Do you remember the major Target breach in 2013? The repercussions of the breach raged on for quite some time after the initial security issue, costing Target a myriad of fines and penalties. A supplier in Target's supply chain caused the breach, and before Target could even react it was too late: the data was already lost. This is a modern-day example of why it matters to know your suppliers and their operational practices. Vendor risk management is an increasingly important area of risk mitigation for businesses in general, and for the healthcare industry in particular.

This post addresses why vendors are your responsibility, both to screen before contracting and to monitor for exclusions each month (it does not address the data-breach obligations of a business associate or vendor).

On average, hospitals have about 1.5 times as many vendors as employees. Hospitals and other organizations use a wide range of vendors, from pharmaceutical companies and ambulance service providers to medical equipment suppliers, food services, third-party billing companies and diagnostic labs.

Generally, vendors have a close relationship with your organization and, as in the case of the Target suppliers, might have access to privileged data. In addition, they might come into direct contact with your patients and staff. This is why having a vendor risk management plan in place is important for your organization: a plan helps reduce the risk associated with vendors.

Why are Vendors your Responsibility?

It is both your responsibility and the vendor's; however, don't get too comfortable relying on your vendor to adhere to your compliance requirements. Unfortunately, your vendors will probably not self-disclose to the OIG if they are excluded, because they know they are likely to lose your business.

Keep in mind that, according to the May 8, 2013 OIG Exclusion Guidance, the company that hires, contracts with, or employs a third party or person (that is, you) is responsible to the OIG if that third party or person is excluded. The OIG will fine you, the company, as the entity contracting with an excluded company. Remember, companies AND company owners can be excluded.

Contracting or otherwise engaging with an excluded third-party vendor can cost your organization hefty fines and penalties, which is why having a vendor monitoring plan in place is imperative to the health of your organization. Relying on vendor compliance through contractual provisions is not enough. Instead, you need to include vendors in your screening and monthly monitoring process.

Which Vendors do I Monitor?

According to the Fraud Resource Network, the provider types most commonly involved in dishonest billing are:

  • Durable Medical Equipment
  • Pharmaceutical Companies
  • Third-Party Billing Companies
  • Ambulance Service Providers
  • Diagnostic Laboratories
  • Pharmacies

According to the Association of Certified Fraud Examiners, the ten common healthcare provider fraud schemes are:

  • Billing for services not rendered
  • Billing for a non-covered service as a covered service
  • Misrepresenting dates of service
  • Misrepresenting locations of service
  • Misrepresenting provider of service
  • Waiving of deductibles and/or co-payments
  • Incorrect reporting of diagnoses or procedures (includes unbundling)
  • Overutilization of services
  • Corruption (kickbacks and bribery)
  • False or unnecessary issuance of prescription drugs

A Good Rule of Thumb

We suggest monitoring all of your vendors as you would any other employee in your organization, regardless of the vendor's reputation or compliance with healthcare regulations. Limiting the vendors you screen based on how much you pay them does not reduce your risk. If an organization or individual is excluded, the OIG does not weigh how much your organization paid that vendor or person when imposing fines and penalties.

According to the Q-4 Compliance Consumer Outlook, vendor risk management programs often suffer from one or more of the following issues:

  • Over-reliance on third-party vendors: as mentioned above, relying on statements or contractual provisions is not enough to ensure vendor compliance. Your organization must take this into its own hands and monitor third parties itself on a monthly basis.
  • Failure to train new staff or retain knowledgeable staff: in the healthcare industry, compliance needs to be a top priority, and one good way to keep it top of mind is to build it into the onboarding process. If you integrate compliance into the company culture right off the bat, you show new hires the value you place on it.
  • Failure to adequately monitor the vendor: in healthcare, many procurement systems are archaic and do not have the means to effectively monitor vendors.
  • Failure to set clear expectations.

It is important to remember to monitor all of your vendors.

No one vendor is any more or less risky. It does NOT matter whether the vendor provides direct care or has access to a patient. What matters is following the federal reimbursements: if the vendor is paid, in whole or in part, directly or indirectly, with federal healthcare program reimbursements (Medicare, Medicaid, Tricare, CHIP, etc.), then the penalties can still apply.
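As an added example that is not part of the original post: a small Python screening pass that checks every vendor and every listed owner against an exclusion-list extract, with no spend-based filtering, and normalizes names so that corporate suffixes and punctuation do not hide a match. The CSV columns, the exclusion rows and the vendor roster are all constructed for this example and are not the real OIG file format.

```python
import csv
import io
import re

# Constructed exclusion-list extract for this example. The column names and
# rows are assumptions, not the real OIG LEIE download format.
EXCLUSION_CSV = """lastname,firstname,busname,excltype,excldate
,,ACME MEDICAL SUPPLY LLC,1128b4,20150301
DOE,JANE,,1128a1,20140115
,,RAPID AMBULANCE INC,1128a1,20160601
"""

# Constructed vendor roster: legal name plus known owners, because owners
# can be excluded even when the company itself is not.
VENDORS = [
    {"name": "Acme Medical Supply, L.L.C.", "owners": ["John Smith"]},
    {"name": "Metro Diagnostic Labs", "owners": ["Jane Doe"]},
    {"name": "City Food Services", "owners": []},
]

_SUFFIX = re.compile(r"\b(LLC|INC|INCORPORATED|CORP|CORPORATION|CO|LTD)\b")


def normalize(name):
    """Upper-case, drop punctuation and corporate suffixes, collapse spaces,
    so 'Acme Medical Supply, L.L.C.' equals 'ACME MEDICAL SUPPLY LLC'."""
    n = re.sub(r"[^A-Z0-9 ]", "", name.upper())
    n = _SUFFIX.sub(" ", n)
    return " ".join(n.split())


def load_exclusions(csv_text):
    """Index exclusion rows by normalized name, for businesses and individuals."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["busname"] or f'{row["firstname"]} {row["lastname"]}'
        index[normalize(key)] = row
    return index


def screen_vendors(vendors, exclusions):
    """Check every vendor and every owner; payment volume is deliberately not a filter."""
    hits = []
    for v in vendors:
        candidates = [("vendor", v["name"])] + [("owner", o) for o in v["owners"]]
        for role, name in candidates:
            row = exclusions.get(normalize(name))
            if row is not None:
                hits.append({"vendor": v["name"], "role": role, "matched": name,
                             "excltype": row["excltype"], "excldate": row["excldate"]})
    return hits
```

Exact matching after normalization is the floor, not the ceiling: a production screen also needs fuzzy matching for misspellings and confirmation against an identifier such as NPI or date of birth before a hit is treated as a true exclusion.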

Vendors provide value in the healthcare industry through their expertise and the services they render; however, healthcare organizations must maintain oversight. Ultimately, whenever a vendor performs a service, your organization is responsible for their compliance. It is time to retire the archaic system of Excel spreadsheets and embrace vendor risk management software and programs. Then your organization will have nothing to worry about when auditors come knocking. Instead, you will welcome audits with open arms and confidence, because you are proactively monitoring all of your vendors.

Written by Michael Rosen, ESQ
ProviderTrust Co-Founder, mrosen@providertrust.com

Michael brings over 20 years of experience founding and leading risk mitigation businesses, receiving numerous accolades such as Inc Magazine's Inc 500 Award and the Nashville Chamber of Commerce Small Business of the Year.