Skip to content
Thought Leadership

What Accreditors Actually Look For: Key Takeaways from Trust Summit '26

What Accreditors Actually Look For: Key Takeaways from Trust Summit '26

Dawn Hall, RN Consultant with Joint Commission Resources and a 30-year veteran of clinical and hospital leadership, took the main stage at Green Security's Trust Summit on June 10th, 2026 to answer a question most healthcare organizations dance around: are you actually prepared for a vendor-related survey finding — or just hoping nothing goes wrong?

The session opened not with frameworks, but with headlines.

In 2024, a nationwide cyber attack disrupted a major U.S. health system when vendor access wasn't properly controlled. The same year, poor actors posing as legitimate providers gained unauthorized access to patient records because identity verification was weak. And in 2025, a New York City hospital's failure to manage contractor compliance with infection control protocols resulted in a Legionnaires' disease outbreak — and deaths.

"The lesson," Hall said of each incident, was the same: "vendor access must be tightly controlled, continuously monitored, and documented well enough to prove it during a survey."

The Regulatory Stakes Are Higher Than Most Realize

Hall walked attendees through the Joint Commission and CMS standards governing vendor and contractor management — a set of requirements she acknowledged can feel vague but carry consequences that are not.

At the CMS level, organizations are required to screen every vendor against the OIG and GSA federal exclusion lists, just as they do for their own staff. That screening cannot be a one-time exercise.

And if a vendor's contract assigns screening responsibility to the vendor itself, the hospital is still accountable for verifying it was done. "You will not be absolved," Hall said plainly.

The financial exposure is real: failing to meet CMS vendor requirements can trigger loss of Medicare reimbursement, plus fines and penalties that fall on the organization.

From the Joint Commission's perspective, the standard most frequently cited in physical environment findings is NPG 11.01.01.01 — which governs managing security risks and specifically requires a risk-based approach to vendor management. That means risk assessments, ongoing monitoring plans, and documentation that can be produced quickly when surveyors ask for it.

The Contractor Blind Spot

One of the most consequential points Hall made — and one that catches organizations off guard during surveys — is that the Joint Commission makes no meaningful distinction between vendors and contractors. Both are non-employees. Both fall under the same HR standards. Both require the same level of credential verification, competency validation, and access control.

"Contractors are held to the same standard as vendors," Hall said.

The implication is one most organizations haven't fully acted on: every tiering framework, every credentialing checklist, every access control policy that applies to a sales rep also applies to the electrician, the HVAC technician, the construction crew, and the equipment servicer working in your building.

The slide Hall pointed to made this concrete. Under HR.11.02.01, the standard is unambiguous: anyone who services or repairs a medical gas system must hold current ASSE certification before they touch the equipment. Not after the fact. Not on the honor system. Before access is granted. That certification must be verified, documented, and maintained — not checked once at onboarding and filed away.

This is where survey findings pile up. Organizations that run a disciplined credentialing program for commercial vendors often have almost no visibility into the contractors moving through their facilities under facilities management or construction contracts. Different department, different process, different standard of proof — or no standard at all.

Hall's framework offers no such carve-out. "A contractor without documented, current credentials who gains access to a restricted area is the same finding as a vendor rep without a background check in the OR. The standard cited is the same. The exposure is the same. The documentation expectation is the same."

For organizations building or auditing their vendor governance programs, the practical implication is a scope question that needs to be answered before the next survey: does your credentialing program cover every non-employee category, or does it stop at the categories your supply chain team thinks of as "vendors"? If facilities contractors, IT service providers, construction subcontractors, and equipment repair technicians sit in a different system — or no system — that gap will surface.

The Gaps Surveyors Find Most Often

Hall shared findings pulled directly from survey reports. The patterns are consistent, and they are avoidable.

  • Expired credentials. Organizations unable to produce documentation that background checks, health screenings, or immunizations were completed before a vendor began working on-site. The credentials existed at some point — they just weren't maintained.

  • Point-in-time verification only. Credentials checked once, never revisited. For exclusion list screening in particular, ongoing monitoring is explicitly required, not optional.

  • Manual systems that can't keep up. Spreadsheets, email threads, and department-owned logs create the worst possible situation during a survey: multiple people scrambling to reconstruct records, with missing pieces and conflicting information. "Surveyors expect to see a cohesive, traceable record of compliance — not scattered evidence."

  • No real-time visibility of vendors on-site. When a physical environment engineer asks "who is in your building right now?" the answer cannot be a handwritten sign-in sheet. Those logs are incomplete, easily bypassed, and often missing checkouts entirely.

  • Disconnected systems. When credentialing data lives in one place and badge access lives in another, vendors can retain building access after contracts end or individuals are terminated. This showed up in survey findings as recently as last year.

  • Inconsistent enforcement across departments. The OR has strict controls. Other departments don't. "This creates uneven enforcement that surveyors interpret as a systemic failure." Hall drew from her own experience as an ICU nurse — someone walking on the unit to fix a bed wouldn't necessarily have been questioned. That's a gap, and it belongs to staff culture as much as policy.

  • Failure to govern who actually owns this. Shadow vendors — brought in outside the formal process — remain one of the most common findings. When no single function owns vendor management end-to-end, pieces fall through.

What Best Looks Like

Hall outlined the practices that distinguish organizations that consistently pass surveys from those that struggle with repeat findings.

Centralize everything.
A single, documented vendor management program with approved policies, defined ownership, and standardized workflows for onboarding, monitoring, and off-boarding. One record per vendor, not records scattered across five departments.

Tier your vendors by risk.
Not every vendor requires the same scrutiny. Classify vendors as high, medium, or low risk based on their access to patients, PHI, and systems. Apply controls accordingly. A vendor who never steps on-site and has no system access is a fundamentally different risk profile than a contractor working in a sterile environment.

Use a standardized credentialing checklist.
Hall's recommended baseline: government ID verification, OIG/GSA exclusion screening, licensure and certification verification, required training (HIPAA, infection control, safety protocols), immunizations for patient-facing vendors, and signed policy acknowledgments. An advanced practice layer adds vendor badges with built-in expiration dates — removing the risk of credentials staying active indefinitely.

Require check-in and check-out.
Every vendor, every visit, through a kiosk or managed system. Visible ID badges. Access limited to approved locations at approved times. A complete log of who went where and why.

Build accountability into contracts.
Scope of services is a minimum requirement. Best practice goes further: HIPAA and CMS compliance requirements written into the contract language, defined KPIs (service quality, response time, safety incidents), reporting timelines, audit rights, and a termination clause for non-compliance. For high-risk vendors, quarterly performance evaluation. For others, annually — and document it.

Train your staff, not just your vendors.
Policies only work if the people enforcing them know the rules. Hall was direct: clinical staff need to know it is their responsibility to question a vendor without a visible badge, to know where to verify credentials, and to know how to report concerns.

Dawn Hall presented at the Green Security Customer Summit '26 in her capacity as an RN Consultant with Joint Commission Resources. This article summarizes key themes from her session for distribution to Green Security customers and partners.