In a culture largely focused on consumer protection, the layers of red tape and bureaucracy regulating industry and public services seem a mile thick. Federal and state governments have become increasingly concerned with consumers’ rights in recent years. The continuous introduction of new products and new technologies brings new challenges to this arena every year.

A smorgasbord of state and federal regulatory organizations oversee consumer protection, regulating everything from air travel and financial services to food safety and water quality. Hospitals are a consummate microcosm of this regulatory craze, with state and federal laws and internal protocols designed to keep patients safe, from the care they receive to the people they come into contact with during a hospital stay. It is this second layer – protecting patients from the people that pass through the hospital – that has become a hot button topic in the last few years.

A new beast has been born out of hospitals’ desire to prove that every person a patient comes into contact with is safe and regulated: the vendor credentialing company. These companies help hospitals investigate the vendors that call on their departments, providing official visitor badges and scrutinizing the financials of the hospital’s supply chain.

Hospitals are regulated, accredited, and screened for compliance by a host of organizations, from HIPAA and the Centers for Medicare and Medicaid Services (CMS) to the Commission on Accreditation of Rehabilitation Facilities (CARF), the Healthcare Facilities Accreditation Program (HFAP) and a number of other organizations. Hospitals’ risk and liability concerns become more imminent when a vendor enters a patient care area, because a hospital can’t control which representatives any given equipment or supply vendor sends in for sales or service. But if the hospital requires vendor compliance with a credentialing company, the hospital’s liability is immediately reduced and someone else is responsible for ensuring the safety of those who enter in.

There are myriad questions that fall under the vendor-credentialing umbrella, all of which relate in some way to patient safety and hospital liability. Among them: Are sales representatives qualified to train physicians on new products or equipment? Is a person entering a hospital carrying a communicable illness? Have background checks been performed on vendor representatives? Is a supplier financially viable and able to fulfill all contracts?

These and other questions can be answered for the hospital by a vendor credentialing firm. Those vendors that meet the hospital’s criteria will be awarded a badge by the credentialing firm. The policies enforced by credentialing firms are the hospital’s policies, protocols and standards and not those of the credentialing firm, so they vary from facility to facility. The credentials that get a vendor rep into one hospital won’t necessarily get him or her into another.

The Vendor Perspective

Meanwhile the forums are rife with complaints and banter on the subject. Questions abound: Will an old misdemeanor hinder a vendor’s career? Why don’t patient’s families undergo the same scrutiny? If the hospital requests a site visit from a vendor regarding a potential acquisition, does the vendor need to pay the fee? If a vendor is new to the hospital, will they have to pay the entire annual fee like companies that do business with the hospital? If the vendor is a registered sex offender, is this detected? What if a vendor representative does not have a college degree? Does this matter?

The complaints against vendor credentialing companies generally revolve around the restriction they impose to doing business. The other complaint is that the cost of doing business has been increased substantially, sometimes imposing an undue burden on many vendors, especially when requirements vary from one facility to the next. There are also concerns about the accuracy of historical information or the severity of a past offense that might disproportionately affect a vendors business.

The complaint about cost generally revolves around economies of scale. The fees impact smaller companies more than large corporations, impeding some vendors from providing their services to hospitals. Small business owners point out that the national credentialing firms benefit manufacturers while imposing a prohibitive cost on small businesses.

The president of one biomedical service provider, who preferred not to be identified, explained. “Often times the smaller less profitable companies are local and can provide better more personalized sales and services for less than what they are used to paying,” he said. “The cost is prohibitive because we are required to register every employee and pay for them separately.”

Some vendors say the services were initially presented as free to vendors, with only a questionnaire as a requirement. But since then, additional layers of complexity have been added. For example, some hospitals require that every vendor who visits the OR takes an OR protocol class. The class adds an additional fee of $60 to $130 per person.

And as more health care organizations have added the vendor credentialing requirement, the business has grown, giving hospitals more firms to choose from. But different firms require different credentials and separate fees, adding to the vendors’ cost of entering the hospitals where they once freely conducted business. The time and financial investment for a small firm today is a major burden, vendors say.

Vendors have also pointed out the inconsistencies of the treatment of vendors versus hospital staff or even patients and their visitors. “Why is the vendor required to have an up-to-date flu shot, but staff can often skirt this requirement?” one vendor asked.

The Credentialing Firm Perspective

Two leaders in the vendor credentialing industry are Vendormate and Reptrax. Vendormate, an Atlanta- based company, offers its customers a product called VISION. The product is designed to meet the hospital’s internal protocols, as well as HIPAA and requirements of the Deficit Reduction Act and Sarbanes-Oxley. John Harper, vice president of marketing at Vendormate, was contacted for this article. "Our goal is to create transparency between the hospitals (and their requirements) and the vendors (and their ability to meet the requirements).” “We continually push our hospital customers to define reasonable requirements that reflect the fact that all vendors are not the same," says Harper. The VISION product includes “integrated badging tools” and is designed to aid “risk management, ethics, legal, contract management, executive management, and procurement.” Vendormate classifies vendors into risk categories. The company charges one fee per vendor based on tax ID, according to their website. Vendormate lists several components that require monitoring, including CDC immunization recommendations, Joint Commission tracers, HIPAA education and unauthorized sales and purchases. “You need to know who is in your halls to manage patient safety and control expenses,” the website says.

Vendormate has a vendor support page on its website where vendors can ask questions. Reptrax, which merged with VendorClear in June 2010, describes itself as a web-driven software service.

Reptrax declined an interview for this article. Reptrax says they charge no fees to the hospitals they serve. The cost of the program to a hospital includes “no charge base memberships for 100 percent of your vendor population,” according to the company’s website. The client hospital decides which vendors, based on category, are required to upgrade to their $150 universal membership. The universal membership covers any of the hospitals that contract with Reptrax.

The FAQ page also states that Reptrax has 6,500 vendors in their database and that they do “100 percent of the document management.” That removes the hospital from the process. While much of the emphasis on credentialing company websites is geared towards business development, the Reptrax website also has a page that specifically addresses vendor questions. The page says that all vendors who sign up with Reptrax receive “a no charge, no commitment Base Membership.”

Once a vendor has a Reptrax membership, they don’t have to pay separately for each Reptrax hospital. But the distinction between a base membership and premium membership is an important one. Reptrax allows each client hospital to determine if the vendor is required to submit their credentials to Reptrax. If this is the case, then the vendor is required to pay to upgrade their membership status to a “premium account.”

Reptrax further states that the credentials required are all a product of the hospital’s policies. They include vaccinations, training documents and insurance, along with any custom requirements developed by a hospital as vendor credentials.

A Provider Perspective

Eddie Acosta, a clinical systems engineer for Kaiser Permanente, supports Vendormate’s procedures. “The facilities I support use Vendormate,” he says. “When the vendors are working or presenting their products, they are part of our operations. So to be compliant, they must meet our standards, policies and recommendations. Vendormate presents our policies, tracks each representative’s acknowledgment, communicates our expectations and documents their acceptance of law, disclosures, gifts and entertainment policies. They get full business background checks, review watchlist clearances, State sanctions and also finance reviews.”

Acosta says he appreciates Vendormate’s health and education requirements. “The vendors also create unique exposure, so CDC immunization, Joint Commission recommendations, and HIPAA education are all documented,” he says.

The Healthcare Industry Supply Chain Institute (HISCI) has sponsored studies exploring the issue of vendor credentialing. In a study published in December 2010i, the organization researched the true costs to the vendors. The researchers ran into a couple of problems during the course of their investigation: vendors did not always track costs, and when vendors did track costs, there was little consistency in the methods across vendors.

The study found that while vendors knew the fees they paid to credentialing companies, they did not track all of the ancillary expenses that originated from the credentialing requirement and that often create the bulk of the expense to vendors. Ancillary expenses might include immunizations, training courses or the cost of obtaining background checks, as well as additional burdens placed on the vendors’ HR departments in initial hiring.

Another cost the study discovered was that one vendor may have to deal with several credentialing firms. The firms require redundant information, but not from the same source. This means that fees are paid more than once for the same final product. The study’s sample included interviews with only nine vendors. The total cost of credentialing among the vendors surveyed ranged from $4350 to $6 million, depending on the firm’s size.

The credentialing companies point out why the practice came to fruition in the first place. In an articleii authored by VendorMate’s VP of Marketing, John Harper explains what prompted the need for the new industry. Harper argues that there are two primary drivers that were the impetus for the emerging trend: the need of providers to deliver quality patient care, and the need for “controlling medical costs and improving the return on medical dollars.”

Those organizations that define quality patient care, according to Harper, can range from The Joint Commission to The Association of periOperative Registered Nurses and the American College of Surgeons. He also cites the CDC as another organization concerned about those who may be in a “procedural area.”

The financial players include government “payers” like Medicare and Medicaid. These organizations have a vested interest in the potential for waste or fraud, requiring transparency and the “appropriateness of vendor activities and payments.” In support of this contention, Harper points to the potential liability providers face from the Department of Health and Human Services Office of Inspector General (HHS/OIG). The government agency has rules that prohibit hospitals from making payments to “anyone who employs or contracts with an excluded party.” With substantial monetary penalties, hospitals have to track these excluded parties from a list that can change monthly.

The article also points out problems that can occur in the supply chain if a vendor has to declare bankruptcy. Some might find a cynical irony in the view, but the problem can exist if the provider only checks the vendor’s credit at the time a contract is signed.

The article compares risk management as it is practiced in the financial services industry and in health care. Indeed a comparison can be drawn. Financial services companies practice risk management internally to protect themselves from litigation and damage to their brand. They also practice risk management, in concert with regulatory agencies, to protect the investing public.

In October of 2010, one credentialing firm, VeriREP formed a Vendor Credentialing Task Force to bring the three players in the discussion together in a kind of summit. In the end, they determined that there was agreement in a few areas. Attendees agreed that third-party credentialing was necessary, that some information is imperative and that industry-wide standardization is needed. Meredith Young, Executive Director of HISCI, says the task force will meet every other month this year and that the next summit is tentatively planned for this summer.

The Joint Commission does not take a position on vendor credentialing but does have standards that relate to patient care. Their website refers visitors to the AdvaMed (Advanced Medical Technology Association) website for more details.

Some parallels can be drawn between the client of a financial service organization and a patient in a hospital. The client of a national brokerage firm or credit union trusts the institution to protect their interests and provide them with competent advice. A patient in a hospital does not go there thinking that their health will be further compromised or that their personal health information will fall into the wrong hands. Regulatory agencies and government agencies protect both patients and investors in the public interest. They do this through the enforcement of laws such as HIPAA, which addresses the security of private health data, or the Securities Act of 1933, the first major federal legislation to regulate the sale of securities, passed after the stock market crash of 1929.

Though both vendors and hospitals agree that patient safety is a top priority, the debate over vendor credentialing will not end soon. Smaller vendors will continue to see the credentialing firms as an impediment to doing business, especially as more companies are entering the vendor-credentialing arena and the industry grows. This type of service is unlikely to fade away, however, as hospitals generally welcome their offerings in favor of reduced liability and regulatory compliance. For the independent service organizations, the costs will continue to be a burden.