Steps to Ensure Vendor Compliance

By Michael Rosen, Esq.
ProviderTrust Co-Founder
mrosen@providertrust.com

Can you imagine a world where a single person provides all healthcare? No third-party contractors, suppliers, referring physicians, reliance upon pharmaceutical companies, suppliers or manufacturers? Sounds a little lonely and unlikely.

Healthcare today requires a coordination of many people and organizations working in sync to provide quality and compliant care.

Identify your Vendors/Contractors/Third Parties –

Believe it or not, we find this simple question has a tendency to cause waves of panic for a compliance officer. In most healthcare organizations, vendor procurement is a separate department from human resources, compliance or even legal. Most of the software that was developed to onboard, manage and track vendors is not specific to the needs of healthcare and has not kept up with the complicated nature and regulatory requirements imposed on knowing more about your vendor.

Ask your procurement department whether they have 100% of the vendor’s information, specifically the Federal Employer Identification Number (FEIN), current address, and the company owners, and you’re likely to hear crickets and find holes in the database.

(This does not imply any malfeasance; it’s just an area that seems to have been under-resourced.)

Identify which vendors are qualified –

We recognize that knowing who your vendors are and what role they play in the delivery of healthcare is a challenge. Next, let us determine if they are “qualified” to conduct their business. (Please note, this article does not address assessing their competency; rather, it reflects on the foundational elements of a compliant entity, legally speaking.)

A vendor is a legal organization recognized and authorized to conduct business by a State Secretary of State. Each state has a Secretary of State responsible for registering and enforcing compliance with required documents and reporting. A company is issued a Certificate of Good Standing if it can demonstrate compliance with certain enumerated required filings, such as Annual Reports, Tax Certificates and registration. Such compliance is required annually. Failing to file or register can result in a company losing its registration, and subject it to fines and penalties.

Identify who’s responsible to ensure your vendors are qualified and compliant –

It’s both yours and the vendor’s responsibility. Don’t get too comfortable relying on your vendor to adhere to YOUR compliance requirements; however, ask yourself, will your vendors self-disclose they are excluded by the OIG? Unfortunately, they probably will not, since they are likely to lose your business.

Perhaps even more important to note, the company (you!) that hires or contracts with them is, per the OIG’s stance, responsible if it/she/he is excluded. Contracting or otherwise engaging with an excluded third-party vendor can cost your organization in fines and penalties.

Also keep in mind that companies AND company owners can be excluded.

It is also important to note that relying solely upon a statement by, or a contractual provision requiring, your vendor’s compliance is not, in and of itself, enough. Instead, you should include vendors in YOUR screening and monitoring program. See Effect of Exclusion Guidance from OIG (pages 11-14).

What about the Vendor’s Employees?

You are probably asking yourself: do we need to check our vendors’ employees, particularly those they place in or send to our organization?

Technically, no. You definitely cannot do business with an excluded vendor whether it’s a company or an individual. If a company sends an employee to your organization, it is best practice to include such individual in your monthly OIG exclusion monitoring program.

You should seek to obtain a contractual commitment (i.e. attestation) from your vendors stating they will not send an excluded individual to you. Conducting random audits of their compliance is a best practice step you should include in your compliance program.

What information should you collect from your vendors?

  • Legal name of entity
  • D/B/A, if applicable
  • Federal Employer ID Number (FEIN)
  • Address of company
  • Secretary of State ID number (helpful, when available)
  • Information of owners with 5% or more ownership stake (Name, SSN, Address, DOB)
  • State of incorporation
  • Dun & Bradstreet Number (helpful when searching SAM.gov)
  • Does the vendor handle personally identifiable information (PII) or protected health information (PHI)?
  • Has the vendor signed a business associate agreement (BAA)?

How often should you monitor your vendors?

Monthly. See Effect of Exclusion Guidance.

Assuming you have conducted your due diligence on the vendor before officially engaging with them, it’s important that you begin to monitor the vendor for exclusions. It’s best practice to monitor, at minimum, the OIG’s List of Excluded Individuals and Entities (LEIE) each month. It’s also recommended that the GSA’s SAM.gov site be searched monthly and that all available state Medicaid exclusion lists be monitored, since the vendor could also be excluded, debarred or sanctioned, and the record may only be reflected on one of these lists. (Reference 6501 of the Affordable Care Act).
