Does Vendor Credentialing at Hospitals Vary by State?

Every catheter, every technology, every service a hospital uses is likely influenced or touched by a vendor or supplier. Healthcare organizations use third-party vendors to handle hundreds of functions—from introducing lifesaving technology and providing capital equipment service, to delivering devices for surgeries.

All of this activity occurs so that a facility’s healthcare operations run smoothly and providers and staff can deliver quality care to patients. However, before third-party businesses can provide supplies or services, their vendor representatives must go through the organization’s vendor credentialing process. 

Does vendor credentialing at hospitals and care facilities vary by state?  

The answer, broadly speaking, is no. States don’t have their own regulatory requirements for vendor credentialing. However, even though states don’t set vendor credentialing policies, those policies can still vary depending on what state(s) the vendor works in. 

Why is healthcare vendor credentialing important? 

Often, vendors provide goods and/or services across multiple departments and areas within a hospital or healthcare organization. Some vendors’ products are used in patient treatments, while others are used to protect staff and providers. In other words, the potential impact a vendor can have on a facility’s operations and safety is enormous. Those effects extend beyond patients to include workforce safety as well. 

Vendor credentialing also affects a healthcare organization’s financial health. Improperly vetted or credentialed vendors can prevent organizations from receiving reimbursements from Medicare, Medicaid, and some private insurers. Ultimately, vendor credentialing non-compliance can lead to significant monetary challenges and penalties for healthcare organizations already impacted by shrinking hospital margins. 



How do states influence vendor credentialing policies? 

The responsibility for vendor credentialing rests with individual healthcare organizations—which, of course, are subject to federal and state regulatory requirements. So, while states aren’t directly involved with vendor credentialing, the hospitals and healthcare organizations that set those policies are bound by state-mandated compliance and regulatory requirements. 

Allowing each hospital and care facility to create their own vendor credentialing and access management policies has benefits and drawbacks for vendors. While a handful of hospital systems have adopted a standardized credentialing process, most organizations have unique vendor credentialing requirements. That means vendors may need to maintain a variety of certifications to meet each hospital’s requirements, and there’s a chance those certifications may not overlap. While standardized requirements can save vendors a little time on the credentialing paperwork, they’re still required to go through the vendor credentialing process of each organization, one by one. 

On the other hand, vendors who work with large health systems that operate in multiple states benefit from not having to certify in each state. Exceptions occur when the system itself has different rules for different sites, or different vendor management policies from one state to the next. Otherwise, the vendor’s credentials typically carry over. 

What does vendor credentialing at hospitals entail? 

Healthcare organizations themselves can perform vendor credentialing, or they can contract with a third-party vendor credentialing company. To lower costs yet effectively and compliantly manage vendor credentialing, an increasing number of health systems have begun implementing vendor credentialing software. 


Typically, a healthcare organization’s vendor credentialing policies align with standards set by The Joint Commission (TJC), the Association of periOperative Registered Nurses (AORN), the American College of Surgeons (ACS), and the Centers for Disease Control and Prevention (CDC).  

Strictly speaking, vendors themselves aren’t bound by these standards, but the healthcare organizations they work with are, prompting the health systems to create strict policies to maintain compliance and avoid penalties. For most of these standards, vendors are credentialed similarly to a healthcare organization’s staff and providers. In other words, from a compliance standpoint, the organization is ultimately held responsible not just for their staff, but also for the businesses and vendors they work with. As a result, vendors must comply with a health system’s set policies if they want to continue working with the organization. 

Here are examples of relevant TJC standards that apply to vendors: 

  • Standard EC.02.01.01 requires an accredited healthcare organization to “implement its process to identify safety and security risks associated with the environment of care that could affect patients, staff, and other people coming to the hospital’s facilities.” 
  • Standard RI.01.01.01 requires healthcare organizations to implement processes to ensure patients’ rights are respected. 
  • Standard IC.02.01.01 requires organizations to take the necessary precautions to ensure infection-prevention protocols are followed in the facility. 

The standards AORN and ACS set are more specific to operating room settings, but depending on the vendor’s business function, this can include vendor representatives as well. Perioperative nurses are expected to “interpret and facilitate staff member and agency compliance with current local, state, and federal regulations and standards,” according to AORN. 

In a similar vein, the CDC standards require hospitals and healthcare organizations to “protect patients; protect healthcare personnel; and promote safety, quality, and value in both national and international healthcare delivery systems.” That includes ensuring that staff and vendors abide by safety and disease-prevention regulations—and it’s why many healthcare organizations faced vendor management challenges during the COVID-19 pandemic. 

Do states control vendor credentialing? 

As noted, states do not directly control the healthcare vendor credentialing process or enforce requirements themselves. However, as with the standards set by TJC, AORN, and other organizations, states’ other requirements for healthcare organizations can indirectly impact how facilities manage their vendor credentialing. 

Vendor credentialing goes beyond managing physical access to hospitals and healthcare facilities. Any organization that bills Medicare or Medicaid is required to confirm and attest that anyone they hire or work with—including vendors—is not on the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG) List of Excluded Individuals/Entities (LEIE). 

If an organization is found to be working with a vendor on the LEIE, the organization can be subject to a civil monetary penalty of up to $10,000 “for each claimed item or service furnished during the period that the person was excluded.” In addition, there may be state-specific requirements for anyone working in the healthcare industry or for healthcare-related businesses that could apply to vendors (e.g., TB tests conducted at a specified frequency). In most instances, vendor credentialing is managed and carried out by the individual healthcare organization.  

How is vendor compliance achieved? 

Ensuring vendor compliance has become a particular focus for healthcare organizations, especially in the age of COVID-19. Supply chain managers at hospitals and healthcare facilities have taken a more hands-on approach to vendor management and are actively searching for ways to improve vendor compliance. One such strategy is standardizing vendor credentialing across an entire organization—a process that’s made easier by investing in vendor credentialing software. 

Effective vendor management plays a pivotal role in the success of a hospital or healthcare facility—not just from a patient and staff safety perspective, but from a business standpoint as well. A well-organized vendor management system helps to ensure that hospitals and their vendors are working in tandem to reduce the risk of noncompliance and protect against significant monetary penalties or reputational damage. 

The foundation for seamless vendor management is a robust vendor credentialing system aligned with organizational and industry standards. Vendor credentialing processes should be adjustable to meet the specific needs of the facility or organization and—as we learned from the COVID-19 pandemic—flexible enough to adapt to changing disease-prevention, patient safety guidelines, and reporting requirements, if necessary.  

The lack of state-mandated vendor credentialing guidelines and processes could make it challenging for vendors to get set up with a new healthcare organization. But states are not involved with vendor credentialing for a good reason: When it comes to vendors, there is no one-size-fits-all approach. Healthcare organizations must be able to enact and enforce their own credentialing standards to ensure their unique needs are being met through compliant relationships with vendors and suppliers. 

Learn more about symplr’s vendor credentialing software, and how we can help you achieve safety, compliance, and risk reduction across your healthcare organization. 
