The VC syndicates have a sales pitch to hospitals: complying with federal laws and accreditation organizations is enormously complex, and failure to do so exposes them to significant risk. This is a tough job that only the VC syndicates can handle. What exactly are hospitals required to do?
What we know…
While there is no single federal or state law that explicitly lists a uniform set of credentialing requirements for all vendor representatives, hospitals are effectively required to mandate background checks, drug tests, specific training, and other documentation due to a powerful combination of federal regulations, accreditation standards, and institutional liability.
The requirements are not driven by a single statute but by a framework of rules and standards that hospitals must follow to operate, receive payment, and protect themselves from legal risk.
The Regulatory and Accreditation Framework
The mandate for vendor credentialing stems from several interconnected sources:
- Department of Health & Human Services (HHS) Office of Inspector General (OIG): This is the most direct federal driver. The OIG maintains a List of Excluded Individuals/Entities (LEIE). Any hospital that bills Medicare or Medicaid is prohibited from contracting with or paying any vendor (company or individual) on this list for services that are ultimately reimbursed by a federal healthcare program.
- The Consequence: A violation can lead to significant Civil Monetary Penalties (CMPs), potentially up to $10,000 for each item or service provided by the excluded vendor, plus an assessment of up to three times the amount claimed. To avoid these penalties, the OIG advises that healthcare providers screen all employees and vendors against the LEIE monthly. This makes exclusion screening a mandatory compliance activity.
- The Joint Commission (TJC): As a primary hospital accreditation organization, TJC’s standards are critical. To receive payment from the Centers for Medicare & Medicaid Services (CMS), hospitals must meet federal Conditions of Participation (CoPs), and TJC accreditation is a key way to demonstrate this compliance. While TJC does not have a specific chapter on “Vendor Credentialing,” its standards effectively require it:
- Environment of Care (EC.02.01.01): Requires hospitals to know who is in their facility, why they are there, and what they are doing.
- Human Resources (HR.01.0.01, HR.01.06.01, HR.01.07.01): Requires hospitals to address the qualifications, competency, and performance of any non-employees who have a direct impact on patient care.
- Infection Control (IC.02.01.01): Mandates that infection control precautions are implemented, which extends to vendors who may be in patient care areas.
- State Laws and Regulations: While states do not have uniform vendor credentialing laws, they do have regulations that influence hospital policies. These can include professional licensure requirements, public health codes regarding immunizations, and specific rules for providers participating in state Medicaid programs. For example, Florida has been expanding its background screening requirements for all licensed health care practitioners. The responsibility for setting specific vendor policies, however, remains with the individual healthcare organization.
Common Credentialing Requirements for Vendors
Driven by the need to comply with the framework above and to mitigate risks to patient safety and data privacy, hospitals have established a fairly standard set of credentialing requirements for vendors, especially those providing clinical support. These typically include:
- Background Checks: Comprehensive criminal background checks are standard to ensure patient and staff safety. These often include searches of felony and misdemeanor convictions and sex offender registries.
- Drug Screening: A 10-panel drug test is a common requirement for vendors who will be in clinical areas.
- Compliance and Safety Training: Vendors must provide proof of training on key regulatory and safety topics.
- HIPAA: Annual training is required to protect patient privacy and data security.
- OSHA: Training on workplace safety, including bloodborne pathogens, is essential.
- Infection Control: Vendors must be knowledgeable about facility-specific protocols to prevent the spread of illness.
- Health and Immunization Records: To protect vulnerable patients, vendors must provide proof of immunity or vaccination for diseases such as MMR (measles, mumps, rubella), hepatitis B, varicella (chickenpox), Tdap, and influenza. A current tuberculosis (PPD) test is also standard.
- Insurance and Legal Documentation: Vendors must carry adequate insurance, including professional and general liability coverage, and provide documentation like valid business licenses and signed confidentiality agreements.
In conclusion, while no single law dictates these specific requirements, the combined pressure from federal payment regulations (HHS/OIG), accreditation standards (The Joint Commission), and general liability concerns makes it a necessity for hospitals to enforce a comprehensive credentialing process that includes background checks, drug tests, and extensive documentation for all vendors accessing their facilities.
