Screening employees and potential hires against federal and state exclusion lists can be relatively straightforward if an organization’s HR department maintains current employee data and utilizes the services offered by screening companies such as Streamline Verify. However, being assured that an organization’s vendors, contractors and suppliers are not excluded or sanctioned can be a much more arduous and convoluted process.
In today’s complex healthcare industry, most organizations contract with third parties for certain services and supplies. Under Sections 1128 and 1156 of the Social Security Act, HHS OIG mandates that healthcare organizations refrain from doing business with “excluded or sanctioned” individuals or entities. Therefore, if a healthcare organization receives federal reimbursement, either directly or indirectly, it is required to screen its staff, providers, contractors and suppliers against the two primary federal exclusion lists, the OIG’s List of Excluded Individuals/Entities (LEIE) as well as the GSA’s SAM.gov database to assure that no excluded individuals or entities are receiving federal funds. Ultimately, the healthcare organization is responsible for assuring that its network of vendors and contractors are not excluded from any state or federal list.
Vendor management is a chronic weak link for many organizations both from an operational perspective as well as for purposes of identifying excluded persons or entities. For this reason, vendor risk management is a high priority for many companies.
There are many points of potential failure related to contracting with third parties that can impact performing a comprehensive monthly screening of third-party contractors and vendors:
- A decentralized contracting process. In a complex organization such as a hospital or health plan, the responsibility for contracting is often shared among many departments. Physician contracting may be under the purview of a medical group or a provider affairs department while temporary or ancillary staffing may be managed by human resources. Contracting for custodial services may occur at the facility level. Medical equipment and supplies may be purchased on a department-specific basis, such as DME being purchased by an orthopedic department. While it seems self-evident that all medication purchases should be managed centrally by an organization’s pharmacy department, there are healthcare organizations where certain types of drugs are managed by the specialty clinics dispensing them. There may be business or historical reasons why an organization permits a highly decentralized contracting model but it can significantly complicate the ability of an organization to comply with federal screening requirements of all contracted vendors.
- Contract oversight and management challenges. Because some degree of contracting decentralization is common in most organizations, the risk of this arrangement can be mitigated by a robust contract repository and tracking system plus a well-defined contracting authority schema. There are many contract management software options available to support contract management processes. However, because a contract management system’s effectiveness is determined by its enterprise-wide adoption, maintenance and use, it is critical that senior leadership mandate its use and enforce restrictions on contracting authority. If contract management processes are not enforced, reliance on a contract repository for current vendor information needed for screening, a partial repository can lead to incomplete screening efforts
- Delegating vendor management to third parties. Some organizations hire other companies to recruit and manage contracted staff and to perform needed background checks. Working with a recruitment firm, temp agency or a facility security firm to find and vet staff prior to hire can be a very cost effective and a smart business strategy. However, unless there is a strong oversight mechanism to assure that the required screening is occurring and that all current contracted staff information is maintained consistently by its delegated vendor, it can result in the hiring or retention of excluded individuals. Ultimately, the healthcare organization is held responsible for any errors in identifying and addressing excluded individuals who may inadvertently perform work on their behalf.
- Internal Exclusion Reporting Disconnects. When exclusion screening responsibilities are shared across multiple departments, information may not flow consistently to the department responsible for documenting the screening and for reporting any exclusion matches. While HR may be responsible for checking potential hires and current employees, Credentialing may take point on provider exclusion checks every two years but not manage the monthly provider screening process. Materials Management may be responsible for facility supplier contractor checks but security staff screening may be done externally by a third-party vendor. Unless there is a clear directive to consistently notify the department responsible for oversight, which is often Compliance, the most diligent organization can still fail to meet its duty to track and report on screening outcomes.
Even when vendor exclusion screening is performed regularly, an organization’s system issues can undermine upload of current vendor data. Incompatible system interfaces can result in newly excluded vendors being granted facility access when HR/vendor data systems and facility access systems are not properly integrated. Stale data may allow excluded persons access to facilities and patient areas that can create significant risk for an organization and its patients.
A healthcare organization that employs or retains an excluded vendor or contractor can rack up significant civil monetary penalties (CMP) for failure to identify a vendor or contractor who have provided and billed for services payable by a federal healthcare program. A healthcare organization that bills for an item provided by an excluded supplier can be subject to CMP which can include:
- Up to $10,000 for each item or service furnished by the excluded individual or entity
- An assessment of up to three times the amount claimed
Screening organizations such as Streamline Verify can significantly reduce the risk of healthcare organizations hiring or retaining excluded individuals or entities as staff or contractors if provided with the information needed to effectively screen and cross-verify matches across all state and federal exclusion and sanction lists. However, it is incumbent upon a healthcare organization to have the systems and processes in place to identify not only their staff and providers but also capture the vendor and supplier information needed for a comprehensive screening outcome. The price for failing to effectively manage vendor relationships and data is not solely monetary – failure can create patient risk, reputational damage and also subject an organization to enhanced scrutiny by federal and state regulators. For these reasons that there is a strong focus in many organizations on improving vendor management practices.