What I Learned at the 2017 HCCA Compliance Institute

I just attended my first HCCA Compliance Institute and, wow, what an eye opener. The energy was palpable, and the diversity of attendees in terms of roles, responsibilities and organizational size was more than I had expected.

I decided to attend because of the breadth of breakout sessions on topics related to vendor management. Our firm is experiencing a growing interest in vendor management from health plans and health care organizations. The Compliance Institute provided an excellent opportunity to hear perspectives on a variety of topics that are unique to the industry.

As I reflected on what practical insights to share about my experience, I identified two themes that stood out to me and that I think are applicable to all health care organizations.

1. Vendor Management is an Evolving Discipline in Health Care
Vendors were an important topic across several sessions I attended, including those on HRSA audits, Business Associate Agreements and First-Tier, Downstream and Related Entity (FDR) Vendors. It is clear that vendors permeate the ecosystem of every health care organization.

So it’s only natural, then, that vendor management is evolving from a pure “compliance issue” to an actual “business discipline” that focuses on cost control, risk mitigation, performance management and, of course, compliance. Health care organizations are rethinking how vendor management is approached, and where it should live on the org chart. They are also discussing how to bring all of the stakeholders together to tackle vendors in a more holistic way.

2. Cybersecurity is Driving the Current Conversation.
Cyber is a growing area of risk in every health care organization, and vendors are an integral part of the risk discussion. As I learned in the breakout session “Study of 1000 Vendor Practices,” a 2016 Data Security Incident Response Report showed that roughly 15% of all data incidents were caused by third party vendors. And with cybercrime on the rise, it’s reasonable to think this number will only increase over time.

Covered Entities can’t pass the buck when problems happen. HIPAA requires organizations to assess the risk to a breach of PHI wherever it is created, received, maintained or transmitted, and to put measures in place to safeguard the information. Integrating vendor oversight into this process was a theme across many conversations.

Informative sessions. New learnings. And a well-organized conference. Thanks to HCCA for a great first experience!

Tom is Founder & CEO of Vendor Centric, a consulting firm that helps organizations adopt a risk-based approach to vendor management. Connect with Tom on or drop him a note at .
Tom Rogers

Job Title: CEO
Organization: Vendor Centric

Tom is a trusted advisor on procurement and third-party management to organizations across the United States. Having worked with over 120 organizations over his 30-year career, he has a unique ability to bring both creativity and discipline to finding solutions for even the most complex challenges his clients face.