Does Vendor Credentialing Vary by State? Blog Feature

By: symplr on March 31st, 2021

Print/Save as PDF

Does Vendor Credentialing Vary by State?

vendor credentialing | vendor management

Vendors and vendor management play a significant role in the operation of healthcare facilities. Healthcare organizations use third-party vendors to handle a number of functions, from providing service for capital equipment to delivering devices for surgeries, helping to ensure the facility’s day-to-day operations run as planned. By partnering with third-party vendors, staff members and administrators stay focused on providing care to patients. However, before third-party businesses can provide supplies or services, their vendor representatives must go through the organization’s vendor credentialing process.

One question in particular comes up often whenever vendor credentialing is discussed: Does vendor credentialing vary by state? The answer, broadly speaking, is no: States don’t have regulatory requirements for vendor credentialing. That said, even though states don’t set vendor credentialing policies, those policies can still vary depending on what state(s) the vendor is in.

Why is vendor credentialing important?

Often, vendors are businesses that provide goods and/or services across multiple departments and areas within a hospital or healthcare organization. Some vendors’ products are used in patient treatments, while others are used to protect staff and providers. In other words, the potential impact a vendor can have on a facility’s operations and safety is enormous. Those effects extend beyond patients to include workforce safety as well.

Vendor credentialing is also important from an administrative standpoint. Improperly vetted or credentialed vendors can prevent organizations from billing Medicare, Medicaid, and some private insurers. In addition, improper vendor credentialing can lead to significant monetary penalties for the healthcare organization.

Who sets vendor credentialing policies?

The responsibility for vendor credentialing rests with individual healthcare organizations—which, of course, are subject to federal and state regulatory requirements. So while states aren’t directly involved with vendor credentialing, the hospitals and healthcare organizations that set those policies are bound by state-mandated compliance and regulatory requirements.

Allowing healthcare organizations to set their vendor credentialing policies has benefits and drawbacks for vendors. While a handful of hospital systems have adopted a standardized credentialing process, the majority of healthcare organizations each have their own vendor credentialing requirements. That means vendors must maintain a variety of certifications depending on each organization’s requirements, and depending on the organizations, those certifications may not overlap. Organizations that have standardized requirements can save vendors a little time on the credentialing paperwork, but they still must go through the vendor credentialing process with each organization, one by one.

On the other hand, vendors who work with large hospital groups operating in multiple states benefit from not having to certify in each state; unless the healthcare organization itself has different rules for different sites or a completely different vendor management system from one state to the next, the vendor’s credentials typically carry over.

What does vendor credentialing entail?

Vendor credentialing can be performed by a third-party vendor credentialing service that has a formal contract with a healthcare organization, or by the organization itself. An increasing number of healthcare facilities have begun implementing vendor credentialing software, which lowers costs and allows them to effectively manage credentialing for their organization..

A healthcare organization’s vendor credentialing is typically aligned with standards set by The Joint Commission (TJC), the Association of periOperative Registered Nurses (AORN), the American College of Surgeons (ACS), and the Centers for Disease Control and Prevention (CDC). 

Strictly speaking, vendors themselves are not bound by these standards; however, the healthcare organizations they work with are bound by them. With most of these standards, vendors fall under the same general umbrella of a healthcare organization’s staff and providers. In other words, from a compliance standpoint, the organization is ultimately held responsible not just for their staff, but also for the businesses they work with.

The following are just a sample of the relevant TJC standards that apply to vendors:

  • Standard EC.02.01.01 requires an accredited healthcare organization to “implement its process to identify safety and security risks associated with the environment of care that could affect patients, staff, and other people coming to the hospital’s facilities.”
  • Standard RI.01.01.01 requires healthcare organizations to implement processes to ensure patients’ rights are respected.
  • Standard IC.02.01.01 requires organizations to take the necessary precautions to ensure infection-prevention protocols are followed in the facility.


The standards AORN and ACS set are more specific to operating room settings, but depending on the vendor’s business function, this can include vendor representatives as well. Perioperative nurses are expected to “interpret and facilitate staff member and agency compliance with current local, state, and federal regulations and standards.”

By the same token, the CDC standards require hospitals and healthcare organizations to “protect patients; protect healthcare personnel; and promote safety, quality, and value in both national and international healthcare delivery systems.” That includes making sure that staff and vendors abide by safety and disease-prevention regulations, and it’s why many healthcare organizations have faced vendor management challenges during the COVID-19 pandemic.

Do states have any control over vendor credentialing?

States have no direct control over the vendor credentialing process or requirements themselves. However, as with the standards set by TJC, AORN, and other organizations, state requirements for healthcare organizations can indirectly impact how a facility manages its vendor credentialing.

As we have discussed before, vendor credentialing goes beyond managing physical access to hospitals and healthcare facilities. Any organization that bills Medicare or Medicaid is required to confirm and attest that anyone they hire or work with—including vendors—is not on the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG) List of Excluded Individuals/Entities (LEIE).

If an organization is found to be working with a vendor on the LEIE, the organization can be subject to a civil monetary penalty of up to $10,000 “for each claimed item or service furnished during the period that the person was excluded.” In addition, there may be state-specific requirements for anyone working in the healthcare industry or for healthcare-related businesses that could apply to vendors (e.g., TB tests conducted at a specified frequency). In most instances, vendor credentialing is managed and carried out by the individual healthcare organization.

How is vendor compliance achieved? 

Ensuring vendor compliance has become a particular focus for healthcare organizations, especially in the age of COVID-19. Supply chain managers at hospitals and healthcare facilities have taken a more hands-on approach to vendor management and are actively searching for ways to improve vendor compliance. One such strategy is standardizing vendor credentialing across an entire organization—a process that’s made easier by investing in vendor credentialing software.

It’s becoming increasingly clear to healthcare organizations of all sizes and types that effective vendor management plays a pivotal role in the success of a hospital or healthcare facility—not just from a patient and staff safety perspective, but from a business standpoint as well. A well-organized vendor management system helps to ensure that hospitals and their vendors are on the same page in reducing the risk of noncompliance and therefore protecting against significant monetary penalties.

But effective vendor management does not occur overnight. It’s a process that takes time to build and manage. The foundation for seamless vendor management is a robust vendor credentialing system aligned with organizational and industry standards. Vendor credentialing processes should be adjustable to meet the specific needs of the facility or organization, and—as we’ve learned from the COVID-19 pandemic—flexible enough to adapt to changing disease-prevention and patient safety guidelines, if necessary. 

The lack of state-mandated vendor credentialing guidelines and processes does make it challenging for vendors to get set up with a new healthcare organization. But states are not involved with vendor credentialing for a good reason: When it comes to vendors, there is no one-size-fits-all approach. Healthcare organizations must be able to enact and enforce their own credentialing standards to ensure they get what they need from their vendors.

Click here to learn more about symplr’s vendor credentialing software, and how we can help achieve safety, compliance,  and cost-effectiveness.



Related Posts