What is vendor credentialing?
It wasn’t until the mid-2000s that vendor credentialing became common practice. Prior to this, access to hospitals and facilities was fairly lax. Non-employees, such as vendors and their representatives, were able to access buildings, healthcare staff, and at times even sensitive patient information if records were present in communal areas.
Over the years, state and federal regulations have become stricter and regulations designed to protect patient privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), have become commonplace. In light of this, measures such as vendor credentialing have become an important component of patient privacy, safety, and hospital security.
Vendor credentialing is the process which companies use to ensure that any non-employees, such as vendors, have the necessary training and appropriate background required to access their facilities. Individuals who work in healthcare staffing, pharmaceutical, and medical supply companies are typically required to undergo vendor credentialing. Other individuals who frequent facilities such as delivery drivers, construction workers and contract laborers must also adhere to these requirements.
When facilities began to understand the importance of the privacy and security of their people and information, they began to establish their own policies which required credentials for any non-employees who required frequent access. Implementing vendor credentialing requirements allowed healthcare organizations to establish and maintain the same standards through their various locations. There is no official federal standard, and at times these requirements can differ slightly depending on the organization. However, several organizations have influenced vendor credentialing standards and requirements, such as The Joint Commission, Centers for Disease Control and Prevention (CDC), The American College of Surgeons (ACS) and The Consortium for Universal Healthcare Credentialing (C4UHC).
C4UHC is working to establish a national standard. They have collaborated with various healthcare industry leaders to create the American National Standard for Supplier Credentialing in Healthcare (ANSI). The hopes of creating such a standard are that if adopted, standardized requirements will be met while decreasing the amount of duplication and repetitive services.
“The mission of C4UHC is to promote the common business interests of organizations connected with the healthcare industry in order to create and advance American National Standards for a streamlined healthcare credentialing process, which will protect patient safety and confidentiality, eliminate duplicative efforts and costs, and meet the needs of both healthcare providers and suppliers”
Who is involved in vendor credentialing?
Building a successful vendor credentialing program requires participation from multiple teams. Healthcare organizations, vendor credentialing organizations (VCOs), and the vendors themselves all have a role to play.
Healthcare organizations such as hospitals, and long-term care facilities are responsible for instituting and managing compliance standards. Facilities have two options for credentialing processes: enlist the help of a VCO or leave the responsibility in the vendors’ hands.
In order to obtain the appropriate records, a VCO can service and collect records on behalf of vendors and employees. When using a VCO such as Vendormate, SEC3URE Ethos (formerly known as Reptrax), or Symplr, they refer to the individual compliance standards of a facility to determine an appropriate vendor credentialing program. They then implement a process of gathering the necessary data and records for any vendor or representative who requires access to a facility. This typically includes verifying a vendor’s credentials and vaccination status, as well as collecting the results of lab tests, drug screens, and background checks. VCO’s collect this data and make it available to healthcare organizations using secure information technology applications, which can then be used to determine the appropriate access for vendors. After the data is collected, badges are made available either as secure digital badges, or to be made available at locations such as kiosks in the facility.
If a facility forgoes partnering with a VCO, vendors are responsible for the same process. They will have to schedule their own services, conduct record retrieval and provide the appropriate data directly to healthcare organizations for badging.
Typical vendor credentialing process
A. VCO participation
Some facilities choose to have their own employees check the credentials of vendors trying to access their facilities, however the majority partner with a vendor credentialing organization.
B. Check in locations
Convenient locations are set up as access points for vendors to check in such as kiosks.
C. Vendor information verification
Confirmation that vendor information has already been submitted to the VCO. This can typically be done via database or application.
D. Approval
Approval of vendors as properly credentialed.
E. Badge Access
When vendors are approved as properly credentialed, they are given a temporary badge to allow them limited access. There are often three types of access:
No Access to Clinical Areas: These vendors don’t provide technical assistance to healthcare providers, and do not need to consult with the healthcare providers.
Access to Clinical Areas: These vendors may need to consult with the healthcare providers or offer technical assistance.
Access to Patient Care and/or Restricted Areas: These vendors oftentimes support healthcare providers during a patient procedure with specific medical equipment or technology.
F. Compliance monitoring
Vendors' credentials will need to be continually monitored to ensure they remain in compliance.
What are the typical facility requirements for vendors?
While it's not a legal requirement to undergo vendor credentialing, it's practically a necessity for anyone working in the medical industry. According to the American Hospital Association, over 90% of healthcare facilities now require some form of vendor credentialing prior to gaining access. Each healthcare organization may have some variation regarding what is required of their vendors. Some common requirements are:
- Employee Verification (e.g., Employment and Education)
- Supplier Representative / Visitor Data (e.g., Date of Hire, Tier Level, Job Title, Badge Photo)
- Vaccine Records (e.g., MMR - Measles, Mumps, Rubella, Chickenpox - Varicella, Hepatitis B, TDAP, Influenza)
- Titer Testing (e.g., MMR Measles, Mumps, Rubella, Chickenpox - Varicella, Hepatitis B)
- Drug Screening (e.g., 10 Panel Urine Drug Screen)
- Tuberculosis / TB Testing (e.g., PPD Skin Test or Blood Test)
- Background Checks, Refreshed Every 5 Years (e.g., Criminal, Sex Offender and County, Statewide and Federal Level Searches)
- Annual Healthcare Sanction Checks (e.g., Global Sanction Searches and Office of Inspector General Exclusion Lists)
- Liability Insurance
- Various, Specific Medical and Safety Procedure Trainings (e.g., Bloodborne Pathogens, Fire Safety Awareness, HIPAA certifications)
Issues prevalent in vendor credentialing
One of the largest issues that occurs with vendor credentialing is the lack of standardization. Inconsistent requirements can lead to delays if vendors are trying to access new facilities with different credential requirements. Healthcare organizations are growing larger and larger as time goes on. For some, facilities within these networks can be scattered across different states. If each facility has different credentialing requirements, their staff may not be prepared to travel from facility to facility. Obtaining the appropriate set of credentials to access a facility could take weeks. If there is an emergency, this delay could affect patient outcomes.
Additionally, there is no central repository for credentials. If you utilize a particular VCO, not all facilities may have access to your data. Each facility stores credentialing information without a standardized guideline for how this information is secured. In 2021 alone, more than 550 organizations have reported healthcare data breaches. While these data breaches may not have been focused entirely on vendor information alone, it does highlight the vulnerability of not having a secured and singular vendor credentialing database.
What is the importance of vendor credentialing (in a post-COVID era)?
Vendor credentialing and adaptability have been put to the test over the past two years. Vendor credentialing has become an even more dynamic, evolving component of occupational safety during the COVID-19 pandemic. Many interactions had to quickly shift from what was once in person, or one-on-one, to a more digital or automated process. Services such as respiratory fit testing, COVID-19 testing, and vaccinations all had to be performed concurrently to the previously established requirements of many facilities.
The COVID-19 pandemic has proven that for healthcare facilities to safely provide services, everyone associated with the facility must be following the appropriate guidelines. With many hospitals and facilities experiencing an influx of patients at an alarming rate, vendors oftentimes would be in close contact with these individuals. Vendor credentialing is critical in preventing the introduction of further complications for at-risk patients. These requirements ensure that everyone is prepared, able to perform their jobs safely, and maintain the safety of the facilities’ patients.
Healthcare facilities have worked tirelessly to integrate policies issued by the CDC, and local governments into their own. Social distancing, masking, and COVID-19 symptom screening policies have all been introduced to mitigate further infections. While these changes were instituted in light of the pandemic, it is likely that they will remain as a post-pandemic norm.
Best practices of vendor credentialing
Create a compliance culture
Compliance culture requires buy-in from your entire staff. From organization directors, to staff, to vendors- everyone needs to be on the same page. Facility standards and vendor credentialing requirements should be uniform, well documented and communicated often. By doing so, employees and non-employees alike will have a road map to follow and can easily identify non-compliance or issues as they arise.
Be flexible to changing guidelines
If COVID-19 has taught us anything about Vendor Credentialing it is that guidelines can change, and will change, quickly. It is important to be familiar with the regulations. “Health systems, hospitals and PAC providers must comply with 629 discrete regulatory requirements across nine domains. These include 341 hospital-related requirements and 288 PAC-related requirements. The four agencies that promulgated these requirements – the Centers for Medicare & Medicaid Services (CMS), the Office of Inspector General (OIG), the Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) - are the primary drivers of federal regulation impacting these providers.”
Standardize where you can
There is a push for a national standard. Healthcare industry members have come together as The Consortium for Universal Healthcare Credentialing. By following their guidelines as an example, you can then standardize across facilities. Each facility in your organization should follow and enforce the same credentialing requirements. When determining requirements, the scope of each facility should be considered.
Strive to improve… constantly
Compliance is a marathon, not a sprint. Leaders need to commit to continued education, investment in training, and monitoring regulation changes and industry standards. As industry standards and public health circumstances evolve, so must vendor credentialing.
Getting Started
NMS Health's service is designed to make the screening process simple and less time consuming for your hiring teams. With a large network of clinics, labs, and pharmacy partners, we've got coverage in all 50 states!
Learn more about how you can get started today.
Sources:
https://www.aha.org/sites/default/files/regulatory-overload-report.pdf
https://healthitsecurity.com/features/this-years-largest-healthcare-data-breaches