Healthcare organizations rely heavily on third parties to fulfill their missions. Third parties may be represented as suppliers, vendors, contractors, or other individuals or organizations who provide a service or product to a healthcare entity. Working with these parties offers numerous strategic and financial advantages for healthcare entities, allowing them to enlist external resources and expertise that would otherwise be significantly more costly for a healthcare entity to provide itself. The use of third parties is increasing considerably in the healthcare industry, and compliance professionals need to apply appropriate risk management principles to this area. Recent world events have demonstrated the fragility of relying on third parties and the impact they can have on a healthcare entity.
Healthcare entities are required to comply with all federal, state, and local laws, even if a third party conducts the underlying processes. Third parties are typically not owned or operated by the healthcare entity. This separation of ownership and control limits the healthcare entity’s ability to ensure compliance with all laws and regulations. If not managed effectively, this could create increased compliance risk to the organization.
The compliance risk of using third parties
Enlisting the assistance of third parties creates a host of potential compliance risks. Generally, third parties are not part of the healthcare entity. They are hired from the outside with minimal awareness of the healthcare entity’s policies, culture, norms, and values. Some third-party relations are with individuals in foreign countries, which may introduce language or cultural disparities, and those individuals may operate under different local and national laws. There may also be a question of loyalty to the healthcare entity and its goals. Third-party relations are often focused on short-term opportunities, which means the third party may not be invested in the long-term good of the healthcare entity. Third parties are generally for-profit entities, which means they may be motivated to increase revenues and cut costs. Such a business philosophy may reduce or eliminate key controls and place compliance as a lower priority.
Compliance risk created by third parties comes in many forms, including compliance with federal and state laws and regulations, privacy laws including business associate arrangements, security laws governing confidential data exchange between parties, Stark and anti-kickback laws related to financial relations with physicians, billing laws governing the processing of claims, licensure and accreditation laws governing appropriate credentialing of clinical and nonclinical licensed professionals, and business relations with foreign countries. If third parties are not compliant with the host of laws a healthcare organization must comply with, the third-party relationship, directly or indirectly, extends that compliance risk to the healthcare entity. In many cases, third parties are enlisted as an extension of the healthcare entity itself and are likely required to abide by the same compliance obligations. Examples of potential risk areas might include temporary workers who are not properly trained on compliance requirements, IT software that creates unintended billing errors, or confusion around which entity is required to notify affected patients if their protected health information is breached.[1] Such risks create direct compliance liability for an organization.
The following are some suggested approaches to managing compliance risk within a healthcare entity. This process may benefit from the assistance of other areas of the healthcare entity as compliance risk may manifest itself in various functional areas such as information security, recruitment, business development, or physician contracting.