6 Steps to Ensure Vendor Compliance


Can you imagine a world where a single person provides all healthcare? No third-party contractors, suppliers, or referring physicians, and no reliance upon pharmaceutical companies or manufacturers? Sounds a little lonely and unlikely.

Healthcare today requires many people and organizations working in sync to provide quality and compliant care. No one person can provide all the care alone. Since hospitals, long-term care companies, clinics, dialysis companies, dental practices and the like rely upon third parties, suppliers and contractors to provide care and service, knowing who you are working and partnering with is paramount to quality and compliant care.

Who are your Vendors/Contractors/Third Parties?

Believe it or not, we find this simple question has a tendency to cause waves of panic for a compliance officer. In most healthcare organizations, vendor procurement is a separate department from human resources, compliance or even legal. Most of the compliance software that was developed to onboard, manage and track vendors is not specific to the needs of healthcare and has not kept up with the increasingly complicated regulatory requirements around knowing more about your vendor.

Traditional vendor management software contains just enough fields to allow the vendor to get paid: i.e., name, address, Federal Employer Identification Number (FEIN), contract pricing, contact, company-assigned account number and term of the contract. However, ask your procurement department whether they have 100% of that information, specifically the FEIN, current address and company owners, and you're likely to hear crickets and find holes in the database.

Further, the list of "vendors" will most likely include all parties your organization paid during a period of time. As such, we find databases typically contain duplicate entries for vendors based on past payments, with partial information, and may even include things like employee expense reimbursements, patient overpayment reimbursements, checks to charity, etc.

Knowing who your current vendors are and having confidence their information is current, accurate and complete can be difficult and cause a compliance officer uneasiness and fear. It is evident most organizations do not streamline or coordinate their communication systems and data between vendor procurement and compliance.

(This does not imply any malfeasance – it’s just an area that seems to have been under-resourced).

Are your vendors qualified?

Okay, so now we recognize that knowing who your vendors are and what role they play in the delivery of healthcare is a challenge. Next, let us determine if they are "qualified" to conduct their business. (Please note, this article does not address assessing their competency; rather, it reflects on the foundational elements of a compliant entity, legally speaking.)

A company (a.k.a. vendor) is a legal organization recognized and legally authorized to conduct business by a state's Secretary of State. Each state has a Secretary of State responsible for registering companies and enforcing compliance with required documents and reporting. A company is issued a Certificate of Good Standing if it can demonstrate compliance with certain enumerated required filings, such as Annual Reports, Tax Certificates and registration. Such compliance is required annually. Failing to file or register can result in a company losing its registration and subject it to fines and penalties.

The Secretary of State website provides a wealth of information (e.g., corporate address, registered agent and corporate structure, among other things). The Secretary of State will also assign the company a unique company ID.

A company will also receive a FEIN from the IRS once it is incorporated with the Secretary of State. That FEIN is key for several reasons. One is that the FEIN is the number associated with all 1099 and W-4 reported income. It is also the number some primary source exclusion lists and state disciplinary actions use to identify the company.

Whose responsibility is it to ensure vendors are qualified?

It's both yours and the vendor's responsibility. Don't get too comfortable relying on your vendor to adhere to YOUR compliance requirements, however. Ask yourself: will your vendors self-disclose that they are excluded by the OIG? Unfortunately, they probably will not, especially since they know they are likely to lose your business. Perhaps even more important to note, per the OIG's stance, the company that hires or contracts with them (you!) is responsible if the vendor is excluded. Contracting or otherwise engaging with an excluded third-party vendor can cost your organization in fines and penalties.

As far as the OIG is concerned, the company that hires, contracts with or employs a third party or person is responsible to the OIG IF the vendor is excluded. The OIG will fine you as the entity contracting with an excluded company. Also, keep in mind that companies AND company owners can be excluded.

It is also important to note that relying solely upon a statement by, or a contractual provision requiring, your vendor's compliance is not, in and of itself, enough. Instead, you should include vendors in YOUR screening and monitoring program. See the Effect of Exclusion Guidance from the OIG (pages 11-14):

"An excluded person may not provide services that are payable by Federal health care programs, regardless of whether the person is an employee, a contractor, or a volunteer or has any other relationship with the provider. For example, if a hospital contracts with a staffing agency for temporary or per diem nurses, the hospital will be subject to overpayment liability and may be subject to CMP liability if an excluded nurse from that staffing agency furnishes items or services to Federal health care program beneficiaries." FN21

Footnote 21: The hospital may reduce or eliminate its CMP liability if the hospital is able to demonstrate that it reasonably relied on the staffing agency to perform a check of the LEIE for the nurses furnished by the staffing agency (e.g., the staffing agency agreed by contract to perform the screening of the LEIE and the hospital exercised due diligence in ensuring that the staffing agency was meeting its contractual obligation).

What other steps do we need to take?

You are probably asking yourself: do we need to check our vendors' employees, particularly those they place in or send to our organization?

Technically, no. You definitely cannot do business with an excluded vendor, whether it's a company or an individual. If a company sends an employee to your organization, it is best practice to include that individual in your monthly OIG exclusion monitoring program.

To start, ensuring the vendor company is not excluded is, at minimum, your responsibility. You should seek to obtain a contractual commitment (i.e., attestation) from your vendors stating that they will not send an excluded individual to you. Additionally, conducting random audits of their compliance with your exclusion monitoring requirements is a best practice step you should include in your compliance program.

What information should you collect and check from your vendors?

    1. Legal name of entity
    2. D/B/A, if applicable
    3. Federal Employer ID Number (FEIN)
    4. Address of company
    5. Secretary of State ID number (helpful, when available)
    6. Information on owners with a 5% or more ownership stake (Name, SSN, Address, DOB)
    7. State of incorporation
    8. Dun & Bradstreet Number (helpful when searching)
    9. Does the vendor handle personally identifiable information (PII) or protected health information (PHI)?
    10. Has the vendor signed a business associate agreement (BAA)?

How often should you monitor your vendors?

Monthly. See the Effect of Exclusion Guidance.

Assuming you have conducted your due diligence on the vendor before officially engaging with them, it's important that you begin to monitor the vendor for exclusions. It's best practice to monitor, at minimum, the OIG's List of Excluded Individuals and Entities (LEIE) each month. It's also recommended that the GSA's site be searched monthly and that all available state Medicaid exclusion lists be monitored, since the vendor could also be excluded, debarred or sanctioned, and the record may only be reflected on one of these lists and not on the OIG's LEIE. (Reference Section 6501 of the Affordable Care Act.)


Vendors are integral to the delivery of healthcare. It is almost impossible to imagine healthcare without the involvement of, or dependence upon, vendors. Ensuring quality and compliant services is your responsibility. Including vendor compliance in your compliance plan, as well as monthly monitoring for exclusions, is necessary to avoid potential civil fines and penalties from the OIG.


Written by Michael Rosen, ESQ
ProviderTrust Co-Founder,

Michael brings over 20 years of experience founding and leading risk mitigation businesses, receiving numerous accolades such as Inc Magazine's Inc 500 Award and the Nashville Chamber of Commerce Small Business of the Year.