Why Hospitals Need to Strengthen Third-Party Due Diligence and Take Control of Compliance Efforts

By Jackson Wood, Director of Industry Strategy, Global Trade Intelligence, Descartes

The United States government enforces stringent regulations and compliance requirements across all industries that operate with international partners—and the healthcare industry is no exception. Without proactive compliance screening, staff training, and proper due diligence policies to prevent dealings with blacklisted or risky businesses or countries, hospitals can face serious consequences. In addition to the possibility of substantial fines, damaged reputation, lengthy litigation, and the loss of international privileges, conducting business with sanctioned entities can ultimately impact patient care, safety, and the bottom line.  

To comply with government regulations, hospitals must navigate the complex web of government agencies, sanctions programs, and exclusion lists. Examples include exclusions screening as set out by the Office of the Inspector General (OIG), the General Services Administration (GSA), the Office of Foreign Assets Control (OFAC), the Bureau of Industry and Security (BIS), the Drug Enforcement Agency (DEA), and State Medicaid. Additional requirements include controls placed on sharing technologies with foreign parties and shipping products and samples overseas.

The Cost of Non-compliance 

While U.S. hospitals may serve their local or statewide communities, their operations often stretch across international borders. Many hospitals hire physicians and medical professionals from other countries and work with foreign distributors to provide their medical services. Adding further complexity to the compliance puzzle, hospitals must also pay close attention to supplies purchased from third-party vendors: conducting business with a sanctioned country or entity through a third-party affiliate is prohibited.

The cost of non-compliance is severe. In addition to potentially compromising the efficacy and safety of patient care by working with risky entities, repercussions may include: 

• Hefty monetary fines
• Civil or criminal litigation
• Obligations to report to the US Securities and Exchange Commission
• Damaged reputation with clients and partners

Third-Party Compliance Risks for Hospitals

Since many U.S. hospitals work with third parties, and collaborate with international entities, due diligence becomes a complicated endeavor, rife with hidden risks and the potential for compliance violations. 

Clinical trial risks

With hospitals conducting research on a regular basis, clinical trials can quickly become a source of non-compliance. For instance, the supplies and materials used in clinical trials (e.g., electronic devices, laboratory equipment, encrypted data) are often subject to export regulations. 

International participation in clinical trials involving multiple sites means hospitals must be aware of the unique laws of each participating country; US rules have extra-territorial applicability and extend to cover US persons, goods, technology, and companies, wherever located. For example, a hospital running a clinical trial using labs in the U.S. and Germany must ensure compliance with both U.S. and EU export controls for the same transaction.

In addition, if hospitals wish to outsource some parts of their clinical trials to third parties, they must ensure beforehand that the prospective service providers are not a denied party and that they hold strong legal compliance postures.

Export controls & Related sanctions 

Hospitals are responsible for ensuring they don’t do business with embargoed countries or excluded parties on any U.S. government exclusion list—either through direct transactions or indirect transactions. In other words, healthcare organizations are directly impacted by the compliance activities—or lack thereof—of any third parties or intermediates, such as distributors or sales agents.  

Without monitoring policies, robust due diligence (e.g., exclusion screening), and periodic medical supply chain audits, hospitals risk letting sanctions violations by third parties slip through the compliance net—and the government is paying attention. 

For instance, BIS and OFAC fined medical supplier Alcon more than $9M in 2016 for exporting end-use surgical and pharmaceutical products from their U.S. location to distributors located in Iran, Sudan, and Syria. In rendering its decision, OFAC noted the company’s “demonstrated reckless disregard for U.S. sanctions requirements by having virtually no compliance program.”

Acquisitions

Hospital merger and acquisition (M&A) activity has increased significantly in the past decade as buyers and sellers strive to create operational, strategic, and financial value. While economies of scale and increased patient volumes are top of mind for the acquiring party, they must also be mindful of assuming the legal liabilities of the target business, which may include non-compliance issues. Even if the acquirer is unaware of the violations at the time of acquisition, they are still subject to fines and penalties. 

To minimize the impact, hospitals should perform supplemental due diligence checks after acquiring the target medical organization, address any ongoing violations within the organization, and request changes to its policy to enhance compliance. The U.S. government has been known to reduce penalties for businesses that self-disclose and demonstrate a proactive approach to improving their compliance program. 

Automating Compliance to Minimize Risk

Manual screening programs place hospitals at high risk of non-compliance with government regulations. With the sheer volume of exclusions lists that are updated on a regular (even daily) basis, hospitals need to screen regularly and continually monitor compliance—a time-consuming, resource-intensive, and error-prone task if performed manually. 

Automation is the backbone of a healthy compliance program. By replacing manual screening efforts with an automated solution, hospitals can take advantage of features such as automated and integrated excluded party screening of general and medical-specific sanctions lists (e.g., OFAC, OIG, SAM), along with review, research, and decision support workflows. An automated compliance workflow streamlines due diligence at all steps of a transaction or business relationship, while mitigating the risk of non-compliance and associated penalties across hospital operations. 

Healthcare and medical compliance relies on a holistic approach to governance, risk, and compliance. In today’s volatile geopolitical climate, it is critical that hospitals have a comprehensive and efficient compliance program in place, not only to mitigate risk but to ensure they’re delivering safe, quality patient care to drive growth and strengthen the bottom line. 

Jackson Wood is the Director of Industry Strategy, Global Trade Intelligence at Descartes. Operating across Descartes’ Global Trade Intelligence business, Jackson works collaboratively with Product Management, Global Marketing and Commercial Operations partners to help develop and deliver solutions that address the increasing complexity and volatility of today’s global trade environment. With a keen focus on both the present and emerging needs of Descartes’ customers, Jackson leverages his 15+ years of experience in market research, strategic planning, change management and corporate development to provide meaningful insights that help increase and amplify the value clients realize from Descartes’ solutions. Jackson joined the organization in December 2019 and brings over a decade of trade compliance industry experience to his role.