Dawn Hall, RN Consultant with Joint Commission Resources and a 30-year veteran of clinical and hospital leadership, took the main stage at Green Security's Trust Summit on June 10th, 2026 to answer a question most healthcare organizations dance around: are you actually prepared for a vendor-related survey finding — or just hoping nothing goes wrong?
The session opened not with frameworks, but with headlines.
In 2024, a nationwide cyber attack disrupted a major U.S. health system after vendor access went uncontrolled. The same year, bad actors posing as legitimate providers gained unauthorized access to patient records because identity verification was weak. And in 2025, a New York City hospital's failure to manage contractor compliance with infection control protocols resulted in a Legionnaires' disease outbreak, and in deaths.
The lesson, Hall said, was the same in each case: vendor access must be tightly controlled, continuously monitored, and documented well enough to prove it during a survey.
The Regulatory Stakes Are Higher Than Most Realize
Hall walked attendees through the Joint Commission and CMS standards governing vendor and contractor management — a set of requirements she acknowledged can feel vague but carry consequences that are not.
At the CMS level, organizations are required to screen every vendor against the OIG and GSA federal exclusion lists, just as they do for their own staff. That screening cannot be a one-time exercise. And if a vendor's contract assigns screening responsibility to the vendor itself, the hospital is still accountable for verifying it was done. "You will not be absolved," Hall said plainly.
The financial exposure is real: failing to meet CMS vendor requirements can trigger loss of Medicare reimbursement, plus fines and penalties that fall on the organization.
From the Joint Commission's perspective, the standard most frequently cited in physical environment findings is NPG 11.01.01.01 — which governs managing security risks and specifically requires a risk-based approach to vendor management. That means risk assessments, ongoing monitoring plans, and documentation that can be produced quickly when surveyors ask for it.
The Gaps Surveyors Find Most Often
Hall shared findings pulled directly from survey reports. The patterns are consistent, and they are avoidable.
- Expired credentials. Organizations unable to produce documentation that background checks, health screenings, or immunizations were completed before a vendor began working on-site. The credentials existed at some point; they just weren't maintained.
- Point-in-time verification only. Credentials checked once, never revisited. For exclusion list screening in particular, ongoing monitoring is explicitly required, not optional.
- Manual systems that can't keep up. Spreadsheets, email threads, and department-owned logs create the worst possible situation during a survey: multiple people scrambling to reconstruct records, with missing pieces and conflicting information. "Surveyors expect to see a cohesive, traceable record of compliance — not scattered evidence."
- No real-time visibility of vendors on-site. When a physical environment engineer asks "who is in your building right now?" the answer cannot be a handwritten sign-in sheet. Those logs are incomplete, easily bypassed, and often missing checkouts entirely.
- Disconnected systems. When credentialing data lives in one place and badge access lives in another, vendors can retain building access after contracts end or individuals are terminated. This showed up in survey findings as recently as last year.
- Inconsistent enforcement across departments. The OR has strict controls. Other departments don't. "This creates uneven enforcement that surveyors interpret as a systemic failure." Hall drew from her own experience as an ICU nurse: someone walking onto the unit to fix a bed wouldn't necessarily have been questioned. That's a gap, and it belongs to staff culture as much as policy.
- Failure to govern who actually owns this. Shadow vendors, brought in outside the formal process, remain one of the most common findings. When no single function owns vendor management end-to-end, pieces fall through.
What Best Practice Looks Like
Hall outlined the practices that distinguish organizations that consistently pass surveys from those that struggle with repeat findings.
Centralize everything.
A single, documented vendor management program with approved policies, defined ownership, and standardized workflows for onboarding, monitoring, and off-boarding. One record per vendor, not records scattered across five departments.
Tier your vendors by risk.
Not every vendor requires the same scrutiny. Classify vendors as high, medium, or low risk based on their access to patients, PHI, and systems. Apply controls accordingly. A vendor who never steps on-site and has no system access is a fundamentally different risk profile than a contractor working in a sterile environment.
Use a standardized credentialing checklist.
Hall's recommended baseline: government ID verification, OIG/GSA exclusion screening, licensure and certification verification, required training (HIPAA, infection control, safety protocols), immunizations for patient-facing vendors, and signed policy acknowledgments. An advanced practice layer adds vendor badges with built-in expiration dates — removing the risk of credentials staying active indefinitely.
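The "disconnected systems" finding above and the expiring-badge practice in this checklist both reduce to one control: reconcile the credentialing record of truth against the badge-access system on a schedule and flag anything that has drifted. The script below is an added example for this article, not Green Security's product and not a tool Hall presented; the vendor register, badge export, field names, and the per-tier re-screening intervals are constructed assumptions for illustration, not CMS or Joint Commission requirements.

```python
"""Reconcile a vendor credentialing register against a badge-access export.

Added illustration for this article. It flags the drift surveyors cite:
active badges for ended contracts, badges with no built-in expiry, expired
credentials, overdue exclusion re-screening, and badges with no credentialing
record at all. All data and field names below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    risk_tier: str                 # "high" | "medium" | "low" (assumed tiers)
    contract_end: date
    credentials_expire: date       # earliest expiry across immunizations/training
    exclusion_screened_on: date    # date of the last recorded OIG/GSA check


@dataclass(frozen=True)
class BadgeRecord:
    badge_id: str
    vendor_id: str
    active: bool
    expires: Optional[date]        # None = badge has no built-in expiry


@dataclass(frozen=True)
class Finding:
    subject: str                   # badge or vendor id the finding is about
    code: str
    detail: str


# Assumed re-screening cadence by tier; a real program sets this in policy.
RESCREEN_DAYS = {"high": 30, "medium": 90, "low": 365}


def reconcile(vendors, badges, today):
    """Return findings wherever badge access and credentialing disagree."""
    by_id = {v.vendor_id: v for v in vendors}
    findings = []
    for b in badges:
        if not b.active:
            continue               # deactivated badges carry no access to review
        v = by_id.get(b.vendor_id)
        if v is None:              # a "shadow vendor": access with no record
            findings.append(Finding(b.badge_id, "orphan-badge",
                                    f"active badge for unknown vendor {b.vendor_id}"))
            continue
        if v.contract_end < today:
            findings.append(Finding(b.badge_id, "contract-ended",
                                    f"{v.name} contract ended {v.contract_end}"))
        if v.credentials_expire < today:
            findings.append(Finding(b.badge_id, "credentials-expired",
                                    f"{v.name} credentials expired {v.credentials_expire}"))
        if b.expires is None:
            findings.append(Finding(b.badge_id, "no-badge-expiry",
                                    f"{v.name} badge never expires"))
        elif b.expires > v.contract_end:
            findings.append(Finding(b.badge_id, "badge-outlives-contract",
                                    f"badge expires {b.expires}, contract ends {v.contract_end}"))
    # Exclusion screening is ongoing, so check cadence for every vendor,
    # badge or not.
    for v in vendors:
        age = (today - v.exclusion_screened_on).days
        if age > RESCREEN_DAYS[v.risk_tier]:
            findings.append(Finding(v.vendor_id, "rescreen-due",
                                    f"{v.name} last screened {age} days ago ({v.risk_tier} tier)"))
    return findings


# Constructed sample data; no real vendors or badges.
VENDORS = [
    VendorRecord("V-100", "Sterile Processing LLC", "high",
                 date(2026, 12, 31), date(2027, 1, 15), date(2026, 5, 20)),
    VendorRecord("V-200", "Bed Repair Co", "medium",
                 date(2026, 3, 31), date(2026, 9, 1), date(2026, 1, 10)),
    VendorRecord("V-300", "Imaging Support Inc", "high",
                 date(2026, 12, 31), date(2026, 5, 31), date(2026, 4, 1)),
]
BADGES = [
    BadgeRecord("B-1", "V-100", True, date(2026, 12, 31)),   # clean
    BadgeRecord("B-2", "V-200", True, None),                 # ended contract, no expiry
    BadgeRecord("B-3", "V-300", True, date(2027, 3, 1)),     # expired creds, badge too long
    BadgeRecord("B-4", "V-999", True, date(2026, 8, 1)),     # no credentialing record
    BadgeRecord("B-5", "V-100", False, None),                # deactivated, ignored
]


def run_example(today=date(2026, 6, 10)):
    return reconcile(VENDORS, BADGES, today)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.subject:6} {f.code:24} {f.detail}")
```

Run nightly against exports from the credentialing system and the physical access control system, and keep the output: a dated, empty findings report is exactly the "cohesive, traceable record" a surveyor asks for, and a non-empty one is the work queue for the owner of the program.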
Require check-in and check-out.
Every vendor, every visit, through a kiosk or managed system. Visible ID badges. Access limited to approved locations at approved times. A complete log of who went where and why.
Build accountability into contracts.
Scope of services is a minimum requirement. Best practice goes further: HIPAA and CMS compliance requirements written into the contract language, defined KPIs (service quality, response time, safety incidents), reporting timelines, audit rights, and a termination clause for non-compliance. For high-risk vendors, quarterly performance evaluation. For others, annually — and document it.
Train your staff, not just your vendors.
Policies only work if the people enforcing them know the rules. Hall was direct: clinical staff need to know it is their responsibility to question a vendor without a visible badge, to know where to verify credentials, and to know how to report concerns.
A Recognition Worth Pursuing
Hall closed with a note on the Joint Commission's "safest practice" program — a formal designation for organizations that demonstrate leading practices in an area. Vendor and visitor management is one of the domains where that recognition is available.
For healthcare organizations that have done the work to build a real vendor governance infrastructure, Hall's message was clear: make sure surveyors can see it. A safest practice designation is not just a credential — it signals to the broader healthcare community that your organization takes third-party risk seriously before something goes wrong.
Dawn Hall presented at the Green Security Customer Summit '26 in her capacity as an RN Consultant with Joint Commission Resources. This article summarizes key themes from her session for distribution to Green Security customers and partners.