Don’t Let Vendors Become a Compliance Weak Spot
Do your due diligence on vendor trustworthiness before signing any contracts.

Many practices rely on vendors to accomplish certain tasks in their business and know that vendors are held to the same standards for compliance. Performing due diligence before contracting with a vendor is crucial for your practice’s well-being. Here are some strategies for organizing your vendor selection and screening processes so you can prioritize security, effectiveness, and compliance.

Know Why You’re Pursuing the Relationship

Contracting some responsibilities out to third-party vendors may make sense for your practice. Common vendors include billing agencies, clearinghouses, software companies, and auditors or auditing firms. When entering into a contract with a business associate (BA), you’re often authorizing them to handle protected health information (PHI) and make transactions with payers, including Medicare, on behalf of your practice.

When contracting with a vendor, it’s your responsibility as a practice to make sure their work is legal, ethical, and compliant before handing over sensitive information or data. Before you select a vendor, you should identify and define your requirements, know how you’re going to source and screen the options, have a plan for checking compliance within whatever respective regulatory framework is relevant, and have oversight and audit processes in place.

Glean Specific Details

You’ll want to make sure you understand how the prospective vendor is going to protect your practice’s and patients’ data. Medicare Administrative Contractor (MAC) Novitas has some suggestions for information you need to know before hiring a vendor and entering into a business associate agreement (BAA). First, make sure you know whether the vendor uses subcontractors, and if any of the information they process leaves the United States for any reason.
Novitas says that electronic health information that is sent or stored abroad is more vulnerable to unauthorized disclosure or breaches. If they make the assurance that they won’t be processing or storing data abroad, make sure acknowledgement is incorporated into the BAA.

You’re hiring the vendor for their expertise in managing a particular task, and it’s crucial that you know whether they’re knowledgeable and trained on any respective regulations and policies. For example, if your practice sees Medicare beneficiaries, you need to make sure they know and can navigate the Centers for Medicare & Medicaid Services (CMS) and MAC regulations and resources — and can follow any differences in other payers’ policies as well.

With that basic knowledge, you should investigate the nitty-gritty details of how they’ll manage your data. Will you receive proof of their work, like claim submission, as well as any feedback that may come regarding claim denials or rejections or appeals? Will you know whether the vendor is processing claims correctly? If there’s a possibility of a compliance issue, will you be notified and able to correct it?

Look into the business specifics, too, so you know what you’re paying for which service and can have confidence in the legitimacy of the work. Determining the charge structure, especially regarding transactions or inquiries, can help you make sure that the vendor is using resources responsibly. CMS and payers are increasingly watchful of waste, fraud, and abuse, so doing your due diligence before the BAA is signed can help prevent compliance issues down the road.

Focus On These Compliance Specifics

Dotting your i’s and crossing your t’s is crucial when you’re handing over PHI or personally identifiable information (PII). If you can validate certain aspects of third-party vendors’ work, you can feel confident that you’re protecting your patients’ privacy and security — and maintaining compliance as well.
Novitas suggests practices document compliance and performance expectations for vendors, including the standards of conduct and which responsibilities belong to the provider versus the vendor. When writing the BAA, make sure you incorporate specific methods for vendors to report to show they’re maintaining compliance. Strive for transparency and accuracy by requesting proof of submissions, when applicable, and conducting assessments to make sure work is being done as expected. You can use assessment or audit results — especially by looking at the rates of claim denials, rejections, and claims marked return to provider (RTP) — to evaluate and validate accuracy and timeliness.

Rachel Dorrell, MA, MS, CPC-A, CPPM, Production Editor, AAPC
