Hospitals and health systems today face an unprecedented number of challenges to ensure vendor compliance and protect their employees and patients. Healthcare worker burnout, siloed technology solutions, and gaps in the credentialing infrastructure are among the factors which can lead to noncompliance. Unfortunately, even one instance of noncompliance can cause severe financial penalties and years of reputational damage. Here are six key strategies that help healthcare organizations maintain compliance:
1. Solidify policies and procedures
Without a consistent policy, your organizations and patients are put at increased risk for security and HIPAA compliance risks, disrupted workflows, and more. Maintaining strong policies and procedures form the foundation of any successful access management and compliance program. Policy formation and review should have executive buy-in, be informed by government regulations, be a collaborative effort between departments, and be informed by vendor activity patterns, and organizational priorities.
In addition to creating strong policies and keeping them up to date, making them easily accessible to vendors who play a role in compliance is critical. To reduce confusion for all parties, your organizational policies should be maintained in the same online credentialing compliance platform. Similarly, vendors should sign all required policies within that same system for streamlined operations. When it's time for vendors to review updated policies, instant vendor alerts can make it easy for them to stay in compliance by reviewing and acknowledging a health system’s updated policies.
A complete guide on forming a strong vendor policy is found here.
2. Track meaningful data
The complexity of today’s compliance landscape requires a new level of visibility across your vendor activity beyond just who’s on-site. It’s essential to have instant access to vendor activity data for audit preparedness, but enacting policies that keep everyone aligned requires an understanding of patterns and trends. Health systems need to look for trends within data to strategically inform policies. For instance, if you notice an increase of non-compliance in your operating room, looking to the data to identify the root cause and inform the course of action could be key, such as:
- Has there been a change in staff?
- Is there an influx of new vendors?
- Is there clear signage in that area?
- Are vendors checking in and checking out?
- For what reason have the vendors entered the facility?
- How often do they request appointments for specific reasons?
Having crucial visibility into this data allows you to manage vendor access to your facility and staff while collecting the critical data necessary to implement data-driven policies, protect physicians’ billable time, and prevent instances of noncompliance before they happen. A key principle of compliance is consistency and standardization across all processes and channels.
3. Bridge the in-person and virtual divide
Today, thoughts around compliance are still limited to in-person interactions. It becomes challenging for hospitals to ensure that their compliance, credentialing, and product standards are enforced in virtual scenarios, which represent an ever-increasing proportion of interactions. What happens when your vendors are engaging online with physicians and are introduced to new product demos and value analysis? Most hospitals lack visibility into whether or not that vendor is compliant with their policies or if the product is compliant with their clinical and financial standards. Compliance is not limited to in-person exchanges. It should be considered across vendors and products, both at the virtual and physical front door to prevent further infractions.
4. Create a culture of compliance and training
If a rep was walking around without a badge, the OR director would likely know what to do to enforce compliance. But would anyone else? Employees are the first line of defense when it comes to compliance whether it’s protecting patients or interacting with vendors. All team members are integral to ensuring compliance programs are working smoothly. Building a culture of compliance supports organizational standards and is essential to patient and staff safety. Creating and sustaining a culture of compliance comes down to education and incentives.
Both vendor and staff education should be ongoing endeavors rather than a “one and done” approach. Health systems should consider implementing required compliance courses and educational programs on key topics such as general expectations and hospital safety, code of ethics, bloodborne pathogens training, HIPAA compliance, protocols, and joint commission patient safety goals and protocols.
Here are some signs your team is a supporter, not a detractor of compliance. Your team:
- Knows the facility’s compliance protocol
- Helps new vendors understand how to register with your vendor credentialing platform
- Knows the credentialing workflow from vendor registration to vendor check-out
- Is aware of your department-specific requirements (appointments required, specific credentials, vendor point of contact, etc.)
- Knows what to look for to quickly tell if vendors comply
- Knows how to distinguish different access levels
- Feels comfortable enforcing compliance and reporting instance of non-compliance
Training doesn’t have to be complex given the limited bandwidth of hospital stakeholders. Training for internal staff should be focused on key points:
- What is our policy and where can I find it?
- What is the organization’s vendor check-in process?
- How to point vendors in the right direction?
- What are the organization’s expectations for staff in enforcing compliance?
- What should employees look for? (I.e., badge information, etc.)
- What are the different access levels?
- What is the action plan if someone notices a noncompliant situation?
- How to report instances of noncompliance in the compliance software?
5. Close credentialing infrastructure gaps
The comprehensive nature of both vendor credentialing and ongoing access management should extend beyond basic compliance measures such as a compliant badge and vaccination status to encompass background checks, OIG exclusion checks, identity verification, and more to reduce liability risk. When foundational credentials are “a la cart” rather than inclusive, the door for a compliance breach is automatically opened – and the organization may face consequences if a noncompliant vendor makes it into their facility.
When it comes to closing the gap in compliant access management, reliability and support are equally important. When the internet goes or there are issues with an organization’s kiosks, how do you prevent reps from accessing the facility without checking in? Internet-free check-ins are critical to ensuring reliability and preventing a compliance breach.
Read more here about the importance of identity verification and background checks.
6. Make enforcement consistent and clear
Having strong policies is foundational to maintain compliance, but when instances of noncompliance arise, enforcement becomes equally critical. According to the Department of Justice (DOJ), a strong corporate compliance program includes several facets, including a compliance officer, written policies and procedures, auditing and monitoring, and systems in place for communication, education, and discipline. Leadership should make repercussions and escalation processes for non-compliance clear.
Specify who:
- Verifies non-compliance
- Arranges case coverage
- Shares details with impacted physicians/staff
- Completes documentation
- Communicates to vendor representatives
- Reviews vendor contracts and assesses consequence options
The consequences for non-compliance should be strict to encourage vendors to self-manage and remove the burden from caregivers. There should be first violation consequences and second violation consequences.
When noncompliance is reported, incident management comes into play via a workflow based on predetermined configurations set up by the hospital. In this workflow, all instances of non-compliance should be logged in one centralized platform and be assigned predetermined infraction levels based on the nature and severity of the violation, so that incidents are routed appropriately. For example, a simple parking violation might be assigned a Level 1 infraction and be routed to the supply chain department without needing the bother the compliance department, while a high-level instance such as a HIPAA violation might be assigned a Level 3 and automatically route to the compliance department for attention.
It’s important for health systems to have a centralized system for reporting, documenting, and tracking instances of vendor noncompliance. When noncompliance is documented and resolved with this model, vendor credentialing and compliance is possible. Not only are health systems more likely to resolve instances of noncompliance efficiently and with less risk, but organizations are also able to use data to identify patterns of vendor behavior, such as repeat offenders. This equips the supply chain team to quickly pull vendor compliance reports and take actionable steps with leaders within the organization.
Hospitals are juggling many challenges to protect their employees and patients in healthcare today. Compliance, vendor access, and new product introduction are inextricably linked when considering the reality of the current and future state of the healthcare supply chain. It’s no longer enough to simply have a vendor access policy. With the right strategies and solutions in place, healthcare organizations can regulate access to their facilities, ensure patient and staff safety, and prevent costly and reputation-damaging violations. By implementing a centralized access management solution, organizations can set rules and regulations on how individuals access their facilities and reduce the risk of noncompliance.
Learn more about vendor compliance.
