All Kaiser Permanente IT vendors, contractors and suppliers who provide IT solutions are required to comply with Kaiser Permanente's standard for quality IT solution delivery, based on the Solution Delivery Life Cycle defined framework and affiliated sub-processes.
If supplier’s services include processing, storing, using or transmitting payment cardholder data, then supplier will comply with the Kaiser Permanente’s Payment Card Industry Data Security Requirements.
Suppliers must comply with Kaiser Permanente's Medical Device Security Requirements if Supplier will be supplying or supporting any device that falls into the governance of Kaiser Permanente’s medical device cybersecurity program, to include but not limited to medical devices (including laboratory and imaging), pharmacy devices, clinical research technologies, and supporting devices.
Suppliers must comply with Kaiser Permanente's Data Security Requirements if supplier will be accessing, generating, processing, hosting, or storing* personally identifiable information, data, or records relating to any patient, member, employee, or contractor of any Kaiser Permanente entity. (*Examples include application management, data processing, hosting, or system integration services.)
If a supplier will have access to Kaiser Permanente's computer system to perform services, then the supplier shall comply with the Computer System Access Requirements.