Hospitals and healthcare systems rely on hundreds of vendors every day to provide reliable services. These services range from hospitality, transportation, security, IT, transcription, linen and laundry to patient, medical, clinical and waste-removal services, to name a few. Outsourcing business operations to business associates, vendors, contractors and suppliers is big business. However, in a highly regulated market such as healthcare, it carries big risk too. That is why regular vendor risk assessment, through monitoring and analyzing vendor standing and performance at each stage of the supply chain, should not be left to chance.
Relying on a one-time background check of each business associate (BA), vendor, contractor and supplier is not a foolproof approach, because these assessments are typically performed only at contract signing or, at best, once a year. So what happens when a vendor or business associate lands on a federal or state exclusion or sanctions list at some point after the initial background assessment and validation?
Today, 30 to 50 percent of all hospital data breaches are attributed to business associates and vendors. These breaches hurt hospitals on both a business and a personal level. Hospitals can be fined up to $11,000 USD for each claim filed that involves an excluded or sanctioned vendor, and it is the hospital's responsibility to know, at all times, each vendor's status across the multiple federal and state exclusion and sanction lists. Depending on the severity of the breach, hospital personnel can also be held personally liable, facing both fines and jail time. When breaches involve excluded or sanctioned vendors, the Centers for Medicare and Medicaid Services (CMS) can revoke the hospital's right to bill for services rendered. Doing business with third-party vendors is a serious issue that poses a real threat, and it should not be overlooked.
Healthcare organizations cannot do business with excluded or sanctioned individuals or entities. The Office of the Inspector General (OIG) has the authority to enforce exclusions against individuals or entities across all States under the Affordable Care Act: an individual or entity excluded in one State is not permitted to receive federal healthcare funds in any other State. Covered Entities (CEs) share responsibility and liability for the actions of all their Business Associates (BAs) and vendors; the CE is liable for the BAs' actions and omissions. It is the law, and penalties for lax oversight are steep. For a BA or vendor working with a healthcare CE, that liability in turn extends to the actions and omissions of its own vendors and subcontractors.
A study published by the Ponemon Institute, Data Risk in the Third-Party Ecosystem, examined the security risk companies face when sharing sensitive information with third parties. Among the findings: 56 percent of businesses have had a third-party data breach; 84 percent lack a complete inventory of third parties; and 63 percent do not know when a third party shares data with a fourth party. The survey also found that 42 percent of companies had experienced cyber-attacks against third parties that resulted in the misuse of the company's own sensitive or confidential information. Effectiveness in managing third-party risk remained low: fewer than one in five companies (17 percent) felt they managed third-party risk effectively, and less than half of respondents agreed that managing the risks of outsourced relationships is a priority in their organization. A key deficiency identified in the study was that "companies lacked visibility into their third-party relationships." More than half of respondents said they do not keep a comprehensive inventory of all third parties with whom they share sensitive information, and only 18 percent know how external parties access and process that data.
It is the hospital's or healthcare system's responsibility to ensure that all vendors remain in good standing and that those with signed business associate agreements continue to meet the eligibility requirements. Does your organization have visibility into the standing of all its third-party relationships? Does it have a policy and procedure in place for real-time exclusion screening of vendors, contractors and suppliers? How does it manage reputational risk? What is its risk tolerance?
Automatically and continuously monitoring and managing vendors is not optional; it is a business imperative. Here are six screening best practices:
- Establish vendor screening policies and procedures that prevent staff from entering into a relationship with any business associate, vendor, contractor or supplier that appears on a federal or state exclusion or sanctions list. The policy should spell out the enforcement responsibilities and the actions to be taken by the staff performing the screening.
- Continuously monitor vendors to ensure they have not been added to an exclusion or sanctions list. Technology solutions available today can perform real-time screening of business associates and vendors long after the initial contract signing.
- Set up a risk-level ranking so you know where to focus attention when following up on potential matches and enforcing vendor compliance.
- Validate compliance with a complete audit trail of your screening and management efforts, so you can show when each vendor was screened, against which list, and with what result.
- Mitigate risk promptly when a match is confirmed, so that you keep your good standing and avoid costly fines and penalties from CMS, OCR, OIG and other governing bodies.
- Conduct routine audits to identify potential vulnerabilities in the program before a breach occurs.
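The screening steps above (policy enforcement at onboarding, continuous re-screening against an exclusion list, risk ranking of matches, and an audit trail) can be turned into a small, repeatable job. The following is an added illustration, not code from the original page or from any vendor product. It assumes a simplified, constructed exclusion file that borrows a handful of column names from the OIG LEIE download (LASTNAME, FIRSTNAME, BUSNAME, NPI, EXCLTYPE, EXCLDATE, REINDATE) and a made-up vendor roster; the vendor names, NPIs and dates are sample data, and the rule that an empty REINDATE means the exclusion is still in force is an assumption of the example.

```python
"""Screen a vendor roster against an exclusion list and record an audit trail.

Added illustration; not code from the original page or from any vendor product.
The exclusion-list layout is a constructed, simplified subset of LEIE-style
columns; vendor names, NPIs and dates are made-up sample data.
"""
import csv
import hashlib
import io
import json
import re
from datetime import datetime, timezone

# Constructed sample exclusion list. Assumption: an empty REINDATE means the
# exclusion is still active; a populated one means the party was reinstated.
EXCLUSION_CSV = """LASTNAME,FIRSTNAME,BUSNAME,NPI,EXCLTYPE,EXCLDATE,REINDATE
,,ACME MEDICAL TRANSCRIPTION INC,1234567893,1128b4,20230115,
DOE,JOHN,,1987654321,1128a1,20220301,
,,"CLEAN LINEN SERVICES, LLC",0000000000,1128b7,20210601,20240101
,,RIVERSIDE WASTE REMOVAL CORP,,1128a3,20231201,
"""

# Constructed vendor roster, as a procurement system might export it.
VENDORS = [
    {"vendor_id": "V-001", "name": "Acme Medical Transcription, Inc.", "npi": "1234567893"},
    {"vendor_id": "V-002", "name": "Clean Linen Services LLC", "npi": ""},
    {"vendor_id": "V-003", "name": "Riverside Waste Removal", "npi": ""},
    {"vendor_id": "V-004", "name": "Safe Harbor IT Solutions", "npi": "1122334455"},
]

_SUFFIXES = {"INC", "INCORPORATED", "LLC", "CORP", "CORPORATION", "CO", "LTD"}


def normalize_name(name: str) -> str:
    """Uppercase, strip punctuation and common corporate suffixes, collapse spaces."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def load_exclusions(csv_text: str) -> list[dict]:
    """Parse the exclusion list, keeping only exclusions that are still active."""
    active = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["REINDATE"].strip():
            continue  # reinstated: no longer an active exclusion
        person = " ".join(p for p in (row["FIRSTNAME"], row["LASTNAME"]) if p)
        active.append({
            "name_key": normalize_name(row["BUSNAME"] or person),
            "npi": row["NPI"].strip(),
            "excl_type": row["EXCLTYPE"],
            "excl_date": row["EXCLDATE"],
        })
    return active


def screen_vendors(vendors: list[dict], csv_text: str) -> list[dict]:
    """Return one finding per vendor that matches an active exclusion.

    An NPI hit is ranked HIGH (unique identifier). A name-only hit is ranked
    MEDIUM and should be confirmed by an analyst before enforcement.
    """
    exclusions = load_exclusions(csv_text)
    by_npi = {e["npi"]: e for e in exclusions if e["npi"]}
    by_name = {e["name_key"]: e for e in exclusions}
    findings = []
    for v in vendors:
        name_key = normalize_name(v["name"])
        if v["npi"] and v["npi"] in by_npi:
            hit, basis, risk = by_npi[v["npi"]], "npi", "HIGH"
        elif name_key in by_name:
            hit, basis, risk = by_name[name_key], "name", "MEDIUM"
        else:
            continue
        findings.append({"vendor_id": v["vendor_id"], "matched_on": basis, "risk": risk,
                         "excl_type": hit["excl_type"], "excl_date": hit["excl_date"]})
    return findings


def audit_record(vendors: list[dict], csv_text: str, findings: list[dict]) -> dict:
    """Evidence that screening ran: when, against which list version, with what result."""
    return {
        "run_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "list_sha256": hashlib.sha256(csv_text.encode()).hexdigest(),
        "vendors_screened": len(vendors),
        "findings": findings,
    }


if __name__ == "__main__":
    results = screen_vendors(VENDORS, EXCLUSION_CSV)
    print(json.dumps(audit_record(VENDORS, EXCLUSION_CSV, results), indent=2))
```

Run on a schedule (and again whenever a fresh copy of the list is downloaded), the job re-screens the whole roster rather than only new vendors, which is what catches a vendor excluded after contract signing. The hash of the list file in the audit record lets an auditor tie each run to the exact list version used, and the HIGH/MEDIUM ranking keeps analyst attention on identifier matches first while name-only matches (which normalization can over-match) are confirmed before any enforcement action. A reinstated party, such as the linen vendor in the sample data, produces no finding.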
Real-time healthcare vendor risk assessment is vital. Start today by putting together a vendor risk assessment program that combines good governance practices with proven technology. Download 10 Things to Know When Choosing a Vendor Risk Management Solution today.