Vendor Risk Management and Exclusions


Vendor risk management is the process of ensuring that your vendors do not create the potential for a negative impact on business performance. In business, forming a risk management strategy is essential to protecting the health of your organization. In healthcare specifically, it is common to outsource various services. With this in mind, just as your organization is liable for the internal risk associated with your own employees and services, you are also responsible for your third-party vendors.

Put simply, since vendors can pose numerous risks to your organization, you must do your homework. This research applies not only at the beginning of your working relationship but throughout it and even after it concludes.

In this post, you’ll learn what’s at stake when it comes to vendor risk management, how you can get started, and how using a service may be beneficial.

What’s at stake in vendor risk management?

Following Sections 1128 and 1156 of the Social Security Act, HHS OIG mandates that healthcare organizations refrain from doing business with “excluded or sanctioned” individuals or entities. What this means for you is that you are responsible for ensuring that your network of vendors and their owners is not excluded on any state or federal list.

But this is only one part of vendor risk management. In fact, vendor risk management acts as an umbrella covering numerous areas of risk, such as cybersecurity, compliance, strategic, reputational, operational, transactional, and credit risk.

The following are the risks mitigated by VRM:

  • Cybersecurity (data breaches and data leaks)
  • Compliance (laws, rules, or regulations are violated)
  • Reputation (negative public opinion brought about by vendor practices)
  • Operational (internal breaches, process failures, and system failures)
  • Transaction (issues with service or product delivery)
  • Credit (a third party, or any creditor tied to your third-party vendor, is unable to meet its contractual terms or financial agreements with an organization)

What if I don’t monitor my vendors?

Suppose your organization arranges or contracts with an individual or entity excluded by the OIG, meaning that the individual or entity has been excluded from program participation for the provision of items or services reimbursable under such a Federal program. In that case, you, as the provider, may be subject to CMP (civil monetary penalty) liability if they render services reimbursed by such a program.

Penalties could include:

  • Up to $10,000 for each item or service furnished by the excluded individual or entity
  • An assessment of up to three times the amount claimed
  • Program exclusion

To look at it from another perspective, let’s say you purchase 20 boxes of scalpels at $20 per box from a scalpel supplier, and it is then found that the vendor appears on the OIG exclusion list.

Your fine could look something like this:

  • $10,000 per item x 20 items = $200,000
  • $400 (total purchase price) x 3 = $1,200
  • Total = $201,200

Because of this single exclusion, a $400 purchase now costs your organization $201,200. The costs associated with an exclusion are significant.

Getting Started with Vendor Exclusion Monitoring

Companies work with hundreds (and sometimes even thousands) of vendors annually. With such high numbers, most healthcare organizations struggle to bring vendor data together in a centralized system, and without such a system it is extremely challenging to establish an effective vendor risk management strategy.

By using a service, you won’t have to worry about tracking changes in business names, addresses, and ownership information. Services can prompt vendors annually to update their information, in addition to providing smarter data verification and data accuracy validation on your side.

With services such as ProviderTrust’s VendorProof, you’ll have smarter, more effective monitoring that discovers items, such as OIG vendor exclusions, that no one else can. Our onboarding process can be streamlined by configuring a custom new-vendor workflow for your organization. Vendors provide you their business information, and that data then flows back into your organization’s existing systems.

If I use a service, how will my vendors be contacted?

We will communicate with your vendors primarily via direct mail, email, and digital marketing. Some vendors will also receive calls from our VendorCare to confirm contact information. We’re happy to work with your organization’s marketing or communications team to align messaging and brand standards.

Effortless vendor onboarding

Say goodbye to inconsistent and time-consuming vendor onboarding. Your custom enrollment workflow will ensure all vendors meet your requirements, from Medicare Advantage attestations and risk surveys to W-9s and more.
