Betsy Wade (bwade@signaturehealthcarellc.com) is the Chief Compliance and Ethics Officer at Signature Healthcare in Louisville, KY.
As healthcare providers continue to outsource functions such as health information management, information technology, revenue cycle, and others, it is important for compliance officers to be involved not only in the due diligence process but also in the ongoing compliance effectiveness assessment of third parties that contract with their healthcare providers.
The Office of Inspector General (OIG), in conjunction with the Health Care Compliance Association (HCCA), recognized the importance of third-party risk management in 2017 when it published Measuring Compliance Program Effectiveness: A Resource Guide.[1] The Department of Justice (DOJ) Criminal Division followed suit three years later with updates to its Evaluation of Corporate Compliance Programs that focused extensively on third-party oversight.[2]
The OIG and HCCA guidance for evaluating compliance effectiveness of third parties includes, but is not limited to, recommendations such as:
- Ensuring all vendor contracts have consistent compliance language,
- Determining whether background and sanction checks are conducted in accordance with laws and regulations and prior to contracting,
- Monitoring the government sanction lists for excluded parties and ensuring the organization does not contract with one,
- Ensuring due diligence is conducted prior to contracting,
- Determining whether third parties have documented evidence of compliance training as well as orientation to the code of conduct and compliance policies, and
- Including in the contract the right to audit the third party to ensure compliance with its obligations.
The June 2020 update to the DOJ guidance specifically called for compliance programs to assess their organizations’ third-party relationships with appropriate due diligence as well as ongoing monitoring through updated due diligence, audits, and/or annual compliance certifications by the third party.
The DOJ guidance prompts compliance officers to review whether:
- Third-party management is integrated into current processes;
- Controls are in place to ensure the company has appropriate business rationale to use third parties and that contracts describe services to be performed and payment is commensurate with the services to be rendered;
- The company weighed compensation against compliance risk, has contractual rights to audit third parties, and educates third parties about compliance risks and how to manage them;
- The company follows up and addresses red flags identified during due diligence; and
- The company tracks third parties that do not pass due diligence or are terminated and what steps are taken to ensure they are not rehired in the future.
In its guidance, the DOJ said, “a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to ‘detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.’”