June 20 2017

7 Tips For Effective Vendor Management

by Taryn Bevilacqua in Compliance

You can lead a horse to water but you can’t make it drink. If you’re an organization working with protected health information (PHI), however, and your business associates are the proverbial horses, you had better try to make them drink the HIPAA privacy rules. Why? If a business associate violates HIPAA requirements, your organization will be held liable as well. For example, according to an article in Security Intelligence, a covered entity was liable for part of a $550,000 total settlement when its business associate violated the privacy rules.

At SCIO Health Analytics, we do everything possible to ensure that our business associates stay in compliance with the HIPAA rules. All covered entities – provider and payer organizations – should do the same. More specifically, you should implement a vendor management program that includes:

1 - Assessing the level of potential PHI exposure.

Before working with business associates, it’s essential not only to identify the companies that will be working directly with PHI, but also to identify vendors that could have incidental access to PHI. For example, an IT consultant is likely to access PHI frequently. A paper shredding company, on the other hand, is not likely to work directly with PHI, but its staff members could come across PHI in the course of carrying out their duties. So, protections still need to be in place.

2 - Educating vendors.

Some business associates might not realize that they are required to comply with HIPAA regulations. As such, you need to explain the ins and outs of the privacy rules and ensure that the vendors understand that they will be held liable for any violations of the PHI requirements.

3 - Ensuring business associates are taking adequate precautions.

For example, when working with a data vendor, it’s a good idea to require that they possess advanced security certifications such as SSAE 16. While it wouldn’t be necessary to require a paper shredding company to have such certification, it would behoove a covered entity to require that the paper shredding company provide employee background checks and drug screening.

4 - Conducting annual assessments.

Compliance work is not a once-and-done endeavor. As such, it’s essential to survey vendors at least annually to ensure continued compliance.

5 - Encouraging non-responsive vendors to respond.

Vendors sometimes don’t respond to compliance surveys, so continual follow-up is required. It’s important to use multiple communication channels when attempting to get a response. For example, if a vendor doesn’t reply to an e-mail, a follow-up call might be necessary.

6 - Offering remediation assistance.

When a business associate completes the assessment and red flags for non-compliance surface, you, as the covered entity, need to work closely with the vendor to resolve those issues.

7 - Terminating relationships with non-compliant business associates.

If the compliance issues cannot be resolved, then it is time to terminate the business arrangement and seek another vendor.

These are some of the best practices that we’ve discovered while implementing vendor compliance management programs. Do you know of any others?

Taryn Bevilacqua
Compliance Director

Taryn Bevilacqua serves as Compliance Director for SCIOinspire. In this role, she is responsible for leading the internal processes for promoting and ensuring SCIO’s compliance with laws, regulations, company policies and contracts.
