Improved Vendor Onboarding Process
A large (13,000+ employee) healthcare organization’s third-party onboarding process is improved.
Onboarding: the process that collects the documentation, agreements and information from individuals that are necessary to associate them with accounts and appropriate access.
Managers initiating the onboarding of third parties for consultant and vendor support struggled to classify those partners under the existing process's definitions of “vendor” and “contractor”.
Under the existing process, “contractors” were onboarded with documentation requirements similar to those of employees, while “vendors” required less documentation.
Although the distinction between “contractors” and “vendors” should have been clear, the differing documentation requirements, in particular the requirement for Business Associate Agreements (BAAs) for “contractors”, led requesting managers and operations staff to classify some “vendors” under the more stringent “contractor” requirements in order to obtain the greater security protections.
As a result, managers could not determine which entity classification was appropriate for a given third party, creating process confusion and frustration.
A cross-functional team (Figure 1) redesigned the process.
Figure 1: Cross-functional team
Figure 2: Onboarding flow by entity comparison
Identity & Access Management (IAM) established a new vendor onboarding process with more rigorous documentation requirements. This removed the incentive for misclassification and ensured that both “vendor” and “contractor” onboarding included appropriate document requirements.
Two sub-classifications were created within the “vendor” class to establish entity boundaries more clearly.
Individuals receiving this classification may be authorized for a network account.
Individuals who may require access to sensitive data, including Personally Identifiable Information (PII) and Protected Health Information (PHI), must have BAAs on file.
With the new classifications, IAM operations staff can readily determine whether an access request is appropriate, with assurance that the necessary documentation is on file.
The existing vendor onboarding portal did not support automated nightly extraction of vendor data; a replacement portal was therefore selected through an eight-function-point analysis of seventeen candidate systems (cloud, SharePoint and custom development).
The eight function points evaluated:
- Manager claims/creates vendor organizations
- Vendor onboards vendor employees
- IAM manages portal requirement templates
- Vendor employees upload required documents
- Manager reviews list of applicants
- Manager validates requirements have been met
- Identity data exported nightly
- Vendor flags departing employees for account termination
Scoring scale applied to each function point:
- 4: All features, good usability
- 3: Some features, good usability
- 2: Some features, non-ideal usability
- 1: Possibly workable, non-ideal
- 0: Feature absent
The finalist selected was CENTRL’s Vendor360 (https://www.oncentrl.com).
Figure 3: Identification reference for managers
A manager training PowerPoint was developed, including a slide to assist managers in identifying “vendors” (Figure 3).
Operational procedures were developed, including a step-by-step onboarding procedure and an accompanying procedure for completing sanction evaluations (refer to “Process improvements”).
Figure 4: Process overview (new)
Process improvements
- Streamlined and simplified the onboarding process.
- Improved overall process security.
- Created the “IT2” and “IT3” vendor entity classes to clearly communicate the bounds of individual vendor accounts in accordance with the documentation (e.g. BAA) on file.
- Developed function-point metrics that identified the best-fit cloud portal vendor.
- Decoupled the immunization requirements from the network account request and attached them to the badge request process. The previous process required discussions and exceptions so that vendors who were 100% remote could bypass the immunization requirements. Attaching them to the badge request process instead is appropriate, since badges are required for on-site vendors.
Improved sanction evaluations
The Department of Health & Human Services’ (DHHS) Office of Inspector General (OIG) prohibits any organization that submits claims to the Federal Government (e.g. Medicare and Medicaid) from contracting with sanctioned entities. Accounts Payable must evaluate each third party against the sanction databases prior to payment. As shown in Figure 4, the new process also performs a sanction check before a third party's network account is established. Sanctioned individuals do not receive accounts.
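The two gates described above, the documentation check tied to the vendor sub-class and the sanction check that precedes account creation, can be enforced as a single pre-provisioning decision. The following is an added illustration, not the organization's or Vendor360's code; it assumes that IT3 is the sub-class that may touch PII/PHI (and so needs a BAA) and that a screening older than 30 days is treated as stale, neither of which the text states.

```python
"""Pre-provisioning gate for third-party network accounts (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: IT3 is the vendor sub-class that may access PII/PHI and therefore
# requires a BAA on file; IT2 is the network-account-only sub-class.
CLASSES_REQUIRING_BAA = {"IT3"}
# Assumption: a sanction screening older than this must be repeated.
MAX_SCREENING_AGE = timedelta(days=30)


@dataclass
class SanctionScreening:
    screened_on: date
    clear: bool  # True when the sanction databases returned no match


@dataclass
class VendorRequest:
    name: str
    entity_class: str  # "IT2" or "IT3"
    baa_on_file: bool
    screening: Optional[SanctionScreening] = None


def provisioning_decision(req: VendorRequest, today: date) -> tuple[bool, list[str]]:
    """Return (allowed, reasons); an empty reasons list means the account may be created."""
    reasons: list[str] = []
    if req.entity_class not in ("IT2", "IT3"):
        reasons.append(f"unknown entity class {req.entity_class!r}")
    if req.entity_class in CLASSES_REQUIRING_BAA and not req.baa_on_file:
        reasons.append("BAA required for PII/PHI access but not on file")
    s = req.screening
    if s is None:
        reasons.append("no sanction screening recorded")
    elif not s.clear:
        reasons.append("sanction screening returned a match")
    elif s.screened_on > today:
        reasons.append("screening date is in the future")
    elif today - s.screened_on > MAX_SCREENING_AGE:
        reasons.append("sanction screening is stale; re-screen before provisioning")
    return (not reasons, reasons)


def demo_decisions(today: date = date(2024, 3, 1)) -> dict[str, tuple[bool, list[str]]]:
    """Run the gate over constructed sample requests covering each outcome."""
    fresh, stale = SanctionScreening(date(2024, 2, 20), True), SanctionScreening(date(2023, 12, 1), True)
    sample = [
        VendorRequest("it2-clear", "IT2", False, fresh),
        VendorRequest("it3-no-baa", "IT3", False, fresh),
        VendorRequest("it3-sanctioned", "IT3", True, SanctionScreening(date(2024, 2, 25), False)),
        VendorRequest("it2-stale-screen", "IT2", False, stale),
        VendorRequest("it3-unscreened", "IT3", True, None),
    ]
    return {r.name: provisioning_decision(r, today) for r in sample}
```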