Skip to content

Third Party Management Standard

Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Third Party Management Policy
Framework Reference: Secure Controls Framework – Third Party Management (TPM)


This standard defines how FrontRunnerHC (FRHC) participates in and supports the enterprise-wide Third Party Management program managed centrally by Summit Technology Holdings, LLC (STH). Third party vendor management is centralized at the STH level; FRHC’s role is to collaborate with STH processes rather than manage vendors independently. This standard documents FRHC’s obligations and compliance approach.


This standard applies to all FRHC employees, managers, and any staff involved in identifying, requesting, or working with third-party vendors, contractors, or business associates. It covers vendors that are critical to FRHC operations, that access FRHC sensitive data (including ePHI), or that have access to FRHC systems or networks.


STH maintains a centralized inventory of all third parties engaged across the enterprise, including those supporting FRHC. FRHC is responsible for notifying STH of all new vendor needs and changes to existing vendor relationships so that vendors can be inventoried and classified appropriately. FRHC does not maintain an independent vendor inventory outside of STH’s centralized system.

  • Parent Policy Mapping: STH Third Party Management Policy, Section 3.1
  • SCF Mapping: TPM-01 (Third-Party Management)

Vendor security and risk assessments are conducted by STH prior to contract execution and periodically thereafter based on vendor classification. FRHC cooperates with STH’s due diligence process by providing context, requirements, and information about the vendor relationship. FRHC does not conduct independent vendor risk assessments. Where FRHC identifies concerns about a vendor’s security posture or compliance, these are escalated to STH promptly.

  • Parent Policy Mapping: STH Third Party Management Policy, Section 3.2
  • SCF Mapping: TPM-02 (Third-Party Criticality Assessments)

3.3 Contracts and Business Associate Agreements

Section titled “3.3 Contracts and Business Associate Agreements”

All vendor contracts are negotiated and executed under STH authority. FRHC does not independently execute vendor contracts. Where a vendor accesses, processes, or stores ePHI on FRHC’s behalf, STH ensures a Business Associate Agreement (BAA) is in place prior to any data access. FRHC coordinates with STH to identify all vendors requiring BAAs. Contracts with vendors that handle personal information (as defined under 201 CMR 17.00) of Massachusetts residents — including vendors processing employee personal information such as payroll, HR, and benefits systems — must include written obligations requiring the vendor to maintain appropriate security measures consistent with 201 CMR 17.00.

  • Parent Policy Mapping: STH Third Party Management Policy, Section 3.3
  • SCF Mapping: TPM-04 (Third-Party Services)

STH oversees ongoing vendor monitoring, including collection of SOC 2 Type II reports, HIPAA attestations, and periodic security reviews. FRHC supports monitoring activities by escalating any vendor-related performance issues, security concerns, or changes in vendor scope to STH immediately. FRHC does not independently monitor vendors outside of STH’s program.

  • Parent Policy Mapping: STH Third Party Management Policy, Section 3.4
  • SCF Mapping: TPM-05 (Third-Party Contract Requirements)

Vendor termination and off-boarding activities are coordinated by STH. FRHC notifies STH when a vendor relationship is ending or when vendor access should be revoked, and cooperates with the termination process including confirming data return or destruction requirements. FRHC does not independently manage vendor termination.

  • Parent Policy Mapping: STH Third Party Management Policy, Section 3.5
  • SCF Mapping: TPM-08 (Review of Third-Party Services)

FRHC participates in STH’s vendor management governance program by submitting new vendor requests through STH’s process, cooperating with risk assessments, and promptly escalating concerns. FRHC management reviews active FRHC vendor relationships at least annually to confirm alignment with STH’s centralized inventory and BAA register. Evidence supporting FRHC vendor management compliance is retained within STH’s centralized records and made available for SOC 2 Type II audits and HIPAA Security Rule compliance assessments.


All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.

Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.


Parent Policy:

  • Summit Technology Holdings – Third Party Management Policy

Regulatory Requirements:

  • HIPAA Security Rule:
    • 45 CFR §164.308(b) – Business Associate Contracts and Other Arrangements
  • AICPA SOC 2 Trust Services Criteria:
    • Risk Mitigation (CC9.2)
    • Vendor Management (CC3.1)
  • Massachusetts 201 CMR 17.00: §17.03(2)(f) – Contractual Requirements for Third-Party Service Providers

Framework Alignment:

  • TPM-01 – Third-Party Management
  • TPM-02 – Third-Party Criticality Assessments
  • TPM-04 – Third-Party Services
  • TPM-05 – Third-Party Contract Requirements
  • TPM-08 – Review of Third-Party Services

RevDescriptionDateApproved
-Policy createdJuly 2021M Machin
1.0Formatting UpdateSeptember 2022WSI
2.0Updated and approved for 2024July 2024WSI
3.0Updated and approved for 2025July 2025M Machin
4.0Converted to StandardApril 2026M Machin
4.1Added 201 CMR 17.00 vendor contract requirement (§3.3); added MA regulatory citationApril 2026M Machin

Internal Use Only