Episode 136:
Who’s Watching Your Vendors? Rethinking Compliance Oversight
Vendor compliance does not end with a signed contract—this episode explores how healthcare organizations can strengthen oversight, reduce third-party risk, and rethink vendor relationships in a more complex compliance environment.
Vendors and business associates are critical to healthcare operations—but they also introduce significant compliance, privacy, and security risks.
In this episode of Compliance Conversations, CJ Wolf and Susan Walberg break down what organizations often miss when it comes to vendor oversight—and why those gaps matter more than ever.
What You’ll Learn:
- Why compliance must be involved in vendor selection and strategy—not just contracts
- The biggest gaps in vendor agreements (and how to fix them)
- How to conduct meaningful due diligence beyond surface-level checks
- What to look for in privacy, security, and data use provisions
- How to monitor vendors without overextending resources
Interested in a deeper dive? You can read Susan’s recent article on vendor compliance here.
Episode Chapters & Transcript
0:00 Welcome to Compliance Conversations
0:23 Introduction to Susan Walberg and her background in compliance and investigations
2:15 Why vendor compliance is more relevant than ever
3:00 The importance of compliance having a seat at the table early
4:30 Common gaps in vendor selection and lack of due diligence
6:00 Understanding financial arrangements, conflicts of interest, and risk exposure
8:30 Legal review vs. compliance oversight—what’s the difference?
10:00 Key provisions every vendor agreement should include
12:30 Privacy, security, and handling protected health information
14:00 What “due diligence” should actually look like in practice
16:00 Identifying red flags through basic research and conversations
17:30 Data use, AI, and evolving risks in business associate agreements
19:30 Cybersecurity threats and the need for updated protections
21:00 Breach response, insurance requirements, and accountability
23:00 Reputational risk vs. legal responsibility
24:00 Ongoing monitoring and staying connected with vendor owners
25:30 Final thoughts and practical advice for compliance teams
CJ Wolf: 00:00
We're so excited. Susan has written an article about a really cool topic, and we thought we'd give you a little bit of the flavor of that, and then we'll make sure that everyone can see the article. We'll include links to it. Susan has been on before, but we just want to, Susan, if you're okay with it, give you a few moments to tell us a little bit more about yourself and refresh our audience's memory about what you do, where you come from, all that kind of good stuff.
Susan Walberg: 00:25
Okay, sure. I've been in the healthcare space for about 30 years. I hate to admit that. I'm an attorney by background, but I've been doing compliance work, fraud investigations, legal work, some flavor of compliance my entire career. I have my own company, which is Compliance a la Carte. And really, I'm a one-man show. A lot of the work I do is working as a fractional compliance or privacy officer. That seems to be where it's at lately. Small organizations sometimes don't have the resources, but they want the expertise. So that's where I find myself, but I do a lot of projects and CIA work. In my free time, I'm a writer, so I've written several compliance books and novels. And the novel I'm working on right now is actually related to our topic, because it does have to do with business associates gone bad and cyber criminals.
CJ Wolf: 01:26
So that's where I'm gonna go now. Excellent. Well, thank you. And we'll make sure that whatever links you'd like included, to your company and books, those sorts of things, we'll include those at your comfort level. So Susan wrote a good article called Vendor Compliance, Time for a Refresh. And we thought it was a great topic, because vendors are such an important part of what we do in healthcare, but we don't have direct control over them all the time, right? They don't report up, necessarily; I could fire you in a heartbeat. And so you've got agreements and contracts and all these sorts of things. So we thought we'd talk a little bit about managing vendor compliance and the challenges that might be there. And Susan, if we could, you wrote about the importance of compliance being at the table, right? For new business deals, acquisitions, whatever the exchange that's going on, being at the table. Tell us a little bit about what you mean by that and why that's important in this context.
Susan Walberg: 02:31
Well, there's two different scenarios. One is the acquisitions, which we could talk about all day. This is more about vendors, but just a side note, acquisitions can be a big issue. I've actually seen in large organizations where the compliance officer didn't even know, and found out after there was an incident, that they were responsible for this entity, which was a joint venture they'd never even heard of. And they were supposed to be the compliance officer. So that's a whole different topic, but that is an important risk. But in speaking about vendors, the importance of being at the table, well, first of all, the challenge is that a lot of times the business side of things does not recognize why compliance should be involved, whether it's reviewing agreements or even reviewing the business need or the strategy or the vendor selection process. So, I mean, starting from the very beginning: why is there a vendor needed? And when compliance is not at the table, you have business associates and vendors where there's no due diligence. You have the finance folks and the business folks looking at who provides the services, who's giving us the best deal. Hopefully there's no conflict of interest in the selection process, but then they just pick who they pick. So that's the case for compliance to be at the table. Part of it is they don't understand that compliance should be. They don't want the built-in delays that compliance might bring. They don't want it to cost more money because compliance is raising concerns. But there's also a trust issue. And actually, someone on LinkedIn did bring this up as a comment on my article: that the compliance officer has to have the organization's trust. Because if they're gonna let you have input, they need to have trust. So that's an important piece. And again, that's a topic we could do a whole thing on.
But the importance of being at the table is to look at all of those issues. You look at the arrangements themselves, who's paying who for what, right? So that's the kickback and Stark side, the arrangements themselves. And if you're not an attorney and you're not confident with those issues, you're the one that'll push to have an attorney look at it. Because it's not just physician referrals; it can also be some arrangement with the EMR vendor, and there have been kickback cases around that. There's a lot of different ways that can play out. So, what is the arrangement? That is one of the first concerns. How are the vendors being selected? Do we have a conflict of interest? Does the head of the selection committee have a brother-in-law who's in the mix? I mean, those things do come up too. So lots of issues there. And just one other point: over 60% of breaches are caused by business associates. I found that, I believe it was on the HHS website somewhere, and that's pretty scary. So, in informing leaders why you should be at the table, that's a big one, because it could cost a lot of money if you have a bad arrangement or they don't have proper practices in place. There's just a lot of things. So to get at the table, you build trust with your leadership team, but also educate them on some of the risks, because a lot of times they just don't get it. Yeah, getting at the table can be the trickiest part of all this.
CJ Wolf: 06:28
It is, and I remember a really specific example when I was a compliance officer for a medical device company that was international. And though I wasn't calling business shots, nor was that my job, it was important to point out that look, you're entering a country or you're entering a state that has these regulations regarding this activity. I'm not the one to say that it's a bad business decision. I'm just saying this will be an added burden. It will be an added requirement, and you might be frustrated getting everything set up. And then after the fact, me coming and telling you, oh, state X, Y, and Z requires this disclosure. Well, I don't want to disclose that. Well, you jumped into the business, and these are some of the things, right? I was specifically thinking of the whole Sunshine Act, where any transfer of value you have to report. And in medical device, there's a lot of things of value being passed back and forth. In some countries, it was a requirement to submit that data so they could publicly report it, and in other countries, that wasn't the case. So it was just good for me to be there and to say, hey, do you know that this is something? Oh, sure. Okay, great. Thanks for bringing it up. That doesn't bother me, but I'm glad we know it, and this is what will have to happen. So I love that you brought that up early in the article. Just being at the table can help so much if you know about things ahead of time.
Susan Walberg: 08:06
Yeah, it can. I mean, I've been in situations where the lawyers look at the agreement and they're fine with it, and then they hand it over to me. Well, I'm a lawyer too, but I mean the legal department looks at it differently. They're checking the boxes: the jurisdiction issue and this, that, and the other thing. And we're looking at, what are you actually doing? Who's paying who for what? And are we comfortable with that? Are they using our services inappropriately? Are they positioning themselves to take advantage of our data? There's a lot of things there, so we read through it a different way.
CJ Wolf: 08:46
That's exactly right. Well, and so on that point of agreements, maybe we segue a little bit to that. I like what you said: attorneys have their role, but then compliance has to make sure that the terms of the agreement are actually occurring. So if you're hiring somebody to be your chief medical officer, or somebody to be a department head, and you say they're going to bill hours quarterly or monthly and give us an invoice that's detailed, that's a critical part when it comes to kickbacks and self-referrals. And so if they're not actually doing the terms of the agreement, I've heard people say, oh, but legal cleared this. Yeah, they cleared what was written in the agreement, but you're not doing what's written in the agreement. Go ask legal if they're okay with you doing something different than what's written in the agreement. So these provisions in the agreements, tell me a little bit about your thoughts on why that's such an important part to be involved in from a compliance standpoint.
Susan Walberg: 09:49
Well, the provisions. I mean, there's some boilerplate, or there should be boilerplate things that help protect your organization. The basic one is, I agree to adhere to all laws, rules, and regulations. You also want to get more down into the weeds around, for instance, if they're doing billing or coding, you want to make sure that they're adhering to Medicare regulations, honesty and integrity and documentation and those sorts of things. But you also want to have the ability to look under the rock, if you are concerned, or even just as a matter of routine follow-up, to look at their processes, to do an audit. If they're not in agreement that you can take a look under the rock, so to speak, then that's a red flag: how are your business practices if you're not comfortable letting somebody take a look at that? Some of the other things: the excluded provider issue. There needs to be a statement, not only that their employees have been screened and are not excluded from participating in government health programs, but also that they will notify you if that becomes the case. And that's the piece I've seen missing the most. So if they're fine right now, in five years are they still fine? And then you don't find out until you get a note from the OIG or whoever saying, by the way, did you know you're billing for this or that and they're excluded? So that's a really big one. They need to put in their agreement that they do have compliance, privacy, and security programs in place and that they're meeting industry and regulatory standards. That's an important one too. But the problem with this is a lot of these organizations on both sides just sign the contract.
And so that language is important, but it's important more as a protection if things go wrong, because they're gonna sign the agreement, they're gonna say they've got their ducks in a row, except for maybe the audit piece; they might squawk about that. And that's an issue you have to hammer out with them. But most of the time it's just the boilerplate language, but you still want to make sure that you have it on the front end, and that's the piece that mostly the lawyers deal with. But as a compliance person, if you review the agreement, you can certainly ask, where is the language around security? Where's the privacy and security? Basically an attestation that they're gonna adhere to those standards and requirements. Because it's a big deal. If people are handling your protected health information, you need to make sure that they're handling it with as much care as you are, or maybe more.
CJ Wolf: 13:01
That's right. Such a good point. Hey, everyone, we're gonna take a quick break. This has been a great conversation so far, but hang with us, we'll be right back. Welcome back, everyone. We've been talking with Susan about vendor compliance and the things compliance officers should be looking at and be aware of. You mentioned before conducting due diligence, and that's a nice phrase, right? What does that mean? How should compliance be involved? What do you mean by conducting due diligence?
Susan Walberg: 13:42
Basically, looking at not only what the company is doing, but how they're doing it. So even though it's not an acquisition, which is what most people think of for due diligence, you still can research and review a company. There's a few things, and again, this front-end stuff can help save you on the back end, right? You have fewer problems if on the front end you take a deeper dive. I'd say the first thing is ask for their compliance program. Look at their actual document. Do they even have one? Ditto for privacy and security policies; you can ask to look at those. It's up to you, depending on what they're doing and how much you want to get into that, but you can ask for their security risk assessment, their most recent one. Because if they're gonna be in your patient files, don't you want to make sure that they've at least got the basics in place? The security risk assessment is better than the policies, right? Because it goes to your earlier point of whether they're actually doing it, not just on paper. You can ask to talk to their privacy or security or compliance person and just have a short conversation. That can be very revealing too. And if the company's not doing things the right way, that person might give you a clue to that, even if not directly saying it. A lot of times good compliance officers are swimming upstream, and in a quick conversation you can pick that up pretty quickly. And then you can decide to probe more from there if you want. Yeah, well, go ahead.
CJ Wolf: 15:32
Yeah, I was gonna say, if the response is, what's a HIPAA security risk assessment? If that's the response, they don't even know the language you're using. Again, you're maybe not the one who's making the business decision, but you can then alert them to say, hey, I just asked some very simple questions. Most vendors in this space would be able to produce this document within a day or two, should be able to send it, and would not be asking, what do you mean? So that is just a little red flag. You maybe want to be aware, business folks, that this entity is going to be having all of our PHI. And it could turn out not so good sometimes. So anyway.
Susan Walberg: 16:19
Exactly. Exactly. Another basic thing that hopefully you do routinely is running them through the exclusion checks, the LEIE list on the OIG website, just to make sure. And then the last thing, and this is actually a thing that I do a lot, is just a basic Google. If you Google a company, look on the Better Business Bureau site, but just with a general Google you'll see Yelp reviews and all kinds of stuff. And maybe you don't find anything where they've been in trouble with the government, and maybe there's nothing on the Better Business Bureau, but you've got 10 Yelp reviews from employees talking about unethical conduct in the company. There's a lot of ways that you can get these red flags. So that's what I recommend doing: just think about it like you're making sure that they're on the up and up and their practices are on the up and up, and that they're actually minding the store.
CJ Wolf: 17:20
Yeah, such a good point. You've mentioned a lot about privacy, security, those sorts of things. And in your article, you talk about being specific around those areas. Do you have some thoughts or examples of what people should be specific on when it comes to privacy, security, and data?
Susan Walberg: 17:41
Well, I think there's some degree of variation depending on the services in your organization and all of that. But it's been weighing on my mind lately that business associate agreements have been around quite a while, and it's a new world. So one of the things that bothers me is how they can use your data. There's always been one or two sentences about that in the business associate agreements, boilerplate language. I would think about revisiting that on the template agreements, because with a lot of people basically harvesting data for AI, or, there was a case where it showed up on the dark web from a business associate getting breached, it's important to really think about. And then maybe the provision says, well, we can sell your information if it's de-identified. Are you okay with that? And if they're selling your information, what are you getting out of it? That's the business side, right? You're paying this company to run your business office or whatever, but they're using your information and making a profit as a side gig, hopefully a legitimate side gig. So how are you being reimbursed for that? That's not a compliance thing, but it always occurs to me. I've had that conversation in the finance office: they say they can use our information, what do we get out of that? And in this day and age, I think that's something to consider. And really just take a look at the business associate agreement template with fresh eyes. Given the cybercrime that we have now, it's evolving every day. So the training and the security that's being provided, either you're letting them use yours or they're having their own, but how robust is that? And is it updated or refreshed regularly? If you follow the cybersecurity crime news, there's a new scam every week.
And they're constantly evolving, and now they're using AI to be even faster and smarter to get around firewalls and different things. So you want to make sure that not only is your own office taking care of that in real time, but your business associates are as well.
CJ Wolf: 20:18
Yeah. Well, even parties that are doing really good work from a privacy and security standpoint could still get stung. And so I wanted to ask you, what do you think about requiring a certain level of insurance that the vendor holds? Look, you can be doing everything perfectly well, to the best that an organization can do to prevent breaches, but sometimes there's just bad actors and they get in, and then we have to deal with the aftermath. So do you think about requiring a certain level of insurance, or that they have to pay for some of the cleanup and that sort of thing? What are your thoughts on that?
Susan Walberg: 21:02
Absolutely, they should have insurance. And that brings up a broader point that needs to be addressed and isn't always thoroughly addressed: if there's a breach, how is that handled? What's their responsibility, not just financially, but notifications, corporations, all that. I've seen agreements that don't really address that very adequately. So if the business associate has a breach and it's not really delineated in the agreement, you can't say a whole lot if you never told them they have to notify you within five days or whatever. They're gonna say it wasn't in the agreement, we're still looking at it, and whatever. Meanwhile, you're getting complaints and notifications from patients, and it's like, mm mm.
CJ Wolf: 21:58
Exactly. Well, I was once at a conference where OCR was speaking, they had a speaker, and we were talking about business associates' liability and responsibility, and they gave this hypothetical. And OCR said, well, yeah, legally, we can only go after the business associate if it's their breach. And then others started talking about, yeah, so then we need to be protecting ourselves in those initial agreements. And the other thing is, I've heard this a bunch from executives: yeah, but isn't it their legal responsibility if it's their breach? I say yes, but it's our reputation, because it's our PHI. We're the hospital, they're the EMR. Our patients are going to ask, why did you go with an EMR system that wasn't secure? So we might not be on the hook legally for a business associate's breach, but reputationally, you absolutely are.
Susan Walberg: 22:56
Right, exactly. And do your patients really want to hear from some vendor they don't know anything about saying we violated your privacy, or would they rather have the providers that they know and hopefully trust notify them, do it timely, tell them what happened and what they're doing to remedy the situation, rather than a nameless, faceless organization? So it's part of the same thing. It's the trust thing and keeping that relationship intact as much as possible.
CJ Wolf: 23:28
Yeah, such a good point. Well, Susan, we're coming towards the end, but I always want to give you the last word. I don't know if you have any parting thoughts or maybe something that I didn't ask you about that you think we should talk about in the next minute or two.
Susan Walberg: 23:42
Just one more thing, I guess. Once the agreement's in place, how do you monitor them, how do you kick the tires without dedicating too many resources to it? I would say that a really effective way of doing that is to stay in contact with the process owner, the contract owner, because they will know if there's an issue going on. Sometimes they won't call you, but if you reach out to them, they'll say, well, yeah, we're getting a totally unreasonable number of denials, or we're not getting what we asked for on record requests, or whatever it is. They might not come to you about it. But it's good to keep that dialogue going so that you're getting timely information; maybe get in on their quarterly meeting or their monthly meeting, or whatever it is, so that you stay abreast of that. And the other thing is you can always send surveys to those folks and ask them for an update about their privacy or compliance program or whatever you want. Work with the business owner, of course, but you can always check in. And that way they know you're watching. So it's always good that they know you're still there.
CJ Wolf: 25:01
I love it. Yeah, we all tend to perform a little bit better in general when we know that we're gonna have to respond or answer for our actions. And so we're a little bit more conscientious when, like you said, the compliance officer is just checking in, and we know that we have a compliance officer over here asking about stuff.
Susan Walberg: 25:19
Yeah, and it helps internally with your process owners; it helps build the dialogue and the trust, if they know that you actually care about what's happening with their business vendors. So it's not a bad thing to do either way.
CJ Wolf: 25:36
Great points. Well, Susan, as always, I've learned a lot. I appreciate your expertise and experience, decades' worth of experience. So thank you so much for being on the show. Well, thank you for having me. It's always a pleasure. Excellent. And we'll make sure that we include links to Susan's contacts and websites, and check out her books too, her novels. Get a little away from the regs and read a little bit of the excitement that she writes into her novels. And for those of you that are listening regularly, we'd love to hear your suggestions for topics, number one, and for speakers and guests, number two. And until next time, everyone, take care.