How Should I Conduct Due Diligence for Vendors and Business Associates?


In the last blog, you used a Business Associate Decision Tree to determine whether your vendors are business associates (BAs) under HIPAA. But good vendor management begins before you enter a contract with a third party. Before hiring a vendor, you must exercise due diligence. This blog explains what due diligence is and how pre-contract surveys and exclusion searches can give you peace of mind about your vendors.

What is Due Diligence?

Due diligence is the care you exercise before entering an agreement or contract with another party. It is sometimes a legal obligation, but more often it means voluntarily investigating the other party through a survey, audit, or other method. The goal is to make sure the vendor you want to contract with is solvent, operating legally, and trustworthy.

Due Diligence and HIPAA

According to HIPAA, a signed business associate agreement (BAA) is the only required due diligence. The U.S. Department of Health and Human Services (HHS) established the BAA as a legal document to use in conjunction with a service level agreement or contract (more about contracts in the next blog).

Strictly speaking, a BAA between your organization and a vendor counts as due diligence. However, it may not be enough when the rubber hits the road. In a recent survey, 44% of respondents (250 companies) had experienced a data breach at the hands of a vendor. CVS Pharmacy experienced this last year, when one of its business associates negligently mailed PHI to the wrong individual. This incident breached the data of 41 patients.

Unfortunately, vendor breaches are all too common. Signing a BAA means a BA has agreed to safeguard PHI, but the BA may not have the policies, procedures, or work environment to back up that agreement. The result is BAs violating their agreements and causing breaches.

Recognizing this danger, most healthcare organizations now extend their due diligence beyond the BAA. So, if you’re relying on your BAAs, you are most likely not doing enough. You must make sure your BAs can and will meet HIPAA security requirements.

Is a Pre-Contract Vendor Survey Part of Due Diligence?

Many organizations ask their vendors to complete security audits or surveys before negotiating a contract. These surveys look “under the hood” to see whether the vendor will meet your organization’s needs and security expectations. Though not a due diligence requirement, a pre-contract security survey is a smart precaution and is becoming an industry standard.

Pre-contract survey questions often center around these key issues:

  • Identity: Is the vendor who they claim to be? Or do they misrepresent themselves?
  • Finances: Are they financially sound? Or do they have outstanding debts or weak revenue streams?
  • Reputation: Are they regarded well by other business partners and customers? Or do they have a bad reputation?
  • Geography: Is the vendor located in a potentially vulnerable area? Where will they house your data?

Additionally, you should gauge their HIPAA security posture with questions like:

  • When did you last complete a security risk analysis?
  • When was the last time you trained your employees on HIPAA?
  • What security safeguards do you have in place to protect ePHI?
  • Do you have policies and procedures in place, and are employees following them?

Security is not only a HIPAA issue; it’s a business issue. You should understand how your vendor will prevent unauthorized access to your data. Remember, your PHI is your responsibility. Though a pre-contract survey isn’t a rule, it’s a common due diligence practice in the industry. Besides, it’ll give you peace of mind to know your vendor will handle your data with care before you entrust it to them.

What is an Exclusion Search, and Should I Conduct One?

Another smart due diligence practice is to conduct an exclusion search. In an exclusion search, you determine whether the vendor in question has been excluded from participating with federal healthcare organizations. An exclusion is a red flag: it indicates that the vendor has engaged in illegal or fraudulent behavior. Therefore, exclusion searches are a wise measure to take before contracting with a BA.

Here are four exclusion lists to consider:

1. List of Excluded Individuals and Entities (LEIE)

The Office of Inspector General provides the LEIE. Individual providers and entities on this list can’t receive payment from any federal healthcare program for any items or services they furnished, ordered, or prescribed. They may remain on this list for five to 10 years or longer.

Individuals or entities are placed on the LEIE for several reasons:

  • Medicare or Medicaid fraud
  • Patient abuse or neglect
  • Felony convictions for healthcare-related fraud, theft, or other financial misconduct
  • Felony convictions for unlawful manufacturing, distribution, prescription, or dispensing of controlled substances

If you enter a contract with an individual or entity on the LEIE, the government will likely issue a civil monetary penalty to your organization.

Additionally, some States maintain their own exclusion lists (pursuant to 42 CFR section 1002.210 or State authority). A State’s list includes individuals or entities the State has barred from participating in State government programs. You should check your State’s exclusion list alongside the LEIE.

2. Centers for Medicare and Medicaid Services (CMS) Preclusion List

This list includes prescribers, individuals, or entities CMS has precluded from receiving payment for Medicare Advantage items or services or Part D drugs furnished or prescribed to Medicare beneficiaries. Prescribers, individuals, or entities are on the list for one to three years. Only Part D Sponsors and Medicare Advantage Plan participants can access the CMS preclusion list.

Prescribers, individuals, or entities are placed on the CMS preclusion list because:

  1. their conduct was detrimental to the best interests of the Medicare program, causing CMS to revoke their Medicare enrollment or place them under an active re-enrollment bar, or
  2. their conduct would have been detrimental to the best interests of the Medicare program, and CMS would have revoked them if they had been enrolled in Medicare.

3. System for Award Management (SAM)

The federal government maintains SAM, a website that lists companies registered to do business with the federal government. SAM is a single point of reference for all vendors, allowing you to check whether a vendor has been suspended or debarred.
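Exclusion searches are only as good as the matching behind them: a vendor's legal name rarely appears in a list exactly as it appears on the contract, and a name-only match can point at a different entity with the same name, while an old entry may already have been reinstated. The following script is an added example, not HIPAAtrek's code or a tool described in this post. It screens a vendor against a local copy of an exclusion-list export; the column layout is assumed to follow the OIG's downloadable LEIE file (dates as YYYYMMDD, `00000000` meaning none), and the three rows are constructed sample data, not real exclusions. It treats an identifier (NPI) match as stronger evidence than a normalized-name match and reports whether the exclusion was still active on the screening date.

```python
"""Screen a vendor name/NPI against an exclusion-list CSV export (added example)."""
import csv
import io
import re
from datetime import date, datetime

# Constructed sample rows in the column layout assumed for the OIG LEIE download.
# Dates are YYYYMMDD; 00000000 means "no date" (e.g. never reinstated).
SAMPLE_LEIE_CSV = """\
LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,GENERAL,SPECIALTY,UPIN,NPI,DOB,ADDRESS,CITY,STATE,ZIP,EXCLTYPE,EXCLDATE,REINDATE,WAIVERDATE,WVRSTATE
,,,ACME MEDICAL BILLING LLC,BUSINESS,BILLING SERVICE,,1234567893,,1 MAIN ST,SPRINGFIELD,IL,62701,1128b7,20210115,00000000,00000000,
DOE,JOHN,A,,IND- LIC HC SERV PRO,PHYSICIAN,,1987654321,19700101,2 OAK AVE,DAYTON,OH,45402,1128a1,20190401,00000000,00000000,
,,,BRIGHT PATH TRANSCRIPTION INC,BUSINESS,TRANSCRIPTION,,,,3 ELM RD,RENO,NV,89501,1128b5,20150301,20200301,00000000,
"""

# Legal-form suffixes that vary between a contract and a list entry.
_SUFFIXES = {"LLC", "INC", "CORP", "CO", "LTD", "LLP", "PC", "PLLC"}


def normalize_name(name):
    """Upper-case, drop periods/punctuation and legal suffixes, collapse spaces."""
    cleaned = re.sub(r"[^A-Z0-9 ]+", " ", name.upper().replace(".", ""))
    return " ".join(tok for tok in cleaned.split() if tok not in _SUFFIXES)


def _parse_yyyymmdd(value):
    """Return a date, or None for the export's 00000000 / empty placeholder."""
    value = value.strip()
    if value in ("", "00000000"):
        return None
    return datetime.strptime(value, "%Y%m%d").date()


def load_exclusions(csv_text):
    """Parse the export into records keyed by normalized name and NPI."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        person = " ".join(p for p in (row["FIRSTNAME"], row["MIDNAME"], row["LASTNAME"]) if p)
        records.append({
            "name": normalize_name(row["BUSNAME"] or person),
            "npi": row["NPI"].strip(),
            "type": row["EXCLTYPE"].strip(),
            "excluded_on": _parse_yyyymmdd(row["EXCLDATE"]),
            "reinstated_on": _parse_yyyymmdd(row["REINDATE"]),
        })
    return records


def screen_vendor(vendor_name, records, npi=None, as_of=None):
    """Return matching records, strongest evidence first.

    basis == "npi": identifier match, high confidence.
    basis == "name": normalized-name match only; verify manually, since
    unrelated entities can share a name.
    active: True unless the entry was reinstated on or before `as_of`.
    """
    as_of = as_of or date.today()
    wanted = normalize_name(vendor_name)
    hits = []
    for rec in records:
        if npi and rec["npi"] and rec["npi"] == npi:
            basis = "npi"
        elif rec["name"] == wanted:
            basis = "name"
        else:
            continue
        active = rec["reinstated_on"] is None or rec["reinstated_on"] > as_of
        hits.append({**rec, "basis": basis, "active": active})
    # Identifier matches before name matches; active exclusions before historical ones.
    hits.sort(key=lambda h: (h["basis"] != "npi", not h["active"]))
    return hits


if __name__ == "__main__":
    exclusions = load_exclusions(SAMPLE_LEIE_CSV)
    for vendor in ("Acme Medical Billing, L.L.C.", "Bright Path Transcription", "Unlisted Vendor Co"):
        print(vendor, "->", screen_vendor(vendor, exclusions, as_of=date(2024, 1, 1)))
```

In practice you would run this against a freshly downloaded export for each list you check (LEIE, your State list, SAM) and keep the output with the vendor file as evidence that the search was done; a `name`-basis hit is a prompt to confirm identity with the vendor's own NPI or tax identifier, not a verdict on its own.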

In summary, you should always exercise due diligence before entrusting your PHI to a BA. Good vendor management goes beyond the BAA. It includes a thorough investigation of the vendor. You may want to conduct a pre-contract survey and exclusion search in your investigation. That way, you establish your vendor’s trustworthiness and gain peace of mind.

HIPAAtrek’s NEW Contract Management Module will help ease the burden of vendor management. This module will store all your vendor contracts in one convenient location. Contact us to learn more about this upcoming feature, or request a demo of HIPAAtrek today.


The goal of this five-part series is to show healthcare CEOs and CFOs that effective, HIPAA-compliant vendor management is vital to the finances, performance, and reputation of their organizations. Furthermore, healthcare organizations will see a positive ROI when they foster successful vendor relationships that yield high-quality, secure services.
