Vendors, suppliers, and third-party contractors (often collectively referred to as “vendors”) are an integral part of the healthcare ecosystem. Our research shows, on average, a hospital with 1,000+ employees also contracts with and/or relies upon an even larger network of vendors.
So what does that mean for your healthcare organization’s compliance program? Is your organization properly vetting and monitoring compliance of your entire vendor network?
In this post, we’ll break down the definition of healthcare vendors and summarize the most important and impactful laws and regulations that apply to vendors and the healthcare organizations that contract with them.
Following Sections 1128 and 1156 of the Social Security Act, the HHS Office of Inspector General Exclusions Program mandates that healthcare organizations refrain from doing business with “excluded or sanctioned” individuals or entities. In addition to exclusion monitoring of individuals within your workforce and provider networks, you are responsible for ensuring your network of vendors are also clear of any state or federal exclusion lists, such as the OIG’s List of Excluded Individuals and Entities (LEIE).
Healthcare organizations that contract with vendors are responsible for vetting and monitoring the continued compliance and status of its own vendor networks – an ongoing task that for many healthcare organizations creates vulnerability to monetary risk and penalties. Regulators and enforcement agencies at both the state and federal levels are serious about issuing fines and penalties to the organization that contracts with an excluded vendor, as well as the vendor itself – a growing trend we expect to continue.
What is considered a healthcare vendor?
The answer is simple – a healthcare vendor is defined as any entity or individual that is paid by a healthcare organization for goods or services. This means everyone from a medical device supplier, a consultant, to a printer can be considered a healthcare vendor regardless of whether they have a contract with the organization or physically interact with a facility and/or its patients.
To better demonstrate the scope of what the OIG would consider a vendor, let’s consider three typical vendor profiles and the impact of their activities in and on a healthcare organization.
- Vendor X provides revenue cycle management software. It handles Protected Health Information and processes and stores such data for a hospital.
- Vendor Y is a supplier of surgical instruments to a hospital. As such, it sends representatives on site to deliver and pick up equipment.
- Vendor Z provides contract janitorial services. As such, its staff visits on site to perform services and have access to patient rooms, equipment, medications and/or personal items.
Which regulations govern vendor compliance?
Federal regulators such as the HHS-OIG, the Department of Justice (DOJ), the Centers for Medicare and Medicaid Services (CMS), and others have regulations and guidelines regarding the prohibition of reimbursements of federal healthcare dollars (Medicaid, Medicare, CHIPS, TriCare, and others) to excluded vendors. Further, the submission of certain claims for services not rendered, over-billing, or fraudulent payments by vendors and payments made by the employer who contracts with the vendor may be subject to a claim for False Claims Act violations and/or Stark Law claims. Accordingly, the OIG-LEIE includes excluded individuals and entities of those persons, vendors, and owners of an excluded vendor.
At ProviderTrust, we categorize vendors in accordance to the possible risk factors that their services may have to your healthcare organization, looking specifically at access to data, onsite access or storage, and processing of data. For healthcare organizations, vendor services require a more thorough and specific due diligence in order to assess risk and to document compliance with any or all of the following regulations and laws listed below:
1. Privacy/Protected Health Information
PHI 45 CFR 160.103: A healthcare organization is responsible for ensuring patient data is secure and that any third-party vendor who processes, stores or handles such data does so in a secure and compliant manner. The vendor is referred to as a first-tier, downstream vendor. In addition, if the vendor is located offshore, additional safeguards must be documented. Finally, in order for the healthcare organization to get reimbursed by Medicare, Medicare Advantage and/or Medicaid, CHIPS or TriCare, the vendor must meet certain minimum requirements regarding safeguarding Protected Health Information (PHI).
Additionally, healthcare organizations choose to meet certain industry standards to evidence their own compliance with safeguarding PHI or Personally Identifiable Information (PII), such as HiTRUST, and or SOC. Accordingly, vendors should also be SOC accredited and/or meet HiTRUST standards.
PII NIST SP 800-12, and/or other ISO and NCQA standards apply. If a vendor handles PII, which most do, then there are safeguards that the vendor must prove are in place to protect such PII from breach of data/privacy. This is evidenced by policies and procedures documenting disaster recovery, incident response, and other data privacy controls. All parties do not want to have the government intervene in an identity theft incident or breach of data recovery action by the Office of Civil Rights.
2. Federal Health Care Dollar Reimbursements
CMS (Medicare, Medicare Advantage, Medicaid, CHIPS, TriCare): Violations of simply submitting a false claim, a bill for services not rendered, a claim involving false billings, over-billing and fraud can subject both the healthcare organization and the vendor to one of the following:
- False Claims Act (criminal and civil liability)
- Patient safety
- Worthless or poor quality of services or products
- RAC/MAC/CPIC audits
- Patients’ rights
- Staffing levels
- Quality of care
- Loss of reimbursements
3. Regulatory and Audit/Compliance Regulations
HHS-OIG: This is the enforcement arm of the federal government and has a broad brush of civil fines, penalties, and the ability to seek criminal action against fraudulent actors. As such, the healthcare organization should ensure that its vendors have documented:
- Required compliance plan
- Code of conduct
- Training
- Policy/procedure
- Conflict of interest
- Monitor effectiveness
- Audit
- Annual risk assessment
Exclusions (State and Federal), Section 42 U.S.C. 1124: The OIG can impose exclusions of an individual or an entity, including vendors, and can include its owners, managers and even referring physicians. The fines and penalties are imposing and swift. If the individual or entity is excluded, no federal healthcare dollars can be paid, in whole or in part, for any services directly or indirectly provided by and through the excluded party. This includes owners who hide behind the corporate veil, as well as managers and is regardless of whether such person or entity provides direct care to patients. It also includes suppliers. The infractions can impose civil fines and penalties (see OIG Special Advisory Bulletin 2013) on the following:
- Individuals
- Entities
- Vendors
- Owner
- Referring physicians
4. Insurance Coverage and Indemnification Clause
How much insurance does your vendor carry and are you named as an additional insured? Does the coverage meet your minimum contractual requirements? Did the vendor agree to indemnification for its negligence, omissions, and/or employees? These are important sections and usually contractual requirements that your organization has required. If the answers are unknown, you may not have adequate protections or coverage when needed.
