Navigating the Gates: A Legal Analysis of Vendor Access and Competitive Practices in U.S. Public Hospitals

Executive Summary

This report provides a comprehensive legal analysis of the frameworks governing vendor access to public hospitals in the United States, with a specific focus on the role of third-party Vendor Credentialing Organizations (VCOs) and the potential for anticompetitive practices that restrict market access for new medical technologies. The analysis concludes that while hospitals operate under a stringent and legitimate mandate from federal regulators and accreditation bodies to ensure patient safety and data security through vendor credentialing, the delegation of this function to a highly consolidated, private equity-driven market of VCOs has created significant legal risks.

The healthcare vendor credentialing market is dominated by a few major players, primarily Symplr and GHX (Vendormate), who act as gatekeepers to a vast majority of U.S. hospitals. Their business model, which requires vendors to pay substantial fees for access, combined with exclusive contractual arrangements with hospitals, raises profound questions under federal and state law. This report examines these practices through three primary legal lenses: antitrust law, the federal Anti-Kickback Statute (AKS), and public procurement regulations.

Under antitrust law, the mandatory pairing of hospital access (a product for which a hospital may have significant market power) with the services of a single, designated VCO creates a strong prima facie case for an illegal tying arrangement. Furthermore, exclusive contracts between dominant hospital systems and VCOs can foreclose competition in the credentialing services market, constituting unlawful exclusive dealing. These practices mirror anticompetitive schemes that are currently being litigated in other areas of the healthcare industry, suggesting a viable pathway for legal challenges.

The financial arrangements underpinning the VCO market are also suspect. The “vendor-pays” model, particularly when coupled with revenue-sharing agreements or other financial incentives flowing from the VCO back to the hospital, creates a “pay-to-play” dynamic that implicates the federal Anti-Kickback Statute. These arrangements risk transforming a necessary safety protocol into a revenue-generating scheme that may unlawfully induce hospitals to maintain exclusive relationships and steer vendors, thereby tainting the subsequent purchase of medical products reimbursed by federal healthcare programs.

Finally, public hospitals, as governmental or quasi-governmental entities, are subject to an additional layer of legal scrutiny. Public procurement laws typically mandate open and competitive bidding for service contracts, a requirement that is often bypassed in the establishment of exclusive, long-term VCO agreements. The failure to follow these statutory procedures provides a direct and potent legal basis for challenging these exclusive contracts at the state level.

Ultimately, this report finds that while the need for vendor credentialing is undisputed, its current implementation through a concentrated and exclusive market structure is legally precarious. Medical technology companies facing access barriers have several viable, albeit complex, legal and regulatory avenues to challenge these anticompetitive and potentially unlawful arrangements, thereby seeking to restore a competitive marketplace where access is determined by clinical merit and innovation rather than the payment of an access fee to a dominant intermediary.

Section 1: The Impetus for Control: Regulatory and Accreditation Frameworks for Hospital Vendor Access

Hospitals in the United States do not implement stringent vendor access controls in a vacuum. They are compelled by a dense and overlapping web of federal regulations, state laws, and accreditation standards designed to protect patient safety, secure sensitive health information, and prevent fraud and abuse. Understanding this regulatory landscape is the foundational step in analyzing the legality of how these controls are implemented. This framework establishes the legitimate, and legally defensible, justification for hospitals to have a robust vendor credentialing program, a justification that serves as a primary defense against claims of anticompetitive conduct.

The Regulatory Mandate for Vendor Oversight

Federal agencies, most notably the Department of Health & Human Services (HHS), impose powerful mandates that necessitate the careful vetting of any individual or entity that interacts with a healthcare facility, its staff, or its patients.

HHS-OIG Exclusion Monitoring

A primary driver of vendor credentialing is the mandate from the HHS Office of Inspector General (OIG) regarding excluded individuals and entities. Any organization that bills federal healthcare programs like Medicare or Medicaid is required to ensure it does not employ or contract with any person or company on the OIG’s List of Excluded Individuals/Entities (LEIE). The LEIE includes those barred from federal programs due to offenses like Medicare fraud, patient abuse, or felony convictions related to healthcare fraud or controlled substances.¹

This obligation extends beyond clinical staff to encompass all vendors and contractors. The penalties for non-compliance are severe, including Civil Monetary Penalties (CMPs) of up to $10,000 for each item or service furnished by an excluded party, plus an assessment of up to three times the amount claimed. Given that a single surgical procedure can involve dozens of billable items, the potential financial liability is enormous. The OIG recommends that healthcare providers screen all employees and contractors against the LEIE monthly to minimize this risk. This creates a continuous, high-stakes compliance burden that necessitates a systematic tracking and verification process for every vendor representative entering a facility.

CMS Requirements

The Centers for Medicare & Medicaid Services (CMS) establishes the Conditions of Participation (CoPs) that hospitals must meet to receive payment from Medicare and Medicaid programs. While CMS does not explicitly mandate a specific third-party vendor credentialing system, its CoPs require hospitals to maintain a safe and effective environment of care. This broad mandate implicitly includes managing the risks posed by non-employees.

Furthermore, CMS directly regulates providers and suppliers through its own enrollment and screening processes, such as the Provider Enrollment, Chain, and Ownership System (PECOS). This system reinforces the federal government’s role in vetting all participants within its healthcare programs and underscores the principle that access to federally-funded healthcare environments is a privilege contingent on compliance, not a right.

HIPAA and Data Security

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) imposes strict national standards to protect sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge. Vendors who may come into contact with PHI, either directly or incidentally—such as IT contractors, medical device representatives in an operating room, or even document shredding services—must be HIPAA compliant. Hospitals are responsible for ensuring that their business associates, including vendors, have appropriate safeguards in place to protect PHI. This necessitates that hospitals verify vendors have received HIPAA training and have signed confidentiality or business associate agreements, adding another critical layer to the credentialing process.

Accreditation Standards as De Facto Law

For most U.S. hospitals, accreditation by an independent body is a prerequisite for participation in Medicare and Medicaid programs. Consequently, the standards set by these accrediting organizations function with the force of law. Failure to comply can jeopardize a hospital’s primary revenue streams.

The Joint Commission (TJC)

The Joint Commission is the nation’s oldest and largest standards-setting and accrediting body in healthcare. TJC accreditation is a symbol of quality that many hospitals rely on to meet CMS certification requirements. TJC standards are comprehensive and directly address the management of non-employees within a facility. Key standards relevant to vendor credentialing include:

• Standard EC.02.01.01: Requires the organization to manage safety and security risks within the environment of care, which includes being aware of who is entering the facility, why they are there, and what they are doing, down to the individual representative level.
• Standard RI.01.01.01: Mandates that patient rights, including privacy and dignity, are respected, which applies to interactions with both staff and vendors.
• Standard IC.02.01.01: Requires the implementation of infection prevention and control protocols, a critical consideration for any vendor entering clinical areas.
• Standards HR.01.06.01 and HR.01.07.01: Obligate the hospital to address the qualifications, competency, and performance of any non-employees who have a direct impact on patient care.

During unannounced surveys, TJC surveyors may question any individual in the facility, including vendor representatives, and will expect the hospital to produce documentation validating their presence and credentials. This high-stakes environment makes a verifiable and readily accessible credentialing system an operational necessity for accredited hospitals.

DNV Healthcare

DNV Healthcare offers a competing hospital accreditation program that is also approved by CMS. DNV’s accreditation program, NIAHO® (National Integrated Accreditation of Healthcare Organizations), integrates ISO 9001 quality management principles with CMS CoPs. A core component of this approach is proactive risk management and ensuring the general safety of the physical environment for all workers, patients, and visitors, which inherently includes the management and control of vendor access.

State-Level Requirements

While states do not typically legislate “vendor credentialing” as a distinct category, they impose a variety of laws that hospitals must incorporate into their access policies. These include state-specific licensure requirements for certain professions, public health mandates for immunizations, and, increasingly, background check laws. For instance, states like Florida and New Jersey have passed legislation expanding mandatory background screening to a broader range of healthcare practitioners, reflecting a growing trend toward heightened security and verification at the state level. In Texas, the state has gone so far as to create a standardized credentialing application for physicians, indicating a governmental interest in regulating and streamlining these verification processes. Public hospitals, in particular, must also adhere to state-level procurement and contracting laws, a subject explored in detail in Section 5 of this report.

The confluence of these federal, accreditation, and state-level mandates creates an environment where a comprehensive vendor credentialing program is not merely a best practice but a fundamental requirement for legal and financial viability. This compulsory need for a credentialing solution has given rise to the market for third-party VCOs. The nature of this demand is highly inelastic; hospitals cannot simply opt out of credentialing. This dynamic has concentrated significant power in the hands of the few large companies that provide these services, setting the stage for the potential antitrust concerns that are central to this analysis. Furthermore, the absence of a single, national standard for vendor credentials—with requirements varying significantly between hospital systems—has created a fragmented and inefficient landscape.³ This fragmentation paradoxically strengthens the market position of dominant VCOs that operate across vast networks of hospitals, as they offer a seemingly simple solution to the complex problem of managing hundreds of disparate requirements.⁵

Section 2: The Gatekeepers: An Examination of the Vendor Credentialing Market

The regulatory and accreditation pressures detailed in the previous section have created a fertile ground for a specialized industry of third-party Vendor Credentialing Organizations (VCOs). These companies have positioned themselves as indispensable intermediaries, managing the complex process of vendor access on behalf of healthcare facilities. However, this market is not a diverse landscape of competing firms. It is a highly concentrated industry, dominated by a few major players and shaped by an aggressive, private equity-fueled strategy of consolidation. This section profiles the key market leaders, analyzes their business models, and examines the impact of market concentration on both hospitals and the vendors seeking access.

Market Leaders and Corporate Profiles

The U.S. vendor credentialing market is largely controlled by a duopoly, with a few smaller firms competing for the remaining market share.

• Symplr: Symplr stands as a titan in the healthcare operations software space, with its solutions used in an estimated 9 out of 10 U.S. hospitals.⁶ Founded in 2006, the company has pursued a relentless growth-through-acquisition strategy, transforming from a focused credentialing service into a comprehensive “Healthcare Operations Platform”.⁸ This strategy has been heavily financed by private equity firms Clearlake Capital Group and SkyKnight Capital, which acquired the company in 2018.⁸ Key acquisitions that have cemented its market dominance include:
  • IntelliCentrics (formerly Reptrax): A major competitor with its SEC³URE platform, which was used in over 10,000 locations of care. Its acquisition significantly consolidated the vendor access management market.¹²
  • TractManager, API Healthcare, and ComplyTrack: These acquisitions expanded Symplr’s portfolio into contract management, workforce management, and risk and compliance software, allowing it to offer an integrated, end-to-end solution to hospitals.¹⁰
  • Smart Square: Acquired from AMN Healthcare in 2025, this addition bolstered Symplr’s AI-driven workforce scheduling capabilities.¹⁶

With estimated annual revenues around $107 million, Symplr’s scale and integrated offerings make it a formidable gatekeeper.17

• GHX (Global Healthcare Exchange): Founded in 2000 as a consortium of major medical product manufacturers, including Johnson & Johnson and GE Healthcare, GHX operates one of the largest cloud-based supply chain networks in healthcare.²⁰ GHX entered the vendor credentialing market in 2014 with its strategic acquisition of

Vendormate, a leading vendor relationship management software company. This move allowed GHX to integrate credentialing data directly into the procure-to-pay process. Like Symplr, GHX’s growth has been fueled by private equity, first by Thoma Bravo in 2014 and later by a majority stake sale to Temasek, Singapore’s sovereign wealth fund, in 2017.²⁰ GHX’s network is vast, with access to over 9,300 healthcare locations, and its estimated annual revenue exceeds $190 million.²³

• Green Security: Founded in 2014, Green Security presents itself as a more agile and customer-focused alternative to the industry giants.²⁷ While significantly smaller, with an estimated annual revenue of around $1.2 million, it has been gaining traction, as evidenced by NewYork-Presbyterian Hospital’s decision to switch from Symplr to Green Security as its exclusive credentialing platform in 2024. The company was acquired by private equity firms Spire Capital and Strattam Capital in April 2024, signaling a potential new phase of investment and growth to challenge the dominant players.²⁹

The “Vendor-Pays” Business Model and Financial Arrangements

The prevailing business model for VCOs is the “vendor-pays” system. Under this model, the hospital—the entity mandating the service—typically pays little or nothing for the core credentialing platform. Instead, the cost is shifted entirely to the vendors and their individual representatives who are required to purchase annual subscriptions to gain and maintain access.³⁰

The fee structures are often tiered, increasing with the level of access required (e.g., non-clinical vs. clinical areas) and the number of hospital systems a vendor needs to access. For example, GHX Vendormate offers “Access Tiers” with annual per-representative fees ranging from $305 for access to up to 5 health systems to $580 for access to 100 or more systems.³⁵ Green Security charges annual fees of $125 for non-clinical contractors and $275 for clinical vendors.³⁷ These fees represent a significant and recurring cost of doing business for medical technology companies, particularly for those with large sales forces covering national territories.

A more concerning aspect of this model is the existence of financial arrangements that flow from the VCO back to the hospital. These can take the form of direct revenue sharing or other in-kind benefits. The most explicit example found in the available information is IntelliCentrics’ (now part of Symplr) “SAFE and SEC³URE Program,” which offers to pay hospitals up to $3 for every credentialed vendor representative who visits their facility, in addition to a 3% rebate on other credentialing and enrollment services the hospital might purchase.³⁸ This arrangement creates a direct financial incentive for the hospital to mandate the use of a specific VCO and to maximize the number of paid vendor check-ins, raising significant legal questions under anti-kickback statutes. This financial relationship risks creating a conflict of interest, where a hospital’s choice of a credentialing partner may be influenced more by the potential for revenue generation than by the efficiency, cost-effectiveness, or security of the platform.

Market Consolidation and Private Equity Influence

The vendor credentialing market did not consolidate by accident. It is a direct result of a strategy common in private equity (PE), known as a “roll-up,” where a PE-backed platform company acquires multiple smaller competitors to rapidly gain market share.⁴⁰ Symplr’s history of at least ten acquisitions in six years, backed by Clearlake Capital, is a textbook example of this strategy.¹⁰

The influence of private equity is a critical factor in understanding the market’s behavior. The PE business model typically involves acquiring a company with the goal of increasing its profitability over a relatively short hold period (e.g., four to seven years) before exiting through a sale to another firm or an IPO. This focus on short-term profit maximization can incentivize practices such as aggressive price increases and cost-cutting that may come at the expense of innovation and customer service. Research on PE acquisitions in other healthcare sectors has shown a clear pattern of price increases post-acquisition, and there is evidence to suggest the same is occurring in the VCO market.

This consolidation creates a powerful network effect that serves as a formidable barrier to entry for new competitors. As a VCO like Symplr or GHX signs exclusive contracts with more hospitals, it becomes indispensable for vendors who need access to those hospitals. This forces more vendors onto the platform, which in turn makes the platform even more valuable to other hospitals, creating a virtuous cycle for the dominant firm and a significant hurdle for any potential challenger. The result is a market structure where a few powerful, PE-backed gatekeepers control access to the majority of the U.S. healthcare system, imposing what amounts to a “credentialing tax” on any company, large or small, that wishes to introduce its products or technologies to clinicians and patients.

The following table provides a comparative overview of the major VCOs, illustrating the concentrated and PE-driven nature of the market.

VCO Name	Ownership/Backing	Estimated Market Reach	Key Acquisitions	Business Model & Pricing	Documented Hospital Incentives
Symplr	Clearlake Capital, Charlesbank Capital Partners 8	9 out of 10 U.S. hospitals 6	IntelliCentrics, TractManager, API Healthcare, ComplyTrack, Smart Square 16	Vendor-pays annual subscription model.	IntelliCentrics’ “SAFE and SEC³URE Program” offers up to $3/visit and 3% back on other services.38
GHX (Vendormate)	Temasek (majority), Thoma Bravo (past) 20	9,300+ healthcare locations; >4,100 hospitals 24	Vendormate, Lumere, Explorer Surgical, Syft, Prodigo Solutions 20	Vendor-pays tiered annual subscription model (e.g., $305 to $580+ per rep).35	Not explicitly documented in research.
Green Security	Spire Capital, Strattam Capital 29	Not specified, but growing (e.g., NYP contract)	None specified in research.	Vendor-pays annual subscription model (e.g., $125 – $275 per rep).37	Not documented in research.

Section 3: Antitrust Law as a Lever: Challenging Exclusive and Restrictive Access Arrangements

The structure of the vendor credentialing market, characterized by dominant intermediaries, exclusive contracts, and mandatory participation, raises significant concerns under federal antitrust laws. The Sherman Act and the Clayton Act are designed to prohibit business practices that unreasonably restrain trade, create monopolies, or otherwise harm competition. Medical technology companies facing access barriers may find these laws provide a powerful, albeit complex, legal framework for challenging the status quo.

Tying Arrangements

A tying arrangement is an agreement where a seller conditions the sale of a desired product (the “tying” product) on the buyer’s agreement to also purchase a separate, “tied” product.⁴⁴ Such arrangements can be deemed

per se illegal under Section 1 of the Sherman Act if certain conditions are met, meaning they are presumed to be anticompetitive without an elaborate inquiry into their actual market effects.

Legal Framework

To establish a per se illegal tying claim, a plaintiff must prove five elements:

1. Two Separate Products: The tying and tied items must be distinct products or services with separate consumer demand.⁵⁰
2. Coercion: The seller must force or coerce the buyer into purchasing the tied product to obtain the tying product.⁵⁰
3. Appreciable Economic Power: The seller must possess sufficient economic power in the market for the tying product to impose the tie on consumers.⁵⁰ This is a lower standard than monopoly power.
4. Substantial Commerce Affected: The arrangement must affect a “not insubstantial” amount of interstate commerce in the market for the tied product.⁵⁰
5. Seller’s Economic Interest: The seller must have an economic interest in the sale of both products.⁵⁰

Application to Vendor Credentialing

The exclusive relationship between a hospital and a VCO can be framed as a classic tying arrangement:

• Tying Product: The “product” is the right of access to the hospital’s facilities to conduct business. For a medical device manufacturer, access to surgeons and operating rooms within a specific hospital or health system is a unique and essential commodity. The hospital, particularly if it is a major academic center or the only provider in a geographic area, holds significant economic power over this “product.”
• Tied Product: The “tied product” is the credentialing service offered by the hospital’s chosen VCO (e.g., Symplr or GHX).
• Coercion and Market Effect: The hospital coerces the vendor into this arrangement by establishing a policy of “no credential, no access.” A vendor who wishes to sell its products to that hospital has no choice but to purchase the tied credentialing service from the mandated VCO. Given that dominant VCOs like Symplr and GHX manage access to thousands of hospitals, these arrangements collectively affect billions of dollars in commerce for medical devices and services, easily satisfying the “not insubstantial” requirement.

This structure mirrors the “all or nothing” tying allegations in recent healthcare antitrust lawsuits, such as the case against HCA/Mission Health, where health plans were allegedly forced to include all of a system’s facilities in their network to gain access to a single “must-have” hospital.⁵¹ The legal theory is directly analogous: leveraging power in one market (essential hospital access) to force a purchase in a separate, competitive market (credentialing services).

Exclusive Dealing

Exclusive dealing arrangements are agreements that require a buyer to purchase products or services exclusively from one seller for a defined period.⁵² Unlike tying, these are not

per se illegal but are evaluated under the “rule of reason.”

Legal Framework

The rule of reason analysis balances the procompetitive justifications for an arrangement against its anticompetitive effects.⁴⁵ An exclusive contract violates antitrust law if its effect is to substantially lessen competition by foreclosing rivals from a significant share of the market.

• Procompetitive Justifications: Hospitals and VCOs might argue that an exclusive contract streamlines administration, ensures uniform safety standards, and reduces costs for the hospital.⁵²
• Anticompetitive Effects: The primary harm is market foreclosure. When a dominant hospital system or a large GPO enters into an exclusive contract with a single VCO, it effectively locks out competing VCOs from that entire segment of the market. This can stifle innovation, reduce quality, and lead to higher prices in the credentialing services market by shielding the incumbent VCO from competitive pressure.

Application and Relevant Case Law

The exclusive contracts between hospital systems and dominant VCOs are ripe for challenge under this doctrine. If Symplr, which is in 90% of U.S. hospitals, has exclusive contracts with a significant portion of them, it becomes exceedingly difficult for a smaller competitor like Green Security to gain a foothold, even if it offers a better or more cost-effective service.²⁸

This scenario is highly similar to past antitrust enforcement actions. In Masimo Corp. v. Tyco Health Care Group, L.P., a medical device manufacturer successfully argued that a competitor used exclusive agreements with GPOs to foreclose it from the market for pulse oximetry products.⁵³ Similarly, the FTC settled charges with Invibio, Inc., a supplier of a high-tech polymer, alleging it used exclusive contracts to unlawfully maintain a 90% market share and prevent rivals from becoming effective competitors.⁵⁴ These cases establish a clear precedent for challenging exclusive contracts that lock up essential distribution or access channels—in this case, the hospital itself.

A critical vulnerability in the hospital’s defense is the availability of less restrictive alternatives. A plaintiff could argue that a hospital can achieve all its legitimate safety and compliance goals without an exclusive contract. For example, a hospital could adopt a policy of accepting credentials from any VCO that adheres to a recognized national standard, such as the one developed by the American National Standards Institute (ANSI).⁵ Because less restrictive means are available to achieve the same procompetitive ends, an exclusive arrangement that forecloses all competition becomes much harder to justify under the rule of reason.

Monopolization and the Essential Facilities Doctrine

Section 2 of the Sherman Act prohibits monopolization or attempts to monopolize a market. A potential, though more challenging, claim under Section 2 involves the “essential facilities” doctrine.

Legal Framework

This doctrine holds that a firm controlling a facility that is essential to competition and cannot be practically or reasonably duplicated has a duty to share that facility with competitors on non-discriminatory terms.⁵⁵ The U.S. Supreme Court has never fully recognized the doctrine and has signaled that it represents the “outer boundary” of Section 2 liability, making it a high-risk claim for plaintiffs.⁵⁷ The four elements of a claim are: (1) a monopolist’s control of an essential facility; (2) a competitor’s inability to duplicate it; (3) the denial of use to a competitor; and (4) the feasibility of providing the facility.⁵⁵

Application to Vendor Credentialing

A plaintiff could argue that a specific public hospital, especially one that is the sole provider in a rural area or a renowned center of excellence for a particular specialty, constitutes an “essential facility” for a medical device company to compete in the market for that specialty. Denial of access, based on the refusal to use a mandated VCO, could be framed as an anticompetitive act designed to protect the hospital’s or the VCO’s monopoly. However, courts have been historically reluctant to apply this doctrine to hospitals, particularly in the context of physician staff privileges, often stating that hospitals are not public utilities required to grant access to all comers.⁵⁵

Group Boycotts

A group boycott, or a concerted refusal to deal, is an agreement among competitors to not do business with another firm.⁵⁸

Legal Framework and Application

This doctrine could be implicated if a Group Purchasing Organization (GPO), which is a horizontal collaboration of competing hospitals, collectively agrees to mandate a single, exclusive VCO for all its members. This collective decision by competing buyers (the hospitals) effectively boycotts any medical device vendor that is unwilling or unable to register with the chosen VCO. It also constitutes a boycott of all other competing VCOs. The Federal Trade Commission (FTC) has successfully challenged similar arrangements where groups of competing physicians have refused to deal with insurers except on jointly agreed-upon terms, providing a strong parallel for a potential challenge against a GPO-mandated exclusive VCO contract.⁶⁰

The legal frameworks for these antitrust challenges are well-established and have been successfully applied in analogous healthcare market contexts. The structure of the VCO industry, with its exclusive contracts and mandatory participation, presents a clear set of facts that align with the elements of tying, exclusive dealing, and potentially group boycott claims. The viability of these claims is further strengthened by recent antitrust litigation, such as the MultiPlan case, which targets a similar “hub-and-spoke” model where a central entity facilitates a horizontal agreement among competitors.⁶¹ In the VCO market, the credentialing company acts as the hub, and the hospitals or GPO members act as the spokes, with the agreement being the exclusive use of the VCO’s platform. This structural similarity suggests that the legal reasoning applied in the

MultiPlan case could be readily adapted to a challenge against the vendor credentialing industry.

Section 4: Scrutinizing Financial Flows: The Anti-Kickback Statute and Vendor Credentialing

Beyond the competitive implications analyzed under antitrust law, the financial relationships between VCOs, vendors, and hospitals raise serious concerns under the federal Anti-Kickback Statute (AKS). This criminal law is a powerful tool for policing conflicts of interest in federal healthcare programs. The “vendor-pays” model, especially when combined with financial incentives flowing back to the hospital, creates a structure that is highly suspect and may constitute an illegal “pay-to-play” scheme.

The Federal Anti-Kickback Statute (AKS) Framework

The AKS makes it a criminal offense to knowingly and willfully offer, pay, solicit, or receive any remuneration—in cash or in kind—to induce or reward referrals for items or services payable by a federal healthcare program, such as Medicare or Medicaid.⁶³ The statute’s scope is exceptionally broad. “Remuneration” has been interpreted to include anything of value, from direct payments to discounts, free services, or other business opportunities.⁶⁶

Crucially, a violation can occur even if inducing referrals is not the sole purpose of a payment; if “one purpose” of the remuneration is to generate business, the statute may be implicated.⁶⁷ Violations are felonies and can result in severe penalties, including up to five years in prison, criminal fines up to $25,000, civil monetary penalties, and exclusion from participation in all federal healthcare programs.⁶⁷ Furthermore, a violation of the AKS automatically constitutes a violation of the civil False Claims Act, which can lead to treble damages and additional penalties.⁶⁶

To protect legitimate business arrangements, the HHS-OIG has established statutory exceptions and regulatory “safe harbors.” An arrangement must fit squarely within every element of a safe harbor to be protected; partial compliance is no defense.⁶⁴ If an arrangement does not meet a safe harbor, it is not automatically illegal but is subject to a facts-and-circumstances analysis of the parties’ intent.

Application of the AKS to the VCO “Vendor-Pays” Model

The standard VCO business model creates a triangular flow of payments and services that is problematic under the AKS. The arrangement can be broken down as follows:

1. A medical device vendor, seeking to sell products that will ultimately be used in procedures reimbursed by Medicare/Medicaid, pays a mandatory fee to a VCO.
2. The VCO, in turn, provides a credentialing service to the hospital. In some cases, the VCO also provides direct or indirect remuneration to the hospital. This can be in the form of explicit cash payments, such as the revenue-sharing model offered by IntelliCentrics where hospitals earn up to $3 per vendor visit, or in-kind benefits like free software modules, valuable data analytics, or the absorption of administrative costs the hospital would otherwise have to bear.³⁸
3. The hospital, by mandating the use of this specific VCO, effectively refers the vendor to the VCO and, by granting access, arranges for the potential purchase of the vendor’s federally reimbursable items.

This structure can be interpreted as an illegal kickback scheme. The fees paid by the vendor to the VCO can be seen as the source of funds for the remuneration that the VCO provides to the hospital. This remuneration from the VCO to the hospital could be construed as an illegal inducement to the hospital to maintain its exclusive contractual relationship with the VCO. By maintaining this exclusive arrangement, the hospital ensures a steady stream of vendor-paid fees to the VCO and, in some cases, a return stream of revenue for itself. This pay-to-play system risks tainting the hospital’s decision-making process, steering it toward the VCO that offers the best financial return rather than the one that provides the best value, security, or efficiency.

This interpretation is strongly supported by a recent OIG advisory opinion, No. 25-08. In this opinion, the OIG reviewed a proposed arrangement where a medical device company would be required by hospitals to use and pay for a specific third-party billing software to facilitate sales. The OIG concluded that this arrangement presented significant AKS risk, noting that it “could inappropriately steer health care facilities to the Requestor over the Requestor’s competitors that do not pay for access” and that it raised “pay-to-play concerns”.⁶⁸ The parallels to the VCO model are direct and striking: in both scenarios, a vendor is required to pay a third-party intermediary for the opportunity to sell its products to a healthcare facility.

The Inapplicability of the GPO Safe Harbor

Some might argue that the financial arrangements between VCOs and vendors are analogous to those protected by the GPO safe harbor. This safe harbor permits GPOs to receive administrative fees from vendors, provided certain conditions are met, including that the fee does not exceed 3% of the purchase price of the goods or is otherwise fully disclosed in writing to the GPO’s hospital members.⁶³

However, this safe harbor is inapplicable to VCOs for several fundamental reasons. A GPO is statutorily defined as an entity authorized to act as a purchasing agent for a group of healthcare providers.⁶⁹ Its primary function is to aggregate purchasing volume to negotiate lower prices. In contrast, a VCO is not a purchasing agent. It is a compliance and access management service provider

contracted by the hospital. The fees paid to VCOs are not tied to the volume or price of goods purchased; they are flat subscription fees paid by vendors for the privilege of market access. Because VCOs do not fit the definition of a GPO, the safe harbor designed to protect GPO administrative fees does not apply to the fees collected by VCOs.

The structural differences are significant. The GPO safe harbor was created with an emphasis on transparency, requiring GPOs to annually disclose to their members the fees they receive from each vendor.⁶³ This allows hospitals to monitor the financial arrangements and ensure they are not being unduly influenced. There is no evidence of similar transparency in the VCO industry. The terms of revenue-sharing agreements and other financial benefits provided by VCOs to hospitals are not publicly disclosed, creating an opaque system that is ripe for the kind of conflicts of interest the AKS was designed to prevent. This lack of transparency, combined with the pay-to-play structure and the direct parallel to the arrangement condemned in OIG Advisory Opinion 25-08, makes the vendor-pays model a significant source of legal risk for all parties involved: the vendor paying the fee, the VCO receiving it, and the hospital benefiting from it.

Section 5: The Public Trust Doctrine: Special Legal Obligations of Public Hospitals

While private hospitals have considerable latitude in their business operations, public hospitals—as entities owned, funded, and operated by government bodies—are subject to a distinct and more stringent set of legal obligations. These obligations, rooted in principles of public trust, transparency, and fairness, provide unique legal avenues for challenging restrictive vendor access policies that may not be available against private institutions. For medical technology companies, identifying whether a target hospital is public or private is a critical first step in formulating a legal strategy, as it can unlock powerful arguments based on public procurement laws and constitutional doctrines.

The Public vs. Private Hospital Distinction

The fundamental difference between public and private hospitals lies in their ownership and funding source. Public hospitals are government-owned and are primarily funded by taxpayer money at the local, state, or federal level.⁷⁰ They often function as “safety-net” providers, with a legal or mission-driven mandate to provide care to all individuals, regardless of their ability to pay.⁷⁰ This governmental status means they are not private businesses but rather extensions of the state itself. Consequently, their actions, particularly in areas like contracting and procurement, are governed by laws designed to ensure the responsible use of public funds and prevent favoritism, corruption, and self-dealing.

Public Procurement Laws and Competitive Bidding

Nearly all government entities in the United States are bound by public procurement laws that mandate a process of open and competitive bidding for contracts for goods and services above a certain monetary threshold. The core purpose of these laws is to ensure that public funds are spent efficiently and that all qualified businesses have a fair opportunity to compete for government contracts.⁷³

State-Level Framework (Example: North Carolina)

The procurement laws of North Carolina serve as a representative example of the requirements public hospitals must follow. North Carolina General Statute § 143-129 establishes the procedure for letting public contracts. It mandates formal competitive bidding for any purchase of apparatus, supplies, materials, or equipment requiring an expenditure of $90,000 or more, and for construction or repair work of $500,000 or more.⁷⁴ The process requires public advertisement of the contract opportunity, a public opening of sealed bids, and an award to the “lowest responsible bidder or bidders”.⁷⁴

Furthermore, G.S. § 143-132 generally requires that at least three competitive bids be received before a contract can be awarded, though it provides a procedure for re-advertising if this minimum is not met.⁷⁶ These statutes create a strong presumption in favor of open competition.

Application to VCO Contracts and the “Sole-Source” Exception

An exclusive, multi-year contract between a public hospital and a single VCO for credentialing services is a procurement of services that is subject to these competitive bidding laws. If the total value of the contract exceeds the statutory threshold, the hospital is legally obligated to have awarded it through a competitive process.

The primary exception to competitive bidding is a “sole-source” procurement, which is permitted only under very narrow circumstances. State law and procurement best practices require a formal, written justification demonstrating that the desired product or service is genuinely available from only one source.⁷⁷ For vendor credentialing services, such a justification would be exceedingly difficult to make. The existence of multiple national competitors—including Symplr, GHX, and Green Security—proves that there is a competitive market for these services. A public hospital’s claim that only one specific VCO could meet its needs would likely fail to withstand legal scrutiny, especially if the decision was not supported by extensive market research and a documented, objective analysis.⁷³

This provides a powerful and relatively straightforward legal challenge. Unlike a complex antitrust lawsuit, a challenge based on procurement law is procedural. A medical device company, or any other interested party, could use public records laws to request a copy of the hospital’s contract with its VCO and all related procurement documentation. If these documents reveal that a high-value, exclusive contract was awarded without competitive bidding and without a legally sufficient sole-source justification, a lawsuit could be filed to have the contract declared void as a matter of state law.⁷⁹ Such a challenge attacks the very foundation of the exclusive arrangement, potentially reopening the market at that hospital to all qualified VCOs.

The Public Forum Doctrine and Access Rights

As government property, public hospitals are also subject to First Amendment scrutiny under the public forum doctrine. This legal doctrine governs the ability of the government to regulate speech and expressive activities on its property.⁸⁰ Government property is typically categorized into three types: traditional public forums (like parks and sidewalks), designated or limited public forums (property the government has opened for expressive activity), and nonpublic forums.⁸⁰

While the interior of a hospital, particularly sensitive patient care areas, would almost certainly be classified as a nonpublic forum where the government has broad authority to restrict access, the policies governing that access must still be “reasonable” and not based on discriminating against a particular viewpoint.⁸¹

An argument could be constructed that a public hospital’s policy of granting access only to vendors who pay a fee to a specific, private third-party company is an unreasonable restriction on commercial speech. It conditions access not on legitimate safety or security concerns—which could be met by any qualified credentialing service—but on acquiescence to an exclusive commercial arrangement. While this is a more novel and less tested legal theory than a procurement challenge, it underscores the unique constitutional constraints placed on public hospitals. Their power to control access, while substantial, is not absolute and must be exercised in a manner consistent with their role as a state actor.

The distinction between public and private hospitals is therefore a crucial strategic consideration. A legal strategy that relies solely on federal antitrust or anti-kickback law applies to all hospitals equally. However, for the significant portion of U.S. hospitals that are public entities, an entirely separate and potent set of legal tools becomes available. By leveraging the stringent requirements of state procurement law, a medical technology company can challenge the procedural legitimacy of an exclusive VCO contract, potentially invalidating the agreement and prying open a market that was previously locked by a dominant gatekeeper.

Section 6: Strategic Pathways and Recommendations for Market Access

The preceding analysis demonstrates that the consolidated vendor credentialing market, with its exclusive contracts and vendor-pays model, rests on a legally precarious foundation. For medical technology companies facing access barriers that stifle innovation and competition, this legal landscape presents several strategic pathways. An effective market access strategy should not rely on a single approach but should instead be multi-pronged, combining the targeted use of litigation with broader regulatory and legislative advocacy to address both immediate barriers and the underlying systemic issues.

Litigation Pathways: Assessing Potential Claims

Direct legal challenges can be a powerful tool to dismantle anticompetitive structures. The viability and risks of the primary legal claims are as follows:

• Antitrust Claims (Tying and Exclusive Dealing):
  • Viability: High. The factual predicate for both tying and exclusive dealing claims is strong. The structure of the hospital-VCO relationship, where access to a “must-have” hospital is conditioned on the purchase of a specific VCO’s services, fits the classic tying model. The long-term, exclusive nature of these contracts can demonstrably foreclose competition in the credentialing market. The legal theories are well-established and are being actively and successfully litigated in analogous healthcare contexts, such as the lawsuits against MultiPlan and major hospital systems like HCA/Mission Health.⁶¹
  • Risks and Costs: Very high. Antitrust litigation is notoriously complex, lengthy, and expensive. It requires extensive discovery to obtain contracts and internal communications, as well as sophisticated economic expert analysis to define relevant markets, prove market power, and quantify anticompetitive harm. Such a lawsuit is a significant undertaking best suited for a well-capitalized company, a consortium of affected vendors, or a class action lawsuit.
• Anti-Kickback Statute (AKS) Challenge:
  • Viability: Moderate to High. This is a novel but potent legal theory. The key to success would be uncovering evidence of remuneration flowing from the VCO back to the hospital, whether as direct revenue sharing (as in the IntelliCentrics model) or significant in-kind benefits.³⁸ The argument that vendor fees fund these kickbacks to induce the hospital’s exclusive mandate is compelling, especially in light of the OIG’s unfavorable view of similar “pay-to-play” arrangements.⁶⁸
  • Risks and Costs: This claim is most effectively brought as a qui tam (whistleblower) lawsuit under the False Claims Act. This provides a mechanism for a private party (the “relator”) to sue on behalf of the government and receive a portion of any recovery. This can mitigate legal costs, but it carries significant risks, including potential retaliation and the possibility that the government declines to intervene in the case.
• Public Procurement Protest:
  • Viability: High (against public hospitals only). This is arguably the most direct and cost-effective litigation strategy. The claim is not about complex market effects but about procedural compliance. The central question is simple: Did the public hospital follow state law when it awarded a high-value, exclusive contract for credentialing services?.⁷³
  • Risks and Costs: Significantly lower than antitrust litigation. The process begins with public records requests to obtain the contract and procurement file. If the file shows a failure to competitively bid without a valid sole-source justification, the legal case is strong. The remedy—voiding the contract—directly achieves the goal of opening the market to competition. This is a highly targeted and efficient legal tool.

Non-Litigation and Regulatory Strategies

Litigation is not the only path forward. Proactive engagement with regulatory bodies and legislative advocacy can address the systemic problems that enable the current market structure.

• Petitioning Federal Agencies: The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have shown increased interest in scrutinizing anticompetitive practices in healthcare, particularly those involving private equity and restrictive contracting.⁴⁰ Medical technology companies and their trade associations should proactively engage with these agencies. This involves submitting detailed complaints and white papers that provide evidence of how VCO market consolidation and exclusive dealing practices are:
  1. Foreclosing competition in the credentialing services market.
  2. Creating barriers to entry for innovative medical device companies.
  3. Ultimately harming patient care by slowing the adoption of new technologies.

This can prompt a federal investigation, which carries more weight and resources than a private lawsuit.

• Advocacy for Standardization: The lack of a uniform, portable credentialing standard is a root cause of the VCOs’ market power. Supporting industry groups like the Consortium for Universal Healthcare Credentialing (C4UHC) in their efforts to promote the adoption of American National Standards Institute (ANSI) standards for vendor credentialing is a critical long-term strategy.⁵ If hospitals were encouraged or required to accept any credential verified by a service that meets a national standard, the network-effect monopolies of the dominant VCOs would be broken. Vendors could choose from multiple competing credentialing services, fostering price competition and innovation.
• State-Level Legislative Action: State legislatures can be a powerful venue for reform. Lobbying efforts could focus on two key objectives:

• Mandating Open Access for Public Hospitals: Propose legislation that explicitly prohibits public hospitals from entering into exclusive contracts for vendor credentialing services and requires them to accept credentials from any VCO that meets baseline state or national standards.
• Regulating VCO Business Practices: Advocate for laws that regulate the vendor credentialing industry directly. This could include placing caps on the fees VCOs can charge, prohibiting revenue-sharing agreements with hospitals, and mandating transparency in their financial arrangements. The “Preserving Competition in Healthcare Act” proposed in North Carolina, which seeks to give the Attorney General oversight of hospital mergers, serves as a model for how states can legislate to protect healthcare competition.⁸⁵

Contractual Negotiation and Risk Mitigation

While pursuing broader changes, vendors must also manage their current reality. This includes:

• Scrutinizing VCO Agreements: Before signing, legal counsel should carefully review all terms and conditions, paying close attention to liability waivers, data privacy clauses, and any provisions that waive the right to participate in class-action lawsuits.⁸⁸
• Documenting Harm: Meticulously document every instance of denied or delayed access, the fees paid to each VCO, and the associated costs and lost business opportunities. This record is invaluable for building a damages model in any future litigation.
• Direct Engagement with Hospitals: Approach hospital supply chain and clinical leadership directly. Frame the issue not as a complaint about fees, but as a barrier to patient care. Present a clear case that their exclusive VCO arrangement is preventing them from evaluating and adopting a superior or more cost-effective technology that could improve patient outcomes or reduce overall costs.

In conclusion, a multi-pronged strategy is essential. No single approach will dismantle the entrenched market structure of vendor credentialing overnight. The most effective path forward involves using the immediate and targeted threat of litigation—particularly procurement challenges against public hospitals—as leverage to open specific doors, while simultaneously engaging in long-term regulatory and legislative advocacy to reform the underlying market dynamics. By pursuing these parallel paths, medical technology companies can work to ensure that market access is driven not by the ability to pay tolls to powerful gatekeepers, but by the innovation and clinical value they bring to patients.