getVendorVettingChecklist
Generate a HIPAA compliance checklist for third-party vendors to ensure they meet security and privacy requirements before integration.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| vendorName | Yes | The name of the third-party service being considered, e.g., 'Twilio', 'Google Cloud', 'Zendesk' | (none) |
Implementation Reference
- server.ts:271-290 (handler): The asynchronous handler function for the 'getVendorVettingChecklist' tool. It accepts a 'vendorName' parameter and returns a structured response containing a markdown-formatted checklist for vetting third-party vendors for HIPAA compliance.

  ```typescript
  // Handler: receives the validated { vendorName } input and returns a single
  // text content item holding the checklist as markdown.
  async ({ vendorName }) => {
    return {
      content: [{
        type: 'text',
        text: `
  # Business Associate Vetting Checklist for ${vendorName}

  Before integrating with ${vendorName} or any vendor that will handle PHI, you must perform due diligence.

  1. **Will They Sign a BAA?**: This is the first and most important question. If the answer is no, you cannot use them for PHI. Period.
  2. **Review Their Compliance Documentation:** Does ${vendorName} have a public-facing trust center or compliance page detailing their HIPAA-eligible services?
  3. **Check for Independent Audits:** Do they have a SOC 2 Type 2 report or a HITRUST certification? Request and review these documents.
  4. **Shared Responsibility Model:** Does ${vendorName} clearly document what they are responsible for versus what you are responsible for in maintaining compliance?
  5. **Data Residency and Control:** Can you control where the data is stored geographically?
  6. **Breach Notification:** What is their process and timeline for notifying you in the event of a breach on their end? This must be outlined in the BAA.
  7. **Data Disposal:** What is their policy for securely deleting your data when you terminate your service with them?
  `
      }]
    };
  }
  ```
- server.ts:267-269 (schema): The Zod schema defining the input parameters for the tool: an object with a required 'vendorName' string.

  ```typescript
  // Raw Zod shape for the tool's input. server.tool() expects this shape
  // directly (not wrapped in z.object() inside an options object), so the
  // registry exposes 'vendorName' as the single required parameter.
  {
    vendorName: z.string().describe("The name of the third-party service being considered, e.g., 'Twilio', 'Google Cloud', 'Zendesk'"),
  }
  ```
- server.ts:263-291 (registration): The registration of the 'getVendorVettingChecklist' tool using server.tool(), including description, schema, and handler function.

  ```typescript
  // server.tool() takes the description and the raw Zod shape as separate
  // arguments. Passing { description, schema } as one object makes the SDK
  // treat that object itself as the parameter shape, which is why a bare
  // 'schema' field would otherwise show up as the tool's input.
  server.tool(
    'getVendorVettingChecklist',
    'Provides a checklist for evaluating a third-party vendor (Business Associate) to ensure they meet HIPAA compliance standards before integration.',
    {
      vendorName: z.string().describe("The name of the third-party service being considered, e.g., 'Twilio', 'Google Cloud', 'Zendesk'"),
    },
    async ({ vendorName }) => {
      return {
        content: [{
          type: 'text',
          text: `
  # Business Associate Vetting Checklist for ${vendorName}

  Before integrating with ${vendorName} or any vendor that will handle PHI, you must perform due diligence.

  1. **Will They Sign a BAA?**: This is the first and most important question. If the answer is no, you cannot use them for PHI. Period.
  2. **Review Their Compliance Documentation:** Does ${vendorName} have a public-facing trust center or compliance page detailing their HIPAA-eligible services?
  3. **Check for Independent Audits:** Do they have a SOC 2 Type 2 report or a HITRUST certification? Request and review these documents.
  4. **Shared Responsibility Model:** Does ${vendorName} clearly document what they are responsible for versus what you are responsible for in maintaining compliance?
  5. **Data Residency and Control:** Can you control where the data is stored geographically?
  6. **Breach Notification:** What is their process and timeline for notifying you in the event of a breach on their end? This must be outlined in the BAA.
  7. **Data Disposal:** What is their policy for securely deleting your data when you terminate your service with them?
  `
        }]
      };
    }
  );
  ```