IT Solution Delivery Life Cycle Requirements

All Kaiser Permanente IT vendors, contractors and suppliers who provide IT solutions are required to comply with Kaiser Permanente's standard for quality IT solution delivery, based on the Solution Delivery Life Cycle (SDLC) defined framework and affiliated sub-processes.

Payment Card Industry Data Security

If supplier’s services include processing, storing, using or transmitting payment cardholder data, then supplier will comply with the Kaiser Permanente Payment Card Industry Data Security Requirements.

Edge Security Requirements

Suppliers must comply with Kaiser Permanente's Edge Security Requirements if supplier will be supplying or supporting a device that falls into the governance of Kaiser Permanente’s Edge Cybersecurity Program, which includes medical, lab, clinical research and imaging devices, pharmacy devices, facilities automation and security systems, and IoT devices.

Data Security Requirements

Suppliers must comply with Kaiser Permanente's Data Security Requirements if supplier will be accessing, generating, processing, hosting, or storing* personally identifiable information, data, or records relating to any patient, member, employee, or contractor of any Kaiser Permanente entity. (* Examples include application management, data processing, hosting, or system integration services.)

Digital Products and Services Accessibility Requirements (formerly Web-Based Products and Services Accessibility Requirements)

Kaiser Permanente is committed to providing access to its healthcare services, programs, and activities free from discrimination on any basis, including disability. This commitment includes ensuring the digital products and services we provide to our members, patients, and other users are accessible. The Digital Products and Services Accessibility Requirements contain the minimum accessibility requirements for Suppliers of digital products and services.

Computer System Access

If a supplier will have access to Kaiser Permanente's computer system to perform services, then the supplier shall comply with the computer system access requirements.