
HSCC Updates Model Contract Language Framework for HDOs & MDMs

The Health Sector Coordinating Council (HSCC) has published updated Model Contract Language for MedTech Cybersecurity to help healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs) address the challenge of ensuring the cybersecurity of medical devices.

Medical devices can introduce cybersecurity risks that must be managed and reduced to a reasonable and appropriate level to comply with the HIPAA Security Rule. The devices must also meet the safety and effectiveness requirements of the Food and Drug Administration (FDA), which include cybersecurity for the entire life cycle of the devices.

The cybersecurity of medical devices is a shared responsibility between the HDO and the MDM; however, historically, cybersecurity accountability has been inconsistently reconciled in the purchase contract negotiation process due to factors such as uneven MDM capabilities and investment in cybersecurity controls, and varying cybersecurity expectations among HDOs.

If there are ambiguities in cybersecurity responsibilities due to the contract language – or a failure to clearly state in contracts the responsibilities of each party with respect to cybersecurity – it is likely to result in downstream disputes, insufficient security, and potential patient safety issues.


“In today’s partnership between HDOs and MDMs, cybersecurity requirements are often unclear, resulting in a lack of understanding and prioritization of cybersecurity best practices. For HDOs and MDMs alike, this leads to an investment in security controls that are not always aligned between stakeholders,” explained HSCC.

The HSCC Cybersecurity Working Group (CWG) formed the Model Contract Language Task Group in 2020 to help address these issues. The Working Group consists of 50 representatives from HDOs, MDMs, group purchasing organizations, and security and compliance specialists. After two years of deliberations, the Task Group published the first version of the Model Contract Language in 2022, which serves as a neutral framework for the contractual cybersecurity relationships between HDOs and MDMs.

The aim of the Model Contract Language is to help HDOs protect themselves and their patients from cybersecurity threats by establishing and maintaining appropriate security contract terms and commitments from MDMs concerning their products, services, and solutions. Version 1 has been downloaded more than 1,500 times from the HSCC CWG website since its publication.

In the 18 months after publication, users submitted almost 100 comments to HSCC. The Task Group reconvened last year to review the feedback and has now incorporated many of the recommendations in Version 2, which it hopes will simplify the contracting process, making it more predictable and less costly and time-consuming.

The main improvements in Version 2 are revisions and expansions to align with the changed regulatory environment; updates to reflect increasing security maturity and better alignment of expectations between stakeholders; a clearer separation of responsibilities in areas where the terms describe shared responsibilities; and simplification of the language to improve clarity and structure and help speed up contract negotiations.

HSCC says the Model Contract Language can be used as a standalone agreement with an MDM, or as an addendum to a Business Associate Agreement (BAA), Master Service Agreement (MSA), or Request for Proposal (RFP). The document can serve as a template that can be tailored to meet the specific compliance needs of each HDO.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
