Your Guide to Vendor Management Best Practices - symplr

Did you know that 50% of hospitals indicate that they have faced at least one data breach caused by third-party vendors in the past two years? A recent report from the Ponemon Institute - IBM Security shows that the average cost of a healthcare data breach in the United States is $15 million - the equivalent of $429 per record.

The healthcare industry has the highest breach costs, and these costs increase every year, which points to gaps in the vendor management process. Indeed, Ponemon researchers state that “controls and processes are often only partially deployed or not deployed at all,” which reduces their effectiveness at limiting exposure to vendor-related data breaches.

In addition to this type of risk, there are physical safety risks involving people and property, including physical assaults and the theft of medical supplies, among others. Think about how many people enter your facility on a day-to-day basis, including:

  • Vendors
  • Visitors
  • Contractors
  • Researchers
  • Consultants
  • Students
  • Staff
  • Nurses
  • Observers
  • Volunteers

It is imperative to keep track of these people’s entry and exit privileges and their whereabouts as a risk reduction measure, beyond just meeting reporting compliance requirements.

Healthcare executives and directors of supply chain, materials management, and compliance face a major challenge: to develop a better, more cost-effective approach for vendor management. Are you up to this challenge? Are you ready to execute vendor management best practices in your organization?

So, what is vendor management?

Are you eager to make a significant impact on your organization with a robust vendor management program? Let’s start with defining what vendor management entails. Holistic vendor management includes:

  • Supplier research
  • Sourcing
  • Pricing and TCO (total cost of ownership) evaluation
  • Negotiation
  • Contracting
  • Performance evaluation
  • Conflict or issues resolution

Having a solid vendor management process in place leads to better results and greater value: you work with a pool of highly qualified vendors whose performance you manage and monitor successfully. The outcomes? Cost control and cost reduction, proper risk management, and excellent service.

There are some challenges to achieving a robust and functional vendor management program, such as:

  • Vendor compliance risk
  • Vendor quality risk
  • Lack of visibility, which prevents you from taking immediate actions
  • Vendor data storage
  • On-time payments

Credentialing is a fundamental piece within vendor management to address these challenges, in particular compliance and lack of visibility. You probably have a software system, but is it the right one for you and your organization? Let’s take a look at the typical requirements for vendors.

Typical facility requirements for vendors/visitors

According to the American Hospital Association, over 90% of healthcare facilities have some type of vendor credentialing requirements for access. These requirements have become tighter in recent years.

The motive behind this lies in compliance and supply chain protocols. Specifically, many organizations looking for cost reduction and patient safety improvement have written policies that cover direct vendor access to surgeons in the OR and the optimization of credentialing for vendor reps.

Gone are the days when sales reps could ask to see a physician without a scheduled appointment. Many facilities request that vendors’ products be approved by Purchasing or Materials. Most healthcare facilities have a vendor management program that tracks pre-approved vendor check-ins and check-outs and prints temporary badges and day passes.

Some typical facility requirements are as follows:

  • Sign-in and sign-out of all vendors that call the hospital
  • Identification badge with photo to wear at all times in the facility
  • Vaccination history – including annual tuberculosis skin test and flu vaccination
  • Product or service training and competency; employer’s liability (insurance) and/or background checks. These requirements apply to vendors that access the OR and/or invasive labs.
  • Criminal background checks for vendors who have access to patient care areas such as OR, Cath Labs, and medical floor
  • Required appointments
  • Designated parking instructions
  • HIPAA Privacy Rule
  • Vendors are not allowed to bring trial equipment or supplies into patient care areas without prior approval

Many organizations have several specific requirements, which increases complexity. In this context, credentialing software becomes vital in vendor management. There are multiple solutions in the market. If you face these complexities, a key aspect to consider is how well the solution can be customized to meet your needs.

A typical vendor process or lifecycle

Hospitals rely on vendors for supplies or goods, routine maintenance, specialized services, and one-time and emergency repairs. Considering the number of vendors and what could go wrong – vendors arriving unexpectedly without appointment or at a different time, needing other parts to perform a repair, delivering items that cannot be unloaded, among many possibilities - vendor processes are a critical undertaking.

The lifecycle approach is an end-to-end process with the following phases:

1. Identification of Need

The vendor process starts with the identification of a need for purchase. The need can be for goods or services.

2. Go-to-Market/Sourcing Process

You may issue an RFI (Request for Information) as an initial way to go to market. In this early stage of the sourcing process, you may want to explore the different business models and options available. You may want to better understand the goods or services that you are considering acquiring.

Even though you may not release any volumes or specific data from your facility at this phase, you need to ensure that the vendors invited to participate sign an NDA (non-disclosure agreement). At the same time, it is important to include security and safety questions that help you gauge each vendor’s compliance with your requirements.

3. Qualification or Evaluation

In a second phase, when you conduct a Request for Proposal (RFP), you build clearly defined business requirements, including those of security and compliance. Vendors that do not meet them are disqualified.

Other phases in the sourcing process are vendor presentations, vendor demonstrations, and customer reference checks. You perform due diligence to qualify, evaluate and rank the vendors.

4. Vendor Selection

Based on the agreed criteria, you select one or more vendors, as a result of the different phases of qualification and evaluation.

5. Legal Contract

The business requirements become part of the legal contract, and thus those pertaining to security, safety, and compliance are included. In general, contracts also have provisions on notifications about material changes in the vendor’s business models, additional subcontractors, and compliance requests for protected health information by regulatory organizations. Specific security requirements can be included in the contract body or in a separate agreement that forms part of the contract.

6. Engagement

There is a contract in place with the vendor. You set them up in your system. Now you are ready to write POs (purchase orders) to execute such a contract. These POs are acknowledged by the vendor.

7. Delivery

To have a successful delivery, you and your vendor need to collaborate. The expectations are laid out in the SOW (scope of work) included in the contract but the vendor needs your help to perform the work.

At the time scheduled, the vendor needs to sign up at the facility and meet the security requirements. You need to make sure that the work area is available for when the vendor arrives. This may involve selecting times that minimize the impact and ensure access to the work area or escorts, if required.

Best practices also include verifying safety conditions and confirming that the work was performed in accordance with the SOW.

8. Receiving and Payment

If the work performed indeed matches the SOW and the documentation submitted is complete, you do the “receiving” against the PO. If the PO, receipt, and invoice match, you proceed to pay the vendor. This is known as “the three-way match.”

9. Monitoring

You’ll want to monitor performance and compliance, based on the risk. From the security standpoint, the requirements are different. For example, the risk involved and the corresponding requirements are different for vendors who have access to protected health information only when they are onsite than for vendors who host confidential data.

Monitoring ranges from requesting vendors’ security policies, proof of training, and proof of background investigation, through proof of backups and destruction certificates, to onsite visits and security assessments by third parties.

There are solutions in the market to assist with registering all vendors and identifying business associates. There are also solutions to help manage vendor access to corporate assets.

10. Closure or Termination

The lifecycle comes to an end when the project closes or when the contract ends. There are also cases of contract termination for cause or for convenience. The contract needs to include clauses with the requirements, including security and safety, for when this happens. For instance, the contract needs to specify how access to patient information and to the facilities is eliminated and how that is documented. Bear in mind that termination also extends to subcontractors.

symplr’s Best Practices for Vendor Management

When adopting a lifecycle approach, how can you implement actionable best practices for vendor management? Let’s take a look at symplr’s answers to your questions.

1. Official Vendor Policy

A policy is a win-win for you and your vendors. It is a framework that sets consistent standards across the organization and provides guidance on how to act in certain situations. It needs to have a practical approach with real-life examples. It’s incredibly important that you enforce the policy so every department in your organization can be aligned with the same goals and objectives.

For the policy to be enforced, your staff and vendors need to know it. A suggested practice is to include the vendor policy on your website. You may also share it with potential vendors during the sourcing process so they can be clear on the expectations and requirements right from the beginning. A policy helps to build and strengthen relationships.

2. Internal Stakeholder Engagement

You also need buy-in from your organization to enforce the vendor policy. Supply chain owns the vendor policy, but all departments should be involved and engaged when creating it. This means that their voices are captured in the policy. An example lies in credentialing requirements: some organizations have very specific requirements in this relevant area that the policy needs to capture.

If there are updates, you need to make sure that your stakeholders and vendors are aware of those changes and understand their impact. Continuous training becomes pivotal for reinforcing the policy.

Both healthcare facility employees and vendors are accountable for policy compliance. By adhering to the policy, you, employees, and vendors keep patients, staff, and visitors secure and safe.

3. Vendor Flow and Activity

Flow starts with the physical check-in at the entry points at each facility. You need to find a delicate balance between minimizing the number of entrances and allowing vendors to circulate smoothly and get to the areas of your facility where they need to be. Assigning a limited number of entrances and exits for vendors to check in and out is an important part of vendor management best practices. You want to avoid long lines of vendor reps in your hallways waiting to get a day pass.

Once at the facility, it is important that the flow is clear so vendors can work effectively and at the same time, you ensure that security and safety are covered. When possible, pre-scheduled appointments are a good option to avoid or minimize disruptions.

Leading solutions can help you to have visibility of vendors in real-time and take the appropriate actions immediately. Technology can also help you with your cost reduction efforts and to streamline the flow. Check-in and day-pass printing kiosks reduce the administrative work and make the flow run smoother within facilities.

4. After-Hours Appointments and Pass Overrides

Emergencies happen. But not everything is an emergency. When emergencies do occur, you need to have a plan that considers speed as well as security and safety.

In special circumstances when there is no appointment, you need to have an override procedure in place that addresses when an override is valid and who has the authority to grant it. After you have gone through an emergency situation, you need to take a step back to analyze the need for the override and make the necessary changes to prevent it from happening again.

5. Your Program Value

At the end of the day, your performance is measured by the value you bring to the organization. To demonstrate such value, you need metrics. There are four important areas in credentialing:

  1. Safety
  2. Health
  3. Training
  4. Facility-specific custom policies


Having a vendor management policy is of utmost importance. It drives compliance and with it, security, safety, quality, and cost containment. The healthcare industry poses unique challenges for execution. There are many requirements to comply with and many vendors to manage. Technology can help, but the solution you choose needs to be tailored to your needs. Learn more about symplr’s vendor management software solutions and how we can help you and your organization succeed.
