In recent years, hospital leaders have taken a closer look at ways to control access to their facilities for decidedly different security purposes.

To better enforce supply chain protocols, reduce costs and improve patient safety, many organizations began more clearly defining policies about direct vendor access to surgeons in the OR and how to optimize credentialing protocols for vendor sales representatives.

At the same time, many health care organizations started taking a harder look at how to best manage visitor access at all hours in a way that would ensure patient and staff safety while still providing loved ones the ability to visit patients freely.

What hasn't been well-known as these events have unfolded is what specific strategies, policies and technologies hospitals and health systems have put in place to try to deal effectively with these two unrelated, yet often complex, security and policy matters.

So where does the industry stand today?

Tighter control over vendor and visitor access is becoming the standard among hospitals, according to the first-ever survey of Health Facilities Management and Hospitals & Health Networks readers on this topic.

The online survey, completed by 824 respondents across all 50 states (13.1 percent of those polled), revealed that nearly 86 percent of respondents have a formal vendor credentialing program. Of the 14 percent of respondents without a formal program, 35 percent said they would very likely or somewhat likely be implementing one in the next 12 months. Only 30 organizations said they had no plans to implement such policies.

"When looking at vendor access, it is a cost-control issue and a quality issue," says Dale Montgomery, vice president of support services for Hays (Kan.) Medical Center and a survey respondent.

Compliance was the biggest driver in setting formal policies around vendor access, according to respondents. Sixty-three percent of those with a vendor credentialing policy cited compliance with Joint Commission and/or Centers for Disease Control and Prevention as primary drivers. And nearly 56 percent said compliance with laws and regulations was a primary driver.

The Joint Commission requires hospitals to identify individuals entering facilities and their purpose (under EC.02.01.01, Element of Performance No. 7). However, the Joint Commission leaves it up to hospitals to determine the details of identification. The standards-setting organization has additional expectations for nonlicensed, nonemployees who have a direct impact on patient care, such as health care industry representatives. These expectations include making sure infection control and informed consent protocols are followed and that patient safety and patient privacy are protected.

"Like many Joint Commission standards, you have to have a plan in place and follow that plan," says Tim Adams, FASHE, CHFM, CHC, director of leadership development at the American Society for Healthcare Engineering, which participated in the survey research along with the Association for Healthcare Resource & Materials Management (AHRMM). IntelliCentrics, Flower Mound, Texas, sponsored the survey.

Tighter supply management

Supply chain management was also a big driver in setting formal policies on vendor access, according to the survey. Half of respondents with vendor credentialing policies — more than 400 organizations — cited supply chain management as a primary motivation in setting vendor credentialing policies.

In comments, some respondents said formal policies mean that vendors have more limited access to physicians to sell products not first vetted by materials management. Others said that the policies meant fewer products brought into operating rooms without prior approval. Another respondent cited a more effective product recall process as a benefit.

Hays Medical Center requires vendors to call ahead to the materials management department before entering the facility. The medical center uses a vendor management software program to track preapproved vendor check-ins and check-outs and obtain temporary ID badges. Vendors who are at the facility frequently must be credentialed, which includes training on patient privacy laws and regulations. If vendors don't comply with the rules, that information can be entered into the vendor access management database and vendors can be denied access.

The policies "give us the ability to negotiate prices through the supply chain," says Montgomery. "We can do evidence-based research on products and then make purchasing decisions based on cost and quality."

These discussions happen at monthly continuous quality improvement committee meetings. "It allows everyone to have input before making a purchasing decision," Montgomery says. That is a big change from the days when vendors could walk into the facility unannounced and cut deals with individual physicians. "In the distant past, they could go to a physician and that physician would order something for one procedure," he adds. "The item would then come into the loading dock and we would have no idea where it was supposed to go."

For many other hospitals, supply chain management seems to go hand-in-hand with patient safety when it comes to crafting policies on vendor access. More than half of respondents with vendor policies in place cited patient safety and privacy and a safer environment as primary motivations in instituting formal policies on vendor access.

There's a careful balancing act when it comes to hospital access, says Florence Doyle, vice president of strategic sourcing at CHE Trinity Health, an 82-hospital Catholic health system based in Livonia, Mich., with a divisional office in Newtown Square, Pa. Doyle is also an AHRMM board member.

"One of the challenges of a hospital environment is you have to control your access, but it is a public place, in essence, and there are a lot of people coming in and out," Doyle says.

She adds that "vendors need to be managed, recognizing that we live in a world where there are many vendors, and business relationships are key."

Administering policies

Catholic Health East and Trinity Health merged on May 1, 2013. The new organization, CHE Trinity Health, operates across 21 states. Between the two legacy organizations, access is an area that will have to be reviewed.

In contrast, Intermountain Healthcare, a 22-hospital system based in Salt Lake City, has standardized vendor and visitor access policies, says Brent Johnson, vice president of supply chain and support services. Johnson is also an AHRMM board member. A centralized system works for Intermountain, because it allows for clear communication with staff and vendors about policies throughout the organization, he adds.

Policies around vendor and visitor facility access were almost evenly split between the corporate/system level and individual level, according to the survey. While 45 percent of respondents said these policies are created and enforced at the corporate/system level, 44 percent said they were created and enforced at the individual hospital level. Vendor credentialing policy development was split slightly less evenly (44 percent at the corporate/system level compared with 32 percent at the individual hospital level).

Popular components of vendor credentialing included: HIPAA training; immunizations; competency; liability insurance; and national criminal background checks. More than half of respondents (53 percent) used a third-party credentialing company, while just 14 percent of respondents said they created their own credentialing program. Half of respondents said they relied on other hospitals when crafting their policies.

Larry Higgens, regional director of supply chain for the Premier health care alliance, represents eight hospitals in Eastern states. He says that the contracting credentialing service ensures that vendors have the proper requirements to enter individual facilities, such as annual flu shots and HIPAA training. The credentialing service is integrated with vendor access software programs so hospital staff can see right away if a particular vendor is up-to-date on his or her credentials.

"You've got to control who is coming into your house," Higgens says of vendor access. "It protects the hospital."

Having an assigned point of contact for vendors is a key component for nearly all hospitals in the survey, with 91 percent saying they have this policy. Other common policies included formal check-in and check-out procedures; written standards and policies; internal compliance programs; and staff training on enforcement.

But nearly 250 hospitals reported no formal check-in process for nonvendor visitors (35 percent of respondents). A little more than a quarter of respondents required check-in at all hours for nonvendor visitors and another one in five required check-in but only at certain times. Meanwhile, the process for nonvendor visitors also varied widely. While 39 percent of respondents issued a temporary pass or badge, another 35 percent required sign-in at registration and 16 percent required visitors to show photo IDs, according to the survey.

It's not surprising to see such variation across systems and facilities, says Adams of ASHE. "All organizations need to be mindful of security and risk," he says. "But there are differences depending on location, geography and size of the organization."

A small hospital in a tightly knit rural community would naturally have different policies around visitors than a large urban center, he says. "I've seen facilities where anyone from the outside community sticks out," he adds.

Policy matters

The type of organization also matters when crafting policies and procedures, some interviewed said. For instance, Jack Hughston Memorial Hospital in Phenix City, Ala., is a physician-owned hospital. Dave Welch, director of materials management, says physicians have close and long-standing relationships with vendors, and its vendor access policy was revised about two years ago with more enforcement mechanisms.

Most vendors require an appointment to gain access to the facility and must check in with the front lobby as well as check in and out with the vendor management kiosk, Welch says. However, a select few vendors have a special photo ID badge similar to staff badges and are not required to have appointments or check in at the front lobby. There are 12 individuals with this elite status and they are typically at the facilities on a daily basis and require 24-hour access. They have gone through vendor credentialing and have signed contracts with the hospital and primarily require access to the operating room, Welch says.

Enforcement of vendor policies is a hot topic, according to those interviewed for this article. More than 200 organizations in the survey described implementation and enforcement of vendor credentialing policies as a "major challenge." And 72 percent of respondents said vendors "usually" comply with policies, while just 10 percent checked "always" for compliance. Another 14 percent said compliance happens "half the time."

Johnson says the Intermountain system has a 95 percent compliance rate from its 2,100 vendors registered, largely due to formal check-in policies, staff training and communication. "Our own employees will question people walking around without badges," Johnson says. "They are our best enforcers."

Montgomery of Hays Medical Center says the facility has a two-strike policy banning vendors who don't comply with check-in and credentialing policies more than once. Higgens of Premier says his hospitals have a "donation" policy where unapproved medical devices and other equipment used at facilities won't be reimbursed. "You only have to do that once or twice for people to get the message," Higgens says.

Enforcement depends on everyone being on the same page, those interviewed say. "You've got to make sure all stakeholders understand the 'why' of it," says Doyle.

Rebecca Vesely is a freelance health care writer based in San Francisco and Suzanna Hoppszallern is senior editor of data and research for Health Facilities Management's sister publication, Hospitals & Health Networks.

Sidebar - About this survey

Health Facilities Management (HFM) and Hospitals & Health Networks (H&HN) magazines, in conjunction with the American Society for Healthcare Engineering and the Association for Healthcare Resource & Materials Management, surveyed a random sample of 6,278 hospital supply chain directors, materials managers, facility managers, security directors and others to learn about trends in vendor and visitor access. The response rate to the survey was
13 percent, or 824 completed surveys.

HFM and H&HN thank the sponsor of this survey, IntelliCentrics, Flower Mound, Texas.
Sidebar - Technology facilitates change in managing access

Technology is a game changer in managing vendor and visitor access to health care facilities. The question is how far organizations will take it to track the movements of people inside their doors, experts say.

Nearly three-fourths of respondents to the 2013 Health Facilities Management/Association for Healthcare Resource & Materials Management/American Society for Healthcare Engineering Vendor and Visitor Access Control Survey, or more than 500 organizations, said they use a vendor management system to screen, badge and track every vendor. And 38 percent of respondents said they use a visitor management system to screen, badge and track every visitor.

Sixty-nine percent said they have an integrated security system such as video surveillance, access control, alarms and intrusion detection. And 12 percent said they capture video of visitors at check-in.

While vendor management systems have been around for about eight years, only in the past few years have they been widely adopted at health facilities, says Lisa Pryse, president of the International Association for Healthcare Security and Safety and president and chief of company police at ODS Healthcare Security Solutions in Richmond, Va.

Typically, vendors check into a facility at a kiosk, which verifies that the individual is prescreened and authorized to visit the facility. The kiosk also issues a temporary photo ID badge for the day. The systems usually are available to health care facilities at no cost and are funded via fees for vendors to have their credentials stored in the software systems.

"These systems have just widely started to come online," says Pryse.

The reason is partially due to word of mouth. Indeed, 52 percent of respondents to the Vendor and Visitor Access Control Survey said they consulted other hospitals when crafting their vendor credentialing policies.

Greg Goyne, vice president of marketing at IntelliCentrics, Flower Mound, Texas, which offers a vendor management system solution and underwrote funding for the survey, says in the near future, such products will be more and more integrated. The company recently released a mobile app that allows vendor representatives to do secure facility check-in directly from their smartphones instead of requiring them to use a kiosk.

"Hospitals have a duty to provide a safe environment, not only for their patients, but also for their employees and the communities they serve," Goyne says. "Moving forward, we're going to see more integrated credentialing systems that not only help verify who people are, but also provide real-time monitoring to ensure compliance with facility requirements in real time."

Examples of hardware integration include security cameras, biometrics and fingerprint readers.

Integration is the name of the game today, agrees Joseph Bellino, system executive of security and law enforcement services at Memorial Hermann Health System, a 13-hospital system based in Houston with about 5 million visitors each year.

Memorial Hermann is considering integrating its vendor credentialing and access system with check-in processes for other people coming through its doors, such as construction workers and patient visitors.

"That would allow us to have a database that is more robust," Bellino says. So, for instance, if a hurricane or tornado struck one of its facilities, officials could know exactly who was on-site at the time of the disaster, he says. ID management programs can be added that connect with electronic health records so as soon as a patient is discharged from a facility, any visitors for that patient would be notified and could be denied access.

Other technologies include systems that read bar codes on drivers' licenses. So, a visitor would swipe his or her driver's license when checking in to visit a patient.

"This gives us authentication from another reliable source," Bellino says.

Video surveillance and video capture also are becoming more commonplace in health care facilities, Bellino and Pryse say. Memorial Hermann facilities post signs in areas with video monitoring to let people know the cameras are there.

"Generally, it acts as a deterrent," Bellino says. "And most people these days understand wherever you go, you are being monitored."

These systems can help to identify suspects if an incident or attack occurs. And video management systems with analytics can alert security teams to concerning behavior, like a package or briefcase left unattended for too long, Bellino says.

Pryse says she would like to see more use of video capture and surveillance, especially in areas that tend to have less foot traffic.

"From a safety standpoint, there are a lot of materials that are hazardous or dangerous at loading docks," she says. "It is often the least monitored and the most accessible area."

At most health facilities, gone are the days when a paper log of visitors was sufficient. With all this new technology comes an even trickier balancing act between safety and access.

"We need security to keep people safe, but also [to] retain a high degree of customer service and patient satisfaction," Bellino says.