As part of the University's contract review process, UAB IT is responsible for reviewing any University contract that includes an IT or IT-related component before that contract is executed. The information below is provided to help speed the processing of contracts once they are routed to IT for review. Questions on the process or requirements should be directed to UAB IT.
WHAT CONSTITUTES AN IT RELATED CONTRACT OR AGREEMENT?
- Contracts* for software, subscriptions, or services (including software maintenance) that include:
  - Hosting/processing/transmission of UAB data external to UAB
  - PCI (Payment Card Industry) acceptance/processing of credit card transactions
  - Design, creation, maintenance, support, and/or hosting of any website/webpage
  - Personally identifiable information (PII) or personal health information (PHI) - does not include Health System agreements, which are managed by HSIS
  - Audit language
  - Custom software development
- Agreements for products where a similar product or standard is already available/supported at UAB
- Hardware purchases with embedded software that involve any of the above
- *NOTE: For agreements that include the types of information listed above, documents/agreements must be executable, meaning they have signature lines for both UAB and the vendor. Printing a 'click-agreement' or printing language from a website and submitting it as an 'agreement' for review does not guarantee that the vendor will ever see changes/addendums that UAB may make or add to the agreement.
WHAT DOES IT LOOK FOR WHEN MY CONTRACT IS REVIEWED?
- The primary goal is to minimize risk to you and UAB. New agreements are normally subject to a more detailed review than renewal agreements. IT will review the checklist (see the FORMS section below) that you submit with your agreement for a quick determination of what review may be needed.
- For new agreements, as necessary:
  - Confidentiality and Information Security provisions are reviewed to ensure appropriate confidentiality language is present, provisions to follow UAB on-site rules are present (if applicable), and that the vendor performs background checks on their employees. For agreements that include HIPAA or PHI, a Business Associate Agreement (BAA) will also be required. The BAA is handled by the UAB Legal and/or Privacy office and not by UAB IT.
  - For agreements where the vendor is hosting, processing, or transmitting UAB information, additional language is needed: that appropriate vendor controls are in place to protect UAB's data and that such controls are audited appropriately; that provisions are included for the return of UAB data at the end of the agreement; and that the vendor will notify UAB in the event of any security event involving UAB data. If the vendor is processing payment transactions, language supporting the PCI (Payment Card Industry) standards is required.
  - Indemnification and Liability provisions are reviewed to ensure that the vendor indemnifies UAB from any claims that their product breaches any copyright, trademark, or patent and that they will defend any such claim at their expense. In addition, most vendors limit any claims for any breach to a small dollar amount; IT adds language removing that limitation when the breach is for confidentiality or information security claims.
  - Web/website development agreements are reviewed to ensure the vendor is aware of and will follow UAB branding requirements, security standards, and 508 compliance requirements.
  - Audit language is reviewed and modified if needed (vendor's right to come on site at will to audit).
  - Language is added stating that the "Written Agreement Governs". This is to prevent a conflict when a 'click' agreement may have to be accepted by a UAB employee to actually download, run, or maintain the product.
  - IT will also look to see if a similar service/product is already in place at UAB. If so, IT will work with the requesting department to understand and document the justification/business case for going outside the standard service/product.
- For renewals:
  - If the renewal indicates it is governed by an existing agreement and that existing agreement was reviewed by IT initially, then the only IT review is to ensure no changes to any language are being requested by the vendor and that the renewal is consistent with the underlying agreement.
  - If the renewal is for an agreement that was not reviewed by IT initially, then IT will need to review the underlying agreement and work with the department on what options may be available to make modifications based on the criteria above for new agreements. Modifications to existing agreements may take more time and may ultimately result in modifications not being possible, potentially increasing the risk to UAB.
- Language to cover all of the items above is provided in the applicable IT Addendum (see the FORMS LIBRARY section). The addendum can be printed and submitted to the vendor for signature prior to routing that agreement for signature at UAB. This will greatly speed up the review process in IT.
QUICK TIPS FOR A SMOOTH IT CONTRACT REVIEW
- Complete the IT Checklist and attach it to your contract when routing (see the FORMS LIBRARY section);
- If any of the items 'checked' on the list indicate an IT addendum is needed, go ahead and send the addendum to the vendor for signature prior to routing for UAB review/signature (see the FORMS LIBRARY section).
- UAB Contracts/Procurement also require a generic addendum be added in most cases. If you send the vendor an IT addendum, also include the UAB addendum. (See the FORMS LIBRARY section).
- Provide any backup information such as master agreements, statements of work, etc.
- Submit agreements that are 'executable' (they have signature lines for both parties and are not simply printed off of a website).
TIPS FOR WHAT MAKES FOR A GREAT CONTRACT (IT RELATED OR NOT)
Below are some items that should be considered when negotiating any agreement, not just IT related agreements.
- Don't base fees/costs on FTE numbers as these numbers can change each year;
- No annual escalators;
- Include vendor service level expectations with remedies if they are not met/maintained;
- Include 'piggyback clauses' where the agreement can be used by other institutions in the UA System;
- If the vendor holds/processes any UAB data, make sure the agreement contains a data exit clause that ensures UAB data is returned at no cost to UAB and in a timely manner;
- For agreements with professional services:
  - clearly define responsibilities and expectations of each party;
  - limit travel costs for any on-site work to actual costs and to no more than 15% of the actual professional services you pay for;
  - include language indicating the vendor will follow UAB on-site rules if working on UAB property (see the FORMS LIBRARY section);
  - include language indicating the vendor must be aware of and follow UAB's Acceptable Use of Computer Resources policy (see the FORMS LIBRARY section) when connecting devices to the UAB network.
- Don't agree to pay for services/products up front. Base payment on milestones or completion and UAB written acceptance;
- In most cases agreements should renew annually upon mutual agreement and with issuance of a UAB PO. Agreements should not renew automatically, nor require you to notify the vendor 60 days prior to the renewal date to prevent renewal.
FORMS LIBRARY
- For contracts that IT initiates, a standard agreement review template is used to evaluate risk. You can download a copy of that template here for your own use.
- IT Routing Checklist - should be completed and attached to the routing packet. This checklist should help you determine which (if any) IT Addendum may be required.
- VPIT Routing Form (required when submitting new and renewal agreements)
- Vendor Disclosure Form (for agreements over $15K - this is required annually) - https://financialaffairs.uab.edu/forms.asp
- The UAB Information Technology Addendums cover additional confidentiality, information security, and liability language to mitigate any issues related to the items/concerns above. (NEW Streamlined Addendums Coming Soon) Any changes to the IT addendum must be re-routed to UAB Contracts for review and approval.
  - UAB IT Basic Addendum (basic, with no hosting of data or web development/hosting)
  - UAB IT Hosting Addendum (includes additional language for when UAB data is being hosted/transmitted/processed by a 3rd party)
  - UAB IT Web Addendum (includes additional language for website branding, technical requirements, and 508 compliance)
  - UAB IT Full Addendum (includes both hosting and web language)
- UAB Acceptable Use of Computer Resources policy
- Business Justification/Exception Form - Coming Soon (for use when you are requesting an exception to purchase a non-standard or similar product/service)
- General UAB Addendum (found on the Financial Affairs contract website) - covers information related to State, University, and Legal issues/clarifications. Any changes to the UAB addendum must be re-routed to UAB Contracts for review and approval.
- Business Associate Agreement (BAA) (found on the UAB HIPAA website) - for agreements that include HIPAA (health-related information).
- W-9 Form (needed for 'new' vendors) - https://financialaffairs.uab.edu/forms.asp or https://www.irs.gov/pub/irs-pdf/fw9.pdf
- NDA Agreement (also known as the confidentiality agreement; outlines the confidential material, knowledge, or information that the parties wish to share)
- Fee for Service (UAB providing or receiving; found on the Financial Affairs contract website)