not to implement the risk management principles included in the Interagency Guidance may be found in violation of its broader obligation to operate in a safe and sound manner. Through powers granted by Congress, prudential regulators possess supervisory and oversight authority to examine banking organisations and determine, in their sole discretion, whether such banking organisations are engaging in unsafe and unsound business practices. Indeed, when circumstances warrant, such regulators may use their authority to “pursue corrective measures, including enforcement actions” against banking organisations that fail to properly manage risks in connection with their third-party relationships.

Thus, while the Interagency Guidance is not legally binding on banking organisations, banking organisations will nevertheless be examined according to the risk management principles embodied therein. Of course, financial service companies are subject to a wide range of substantive laws and regulations governing their day-to-day activities and operations that would continue to apply to such companies, even if those activities and functions are outsourced to third-party outsourcing providers. These laws and regulations may include requirements addressing data protection, cybersecurity, anti-money laundering, audit and reporting, securities, consumer protection and other regulated activities.

Healthcare

Within the healthcare industry, outsourcing is impacted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), which seek to ensure the privacy and security of protected health information (PHI). HIPAA and HITECH (and their implementing regulations) impose significant and onerous obligations, including compliance with HIPAA’s Privacy and Security Rules, on:

• “covered entities” – ie, health plans, health clearing houses and healthcare providers that transmit any health information in electronic form in connection with a covered transaction; and
• their “business associates” – ie, vendors of covered entities with access to PHI that perform certain functions on behalf of such covered entities.

When entering into outsourcing arrangements with business associates, covered entities are required to enter into written agreements (in the form of business associate agreements) that protect the use and security of PHI. Under HITECH, business associates may be subject to direct civil and criminal penalties imposed by regulators and state authorities for failing to protect PHI in accordance with HIPAA’s Security Rule.

In addition to the federal HIPAA and HITECH, many states have enacted state healthcare laws governing the use of patient medical information. Although the federal HIPAA pre-empts any state law that provides less protection for PHI, state laws that are more protective will survive federal pre-emption.

Insurance

The insurance and reinsurance industry has continued to outsource a variety of functions, as well as