June 20, 2017

7 Tips For Effective Vendor Management

by Taryn Bevilacqua in Compliance

You can lead a horse to water but you can’t make it drink. If you’re an organization working with protected health information (PHI), however, and your business associates are the proverbial horses, you had better try to make them drink the HIPAA privacy rules. Why? If a business associate violates HIPAA requirements, your organization can be held liable as well. For example, according to an article in Security Intelligence, a covered entity was liable for part of a $550,000 total settlement when its business associate violated privacy rules.

At SCIO Health Analytics, we do everything possible to ensure that our business associates stay in compliance with the HIPAA rules. All covered entities – provider and payer organizations – should do the same. More specifically, you should implement a vendor management program that includes:

1 - Assessing the level of potential PHI exposure.

Before working with business associates, it’s essential not only to identify the companies that will work directly with PHI, but also to identify vendors that could have incidental access to PHI. For example, an IT consultant is likely to access PHI frequently. A paper shredding company, on the other hand, is not likely to work directly with PHI, but its staff could come across PHI in the course of carrying out their duties. So protections still need to be in place.

2 - Educating vendors.

Some business associates might not realize that they are required to comply with HIPAA regulations. As such, you need to explain the ins and outs of the privacy rules and ensure that the vendors understand that they will be held directly liable for any violations of the PHI requirements.

3 - Ensuring business associates are taking adequate precautions.

For example, when working with a data vendor, it’s a good idea to require independent third-party audit attestation, such as an SSAE 16 (SOC) report. Keep in mind that SSAE 16 is an attestation standard rather than a security certification: a SOC 1 report covers controls relevant to financial reporting, while a SOC 2 report is the one that covers security, availability and confidentiality controls, so ask for the report type that matches the vendor’s PHI exposure. While it wouldn’t be necessary to require a paper shredding company to have such an attestation, it would behoove a covered entity to require that the paper shredding company provide employee background checks and drug screening.

4 - Conducting annual assessments.

Compliance work is not a once-and-done endeavor. As such, it’s essential to survey vendors at least annually to ensure continued compliance.

5 - Encouraging non-responsive vendors to respond.

Vendors sometimes don’t respond to compliance surveys. So, continual follow-up is required. It’s important to use multiple communication channels when attempting to get a response. For example, if a vendor doesn’t reply to an e-mail, a follow up call might be necessary.

6 - Offering remediation assistance.

When a business associate completes the assessment and non-compliance red flags surface, you, as the covered entity, need to work closely with the vendor to resolve those issues.

7 - Terminating relationships with non-compliant business associates.

If the compliance issues cannot be resolved, then it is time to terminate the business arrangement and seek another vendor.

These are some of the best practices that we’ve discovered while implementing vendor compliance management programs. Do you know of any others?


Author
Taryn Bevilacqua
Compliance Director

Taryn Bevilacqua serves as Compliance Director for SCIOinspire. In this role, she is responsible for leading the internal processes for promoting and ensuring SCIO’s compliance with laws, regulations, company policies and contracts.

