HSS Vendor Management
HSS strives to maintain the highest standards and understands the importance of communicating and enabling positive accountability for everyone who contributes to our culture and performance. Vendors are integral to our operations and we aim to conduct business with Vendors who share our Mission, Values and Purpose, and comply with our policies and expectations. This website provides up-to-date announcements, site access guidelines, purchasing guidelines, vendor-related policies and other resources to support our Vendors.
- ALL VENDORS must be registered and credentialed with Green Security and in receipt of their Green Security ID Badge for access to any HSS facility (please consult the Vendor Onsite Visit tab for site-specific access information). Register here. Already have a Green Security account? Log in and add HSS to your list of participating accounts.
- ALL VENDORS accessing the HSS Main Campus and contiguous buildings (Belaire and Pavilion) must enter through the dedicated Vendor Entrance, located on 70th Street (please consult the Vendor Onsite Visit tab for additional information).
Code of Conduct
HSS is committed to promoting the highest standards of legal and ethical conduct and integrity at every level of our enterprise.
We recognize that everyone – trustees, employees, medical staff, volunteers and others who comprise or have a relationship with HSS – must cooperate willingly and participate actively in order to have an effective compliance program. It is our expectation that everyone will act in accordance with our HSS Code of Conduct and HSS Vendor Code of Conduct and conform to their standards and supporting guidance, policies and procedures.
Please feel free to contact the HSS Vendor Management Team at 646.714.6826 or VendorManagement@hss.edu, the HSS Office of Corporate Compliance at 212.774.2070, the Confidential Compliance Helpline at 1.888.651.6234, or visit hss.ethicspoint.com. A caller is not required to disclose their identity when reporting into the Compliance Helpline or reporting concerns through hss.ethicspoint.com.
Vendor Credentialing - Green Security
To support HSS’s commitment to securing our facilities and protecting our patients, staff, visitors and Vendors, HSS is requiring all Vendors accessing HSS facilities and/or HSS networks and applications to register with HSS’s Vendor Management System, Green Security. Green Security provides enhanced credentialing and comprehensive background checks for all HSS Vendors.
Effective April 24, 2023, all Vendors are required to register with Green Security and maintain the required credentials, training and education for compliant business practices with HSS, and authorized access to our network and facilities. Vendors are responsible for all costs associated with Green Security registration and credentialing.
When visiting any HSS facility, Vendors are expected to check in through Green Security and prominently display their Green Security ID badge at all times while onsite. Please consult the “Vendor Access – Site-Specific Access Protocols” section for site-specific access and check-in information.
For Green Security registration or technical support questions, please contact Green Security at 866-750-3373 or support@greensecurityllc.com.
HSS Vendor Badge Requests
HSS Vendor badge requests (new or reactivations) must be approved by the Office of Vendor Management. Vendors requesting an HSS Vendor badge must also be registered and credentialed with Green Security, and in receipt of a Green Security ID badge.
When onsite at HSS, all Vendors are required to adhere to all HSS Vendor-related policies, check-in protocols and the Vendor Code of Conduct.
To request a new HSS Vendor badge or the reactivation of an existing one, e-mail the following information to: VendorManagement@hss.edu
Vendor Information:
Company:
Name:
Email:
Cell Phone Number:
Date of Birth:
HSS facilities you plan to access:
Frequency of visits to HSS per week:
Specialty (e.g. Spine, Sports Medicine, etc.):
Specific doors you are requesting access to:
HSS Sponsor (HSS Director or above verifying the need for a Vendor to be issued an HSS ID and authorizing that ID holder to have access to specific identified areas in HSS facilities):
Vendor Access – Site-Specific Access Protocols
Main Campus
For access to HSS Main Campus, Belaire and Pavilion buildings: All Vendors must enter through the dedicated Vendor Entrance located on the E. 70th Street ramp during the following hours:
- Monday-Friday 5am-5pm
- Saturday 6am-4pm
Vendors accessing the Main Campus and contiguous buildings (Belaire and Pavilion) outside of the Vendor Entrance’s operating hours must check in with staff in the Main Hospital’s lobby.
Vendors can no longer enter the Main Campus and contiguous buildings via Main Lobby, Belaire, Pavilion, 72nd Street or the NYP bridge. Any Vendors attempting to enter through these locations during the Vendor Entrance’s operating hours will be re-routed to the designated Vendor Entrance. Vendor compliance with these entry protocols will be monitored and enforced.
Site-Specific Access Protocols
For site-specific physical access protocols, please reference the table below with information regarding Vendor entry locations and Green Security check-in instructions.
For Green Security Self Check-in Services: Please scan your Green Security ID badge at the designated kiosk in the corresponding site's Vendor entrance location, as indicated below.
For Green Security Mobile Check-in Services: Please check in via your mobile device (through your account on the Green Security mobile application or Green Security website) and present your daily pass to Security at the corresponding site's Vendor entrance location, as indicated below. For additional check-in instructions through your mobile device, please download the Green Security mobile application (iOS and Android) and follow the check-in instructions provided.
| Location | Vendor Entrance & Check-in Location | Check-In Mode |
| --- | --- | --- |
| Main Campus Building | Vendor Only Entrance on E. 70th Street Ramp | Green Security Self-service Check-in kiosk |
| Belaire | Vendor Only Entrance on E. 70th Street Ramp | Green Security Self-service Check-in kiosk |
| Pavilion | Vendor Only Entrance on E. 70th Street Ramp | Green Security Self-service Check-in kiosk |
| 75th Street Campus | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| Manhattan ASC | Ground Floor Main Entrance at Security Podium | Pre-approved appointment only. Green Security Self-service Check-in kiosk |
| HSS Ortho Injury Care | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| HSS Midtown | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| Westside ASC | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| Hudson Yards | Ground Floor Main Entrance at Security Podium | Follow Hudson Yards current building Security check-in procedures. Additionally, Green Security Mobile Check-in; present your mobile device pass to HSS Front Desk Registration Staff |
| HSS ASC of Mahwah (Mahwah, NJ 07430) | Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| HSS Paramus | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| HSS Saddle River | Ground Floor Entrance at Front Desk Registration | Green Security Self-service Check-in kiosk |
| HSS Stamford | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| HSS Westchester | Ground Floor Main Entrance at Front Desk Registration | Green Security Self-service Check-in kiosk |
| HSS Long Island | Ground Floor Main Entrance at Suite 101 or Suite 106 Front Desk Registration | Green Security Self-service Check-in kiosk |
| HSS Brooklyn | Ground Floor Main Entrance at Security Podium | Follow Industry City's current building Security check-in procedures. Additionally, Green Security Mobile Check-in; present your mobile device pass to HSS Front Desk Registration Staff |
| HSS Queens | Ground Floor Main Entrance at Front Desk Registration | Green Security Mobile Check-in; present your mobile device pass to Front Desk Registration Staff |
| HSS Florida WPB | Ground Floor Main Entrance at Security Podium | Green Security Self-service Check-in kiosk |
| HSS Florida Wellington | Ground Floor Entrance at Front Desk Registration | Green Security Mobile Check-in; present your mobile device pass to Front Desk Registration Staff |
| HSS Pediatric Rehabilitation & Young Athlete Center | Ground Floor Entrance at Security Podium | Green Security Self-service Check-in kiosk |
Site Access Policies
Vendor Resources
If you have a question or concern, HSS offers the following resources to assist and support you:
For General Vendor Management Questions or Concerns:
- Vendor Management Team: 646.714.6826 or VendorManagement@hss.edu
For registration or technical support questions regarding HSS’s Vendor Management System, Green Security:
- Green Security: 866.750.3373 or support@greensecurityllc.com
For Safety, Security, and Facility Questions or Concerns:
- Engineering: 212.606.1460
- Environmental Services: 212.606.1460
- Security: 212.606.1840
For Privacy and Information Security Questions or Concerns:
- Corporate Compliance: 212.774.2398
- Confidential Helpline: 888.651.6234 or hss.ethicspoint.com
For suspected violations of our Code of Conduct, HSS policy, laws, or regulations relating to HSS:
- Corporate Compliance: 212.774.2398
- Legal Affairs: 212.606.1592
For Harassment, Bullying, or Discrimination Questions or Concerns:
- Employee Relations: 646.797.8672 or 212.774.2287
- Corporate Compliance: 212.774.2398
- Confidential Helpline: 888.651.6234 or hss.ethicspoint.com
Our Confidential Helpline is ALWAYS available to you. Our toll-free Confidential Helpline is administered by an independent company and is available 24 hours per day, 7 days per week. Calls to the Confidential Helpline are never recorded and cannot be traced. When you call the Confidential Helpline, a representative from the independent company will document the information you share and forward that information to HSS’ Office of Corporate Compliance. Corporate Compliance will ensure individuals with appropriate expertise effectively respond to your question or concern. After reporting your question or concern, you will receive a case number and that will be your reference if you want to call the Confidential Helpline to receive a status update or provide additional information.
Purchasing Guidelines
Supplier Onboarding
HSS Supply Chain is utilizing Workday Strategic Sourcing (WSS), which enables us to collect information to build accurate Supplier profiles for all new Vendors. Via WSS, Suppliers must provide the required documentation to become an approved HSS Supplier.
Building accurate Supplier profiles is necessary to conduct efficient business with your company including timely ordering and payment processing.
Vendor Invoice Submission
E-mail: apinvoices@hss.edu
Mail:
Hospital for Special Surgery
Attention: Accounts Payable
535 East 70th Street
New York, NY 10021
Vendor Requests for GHX Access to Submit Bill-Only Requisitions
Vendors who need to submit bill-only requisitions on a regular basis for loaner implants/instruments may request access to GHX by completing and submitting the Sales Representative GHX Access Request Form to an HSS Buyer or directly to OR Strategic Sourcing for review and approval.
- Criteria for granting access
  - Vendors need to submit bill-only items to GHX
  - Vendors utilize bill-only items regularly
  - No other Representatives from the same Vendor division have access
- Access will be denied if
  - Vendor is making a request simply for coverage purposes
  - Another Representative from the same Vendor division already has access to GHX
- If access is denied
  - OR Materials Management team will submit Vendor’s bill-only items to GHX on behalf of Vendor
  - OR Strategic Sourcing team will notify the Vendor that access is denied and advise them to send their bill-only items directly to the OR Materials Management team for GHX submission
Information Security
To ensure the safety of our patients’ data, we have issued the following guidance pertaining to information security requirements for vendors working with HSS. While not all-inclusive, we encourage review of this guidance to align with our policies and expectations.
The following classifications of vendors are arbitrary and not restrictive. If the below five classifications do not describe your vendor relationship with HSS, or if you have any questions or concerns, feel free to contact Corporate Compliance (212.774.2398). Similarly, if a vendor cannot adhere to the below standards, Information Security can review the security standards on a case-by-case basis.
Type 1 (IT Solutions) - SaaS/Web-Portal | Vendor provides a cloud or web-based system
Access Management:
- Aligned to HSS network connection requirements
- SSO or AD-integration; and MFA capabilities
- Role-based access and privileged access management features (including for vendor/support/service accounts)
Technical Security Mechanisms:
- Network penetration testing (including web-application level)
- Change and patch/upgrade management procedures
- Audit logging and SIEM integration
Contingency Management:
- Disaster Recovery and Business Continuity procedures
- Incident Response procedures and reporting thresholds defined
Certifications and Attestations:
- SOC 2 Type II
- Cybersecurity evaluations (e.g., ISO 27001, HIPAA, HITRUST, NIST CSF, NIST 800-53, etc.)
Data Protection:
- Encryption at rest (AES 256-bit) and in transit (TLS v1.2+) aligned to HSS data security requirements
- Tenant isolation and segmentation
- Secure software development lifecycle procedures
Other:
- Data protection agreement in contract and/or BAA
Type 2 (IT Solutions) - IoT/IoMT | Vendor provides a (medical) device that is internet-integrated
Access Management:
- Aligned to HSS network connection requirements
- Role-based access and privileged access management features (including for vendor/service accounts)
Technical Security Mechanisms:
- Vulnerability scanning
- Network penetration testing (including web-application level)
- Change and patch/upgrade management procedures
- Audit logging and SIEM integration
Contingency Management:
- Remote-wipe capability (if local storage of data on device)
Certifications and Attestations:
- FDA approval and 524B
- SOC 2 Type II
- Cybersecurity evaluations (e.g., ISO 27001, HIPAA, HITRUST, NIST CSF, NIST 800-53, etc.)
Data Protection:
- Encryption at rest (AES 256-bit) and in transit (TLS v1.2+) aligned to HSS data security requirements
Other:
- Data protection agreement in contract and/or BAA
- Device software and version support
Type 3 (IT Solutions) - On-Premises | Vendor system or application is hosted on HSS network within HSS data center(s)
Access Management:
- Aligned to HSS network connection requirements
- SSO or AD-integration; and MFA capabilities
- Role-based access and privileged access management features (including for vendor support/service accounts)
Technical Security Mechanisms:
- Vulnerability scanning
- Network penetration testing (including web-application level)
- Change and patch/upgrade management procedures
- Audit logging and SIEM integration
Contingency Management:
- Disaster Recovery and Business Continuity procedures
- Incident Response procedures and reporting thresholds defined
Certifications and Attestations:
- SOC 2 Type II
- Cybersecurity evaluations (e.g., ISO 27001, HIPAA, HITRUST, NIST CSF, NIST 800-53, etc.)
Data Protection:
- Encryption at rest (AES 256-bit) and in transit (TLS v1.2+) aligned to HSS data security requirements
Other:
- Data protection agreement in contract and/or BAA
- See onsite visit requirements for maintenance and support
Type 4 (IT Services) - Network/VPN Access | Vendor has a network drop on HSS network (IPSEC, VPN)
Access Management:
- Aligned to HSS network connection requirements
- SSO or AD-integration; and MFA capabilities
- Role-based access and privileged access management features (including for vendor support/service accounts)
- Periodic user access reviews
Technical Security Mechanisms:
- Network penetration testing (including web-application level)
- Change and patch/upgrade management procedures
- Audit logging and SIEM integration
Contingency Management:
- Disaster Recovery and Business Continuity procedures
- Incident Response procedures and reporting thresholds defined
Certifications and Attestations:
- SOC 2 Type II
- Cybersecurity evaluations (e.g., ISO 27001, HIPAA, HITRUST, NIST CSF, NIST 800-53, etc.)
Data Protection:
- Encryption at rest (AES 256-bit) and in transit (TLS v1.2+) aligned to HSS data security requirements
- Data loss/leak prevention mechanisms
Other:
- Data protection agreement in contract and/or BAA
Type 5 (IT Services) - Vendor receives HSS data through digital transfer mechanisms (e.g., SFTP) or in-person physical transfers
Access Management:
- Secure data exchange method (e.g., SFTP, secure portal)
- Periodic user access reviews
Technical Security Mechanisms:
- Network penetration testing (including web-application level)
- Change and patch/upgrade management procedures
- Audit logging and SIEM integration
Contingency Management:
- Disaster Recovery and Business Continuity procedures
- Incident Response procedures and reporting thresholds defined
Certifications and Attestations:
- SOC 2 Type II
- Cybersecurity evaluations (e.g., ISO 27001, HIPAA, HITRUST, NIST CSF, NIST 800-53, etc.)
Data Protection:
- Encryption at rest (AES 256-bit) and in transit (TLS v1.2+) aligned to HSS data security requirements
- Data loss/leak prevention mechanisms
Other:
- Data protection agreement in contract and/or BAA