I just attended my first HCCA Compliance Institute and, wow, what an eye opener. The energy was palpable, and the diversity of attendees in terms of roles, responsibilities and organizational size was more than I had expected.
I decided to attend because of the breadth of breakout sessions on topics related to vendor management. Our firm is experiencing a growing interest in vendor management from health plans and health care organizations. The Compliance Institute provided an excellent opportunity to hear perspectives on a variety of topics that are unique to the industry.
As I reflected on what practical insights to share about my experience, I identified two themes that stood out to me and that I think are applicable to all health care organizations.
1. Vendor Management is an Evolving Discipline in Health Care
Vendors were an important topic across several sessions I attended, including those on HRSA audits, Business Associate Agreements and First-Tier, Downstream and Related Entity (FDR) Vendors. It is clear that vendors permeate the ecosystem of every health care organization.
So it’s only natural, then, that vendor management is evolving from a pure “compliance issue” to an actual “business discipline” that focuses on cost control, risk mitigation, performance management and, of course, compliance. Health care organizations are rethinking how vendor management is approached, and where it should live on the org chart. They are also discussing how to bring all of the stakeholders together to tackle vendors in a more holistic way.
2. Cybersecurity is Driving the Current Conversation.
Cyber is a growing area of risk in every health care organization, and vendors are an integral part of the risk discussion. As I learned in the breakout session “Study of 1000 Vendor Practices,” a 2016 Data Security Incident Response Report showed that roughly 15% of all data incidents were caused by third party vendors. And with cybercrime on the rise, it’s reasonable to think this number will only increase over time.
Covered Entities can’t pass the buck when problems happen. HIPAA requires organizations to assess the risk to a breach of PHI wherever it is created, received, maintained or transmitted, and to put measures in place to safeguard the information. Integrating vendor oversight into this process was a theme across many conversations.
Informative sessions. New learnings. And a well-organized conference. Thanks to HCCA for a great first experience!
Tom is Founder & CEO of Vendor Centric, a consulting firm that helps organizations adopt a risk-based approach to vendor management. Connect with Tom on LinkedIn or drop him a note at firstname.lastname@example.org.