In this episode, Monica Chmielewski, vice chair of Foley’s Health Care Practice Group and Shannon Sumner, Chief Compliance Officer and Nashville’s Office Managing Principal of PYA explore how supply chain compliance is affecting the health care industry and share the risks and penalties associated with not being in compliance.
Please note that the interview copy below is not verbatim. We do our best to provide you with a summary of what is covered during the show. Thank you for your consideration, and enjoy the show!
Angie Caldwell
Hello and welcome to the Let’s Talk Compliance podcast series of Health Care Law Today presented by Foley & Lardner and PYA. I’m your co-host, Angie Caldwell, consulting principal of PYA.
Jana Kolarik
And I’m your other co-host, Jana Kolarik, a partner in Foley’s Health Care Practice Group. We’re excited to have you join us today. Before we begin our show, we want to remind you to subscribe to Health Care Law Today, either on iTunes or your preferred podcast app. Please visit healthcarelawtoday.com or pyapc.com. For today’s show, Monica Chmielewski, vice chair of Foley’s Health Care Practice Group, and Shannon Sumner, chief compliance officer and Nashville office managing principal of PYA, explore how supply chain compliance is affecting the health care industry and share the risks and penalties associated with not being in compliance. I’m going to turn it over to Monica and Shannon to introduce themselves.
Monica Chmielewski
Thank you, Angie and Jana, again for that warm welcome and introduction. As mentioned, my name’s Monica Chmielewski, and I am a partner with Foley & Lardner in our Chicago office and vice chair of the health care practice group. Shannon, I’m excited to be here today to speak with you regarding supply chain compliance, specifically in relation to the health care industry from both the provider and really the manufacturer and vendor side. I think as most people are painfully aware, the health care industry is one of the most regulated industries out there, and there are numerous laws, regulations and compliance considerations that affect hospital and health system supply chain operations that, in my experience, a lot of vendors and manufacturers unaccustomed to conducting business and transactions with health care entities really aren’t aware of, and the risks of noncompliance with the health care laws carry with them certain penalties. And because of that, we see health care entities implementing, or they should be implementing, various compliance and risk-based systems to help identify issues and address compliance. And I’m really excited to hear your thoughts on what you’re seeing and how you’re advising clients in this area.
But I thought before we jump specifically into that, I might provide a real quick overview of some of the laws and regulations that may be a bit more unique to the health care industry so that we can then understand, okay, what do you do in terms of a compliance program, mitigation risk assessment? How do entities address that and implement it?
To start with, as a real high-level overview, the health care industry is subject to numerous laws including the federal Anti-Kickback Statute. And individual states often have their own individual state kickback statutes, or all-payer statutes. There’s the Stark Law, there are numerous privacy laws including HIPAA and individual state laws addressing privacy and cybersecurity, and there are laws addressing transparency and reporting as well. And each of those laws needs to be complied with by health systems when they are entering into transactions with vendors and manufacturers.
The Anti-Kickback Statute is probably the most known of the laws, and significantly it is a criminal law that essentially prevents kickbacks, just like it sounds. It prevents a knowing or willful payment to induce or reward patient referrals or the generation of business. Now, there are numerous safe harbors or exceptions that health systems will often require vendors to fit transactions within, including exceptions addressing discounts, rebates and the provision of warranties; there are laws and regulations for each.
There’s the Stark Law, which is similar in vein to the Anti-Kickback Statute in that the Stark Law essentially prohibits, again, improper transactions and arrangements for the referral of certain business, including the receipt of products, between entities that are owned in part by physicians and health care providers. And then there are various data and privacy considerations as well. And we’re seeing those impact supply chain arrangements and agreements in many ways, including in relation to the products that are bought and acquired. Many products these days, whether it’s equipment or even medical devices, have the ability to collect and transmit protected health information, data and other information. And so because of all of these laws, we really see health systems trying to implement various compliance programs and require vendors to really adhere to protocols regarding risk assessments and implementation of the risk assessment protocols. But I’m going to pause there and ask Shannon, what are you seeing in terms of common compliance issues? How are you advising your clients to help put in place compliance programs, risk mitigation strategies in relation to data and supply chain compliance, and really best practices right now?
Shannon Sumner
Well, Monica, it certainly is a pleasure to speak with you on this subject. As you’ve mentioned, certainly all the laws that you have discussed historically have been that main catalyst for supply chain or third-party risk mitigation through strong compliance programs. But really the health care industry, as you mentioned, is no stranger to third-party data breaches recently, supply disruptions, COVID, and increased scrutiny surrounding access to and disclosure of protected health information. So it’s really that perfect storm. And in our experience when we ask our clients the top risks that keep them up at night, making the top three, I would say certainly cybersecurity and breaches, but when we do a deeper dive, it’s really that third-party risk management and all the things that you’ve talked about related to supply chain.
So historically over the years, we’ve really thought about supply chain as really kind of procurement of goods and services. But really when you look at the broad spectrum of entities and relationships that health systems have, it’s more than just getting in those drugs and those other types of medical supplies. It’s really those individuals and groups and companies that you’re doing some type of partnership with. And really keep in mind really this enhanced emphasis on not just data security, but also supply chain risks really is coming on the heels of COVID where we all experience those supply chain shortages, whether it’s ventilators, protected health equipment, even saline. I think that exposed those vulnerabilities when we rely on third-parties.
So as it relates to a really strong risk mitigation function, compliance function, we are starting to see that evolution of what’s called third-party risk management programs within an organization. So it’s very, very closely tied to enterprise risk management (ERM), but it’s not the same. It’s a component of ERM, but it’s a very strong impactful component now that we are starting to see more and more of these relationships.
So as we think about what a third-party risk management program really is, it does extend beyond that traditional procurement and vendor assessment, but it is starting to encompass the more holistic approach that incorporates governance, risk management, compliance and legal across that entire life cycle of third-party relationships. So if you think about onboarding a new provider, a new service, a new company, ongoing monitoring and offboarding. But really, when we think about all the things that you mentioned, not just from the legal perspective, the laws and the new regulations that are coming onboard, what are some of those other key drivers where risk related to third-parties is escalating?
You can kind of pinpoint, and these are some of the things that we hear when we talk to our clients when we do the compliance assessments, that during the recession, we think more organizations are starting to push those businesses out to third-parties for cost reduction purposes. The price of health care data is rising in the open market or on the dark web. If you think about all the things that are out there, I don’t even want to go there today, but how many health care organizations don’t have those internal resources to address it, and they really need some trusted partners to help certify, host, maintain and support those health IT systems with really those modern cybersecurity capabilities, especially the rural providers. We’re not going to get into cybersecurity 101, but that’s really one of the big drivers for some of these risks escalating.
And then really the U.S. Department of Justice (DOJ) has actually come out with additional guidance on evaluation of corporate compliance programs on third-party risk management. And certainly with that combined with all the laws and regulations you just mentioned, I think it’s just ripe. It’s ripe for really thinking through do you have those proper channels, those proper risk mitigation strategies related to mitigation of vendor supply chain and third-party risk. But I’d really like to hear a little bit more about maybe some of the things that you’re seeing and how you’re advising your clients in terms of mitigating some of that risk.
Monica Chmielewski
Yeah, absolutely. And I think you’ve really identified some of the key issues that health system providers are facing in relation to this. And before I go into some things I’ve seen, I think one thing that you’ve said really struck me and resonated with me as a best practice in terms of these third-party risk management programs is the interaction of the governance, the risk management, compliance and legal. I think all of those are key components where if you leave out one component, if you don’t have a good process and communication chain, that leaves I think a system, a health care provider vulnerable for these compliance issues. And I think one of the things that we’re seeing and a lot of what we’re advising our clients as they are implementing or revamping their third-party risk management programs is, what is the scope of the program?
So when you are trying to address the supply chain challenges, and Shannon, as you mentioned, COVID, there’s product shortages. How are we going to be able to acquire products? We, right or wrong, saw a number of entities acquiring products from different channels, including from overseas vendors that maybe they had not fully vetted to see, is this an entity that is able to comply with U.S. regulations? Do they have proper cybersecurity policies in place? Are they going through the proper IT reviews? Does the product that we’re acquiring have all of the regulatory approvals that you need to actually market and sell a product within the United States? Have they received the appropriate U.S. Food and Drug Administration (FDA) clearances or approvals, depending on whether it’s a drug or a device, and where are they getting it from?
And then even taking a further step, say you’re going through the process where you are vetting the vendors that you’re going to be working with, what about their subcontractors? Are they outsourcing? Is the vendor that you’re contracting with outsourcing to a company that is ex-U.S. that’s going to be handling data? Unfortunately, we saw a few cases where the vendor that had been contracted with then had a subcontractor who performed remote maintenance services on various medical devices and equipment within hospitals. Well, the equipment and devices that they performed remote maintenance on, of course, housed protected health information (PHI). That third-party subcontractor had not been vetted, they didn’t go through the IT reviews, and data breaches resulted. And so that leads to compliance issues.
So we’ve been advising clients to really take a look at their current third-party risk management programs, if they have one, if they don’t, to really implement one and to ensure that while understanding that there’s time pressures, it really should encompass legal compliance risk and have a solid governance structure. Because I think a hurdle of compliance is speed. There’s needs behind acquiring the products, getting the services in quickly. There’s patient need and patient demand. And so you have to have a program where you should be able to do these risk assessments and vetting quickly and efficiently because otherwise the potential penalties of non-compliance, not only from a potential criminal standpoint, from monetary penalties, but there’s also potential patient harm and reputational issues as well that these systems are facing.
Shannon Sumner
Yeah, some of the things that you just mentioned related to speed, certainly the speed of getting in a supplier, or even the fact that we’ve seen, as recently as today, some organizations, some health systems, are actually having to stop some of their surgeries because they do not have the physicians, the anesthesiologists, to actually provide those services. So when we think about the supply chain and speed of services, it’s also those providers that we work with every single day. They’re also challenged with maybe some staffing shortages, so that will have a ripple effect on your organization.
And so as you think through what that third-party risk management program looks like, it’s really thinking about who’s involved, making sure you do have the right individuals involved in that program. And so certainly just from a legal and compliance perspective, yes, you do have to still operate as an organization, but you can’t bypass certain elements of successful internal control processes on reviewing the contracts, making sure those terms that you just mentioned about certain providers are there, particularly offshoring, and that’s one area I do want to talk a little bit about. Sometimes it’s pretty clear that you have a relationship with an individual or a group or services or a company that’s outsourced, but sometimes you don’t, and that’s where having a really strong third-party risk management program can help you really identify those elements and those processes that may not necessarily be so clear that they’re offshored.
And so when we think about what are some of those commonly offshored services, well, certainly audit can be, we see internal audit, external audit, billing, coding, payment posting, call centers. I mean, how many of us have actually called maybe personally to an organization and it truly is offshoring, data storage, utilization review, transcription. So a lot of those areas can certainly be hidden in some of those master services agreements that you might have.
But thinking about really the first step in having that comprehensive third-party risk management program is thinking about, what’s our inventory? So who are we actually utilizing from a third-party service? And some of those examples that we have, worked with clients, it relates to what you said earlier, medical device manufacturers, IT service providers, telehealth platforms, electronic health records, cloud service providers, third-party administrators. I mean, the list can go on and on. Even your marketing and your website service providers, lab services, supply chain, the list goes on and on.
And so when you think about having that multi-disciplinary approach to third-party risk management, you really want to think about who is going to be on a committee, those individuals that really should be part of that committee structure. So what we’ve seen, it’s internal audit, compliance, legal, quality, risk management, supply chain; it’s really looking at those processes that are very significant to your operations and thinking about some of those subject matter experts. Also, if you’re outsourcing management of a service line, for example, do you have the right individuals involved in evaluating those processes?
So when we think about what that committee’s roles and responsibilities would be, it’s really overseeing what we call a third-party risk management life cycle. And Monica, you had touched on this earlier, but it really starts with that onboarding, initiating that relationship with the vendor, including the appropriate legal and due diligence review in establishing that contract. It’s that risk assessment. It’s evaluating potential risks such as compliance, financial, operational. So when we talked earlier about enterprise risk management, it’s ensuring that that component is also factored into the roles and responsibilities of that committee.
We also talk about the next phase of monitoring, which is that ongoing oversight of that relationship. And before I came back to PYA, one of my career points was serving internal audit. And we did a great job of having some amazing contracts, but sometimes, quite frankly, they would fail upon execution and so that’s where I think having this really strong internal audit component to ongoing monitoring and auditing of those specific contract and those contractual requirements. And that does include that performance evaluation, so really looking at those vendor deliverables, those service levels against those expectations.
And then unfortunately, sometimes you have to think about off-boarding. What happens when you terminate that relationship or it just comes to its natural conclusion. Where do a lot of those risks lie once you have off-boarded that particular vendor?
So one area that we work very closely with Monica, with legal counsel is really looking at from a due diligence perspective. So when we think about, okay, we know we have this service, we know we need to possibly outsource this service or partner with a third-party, these are some of the elements that we work with law firms specifically, but wanted to get your perspective, but we look at have they had any particular data privacy breaches in the past? Are they under a corporate integrity agreement? Are they on the watch list? Have they had any type of settlement arrangements, any cybersecurity incidents, or now there’s security ratings that actually are real-time related to an organization’s infrastructure for managing and maintaining information security. We look at conflicts of interests. We look at the compliance program for an organization. If you’re partnering with an organization, do they have a strong compliance program? When was the last time it was audited? And do you have any information regarding that?
And then finally, a couple of other elements related to financial and operational stability, as well as a basic blocking-and-tackling one: are they an excluded provider for participation in government programs?
But Monica would love to get your perspective in terms of when you all get involved with your clients, what are some of the things that you’re helping them in terms of vetting third-party risk?
Monica Chmielewski
Absolutely. And you’ve absolutely touched on the key things. And one, before I go into what we’re helping them vet, what you said regarding a contract failing upon execution, I want to highlight that; that is critical. You can have, and we’ve seen clients have, phenomenal contracts with wonderful terms and conditions that address third-party vendor compliance with most of the applicable laws. The Anti-Kickback Statute, it will fit within the discount safe harbor. It will address HIPAA, it will address individual state laws. For example, California has its own very strict privacy law, the California Consumer Privacy Act (CCPA), which is not too dissimilar to the General Data Protection Regulation (GDPR). Will it address cybersecurity? You can have that wonderful, seemingly airtight contract, but if an entity has not done the proper diligence on the vendor prior to entering into that contract, the contract is potentially going to be breached by the vendor the moment it is executed.
Because if a vendor will sign a contract but doesn’t actually have the ability to comply, potentially you have an argument for breach. But what’s that going to get you? Because the damage has been done. So Shannon, to your point, what we really help clients with, and what we see as a main focus in terms of performing diligence on vendors, are exactly the things that you highlighted in terms of non-exclusion. Has the vendor ever been excluded? Do they have a process in place where they perform exclusion checks for their employees? Are they party to a corporate integrity agreement that relates to auditing? These types of things are important, especially with respect to health care entities, because if a health care entity actually contracts with a vendor that’s been excluded from participation in any health care program, the health care system itself could face penalties for contracting with an excluded entity.
HIPAA privacy and cybersecurity is an extremely important part of the due diligence, making sure that the vendor goes through a health system’s standard IT review for security purposes, and again, the vendor and their subcontractor, because again, we could have wonderful terms and conditions in the contract that address compliance and require compliance with national and international privacy laws, but if a vendor doesn’t have those capabilities and there’s been a breach and leak of data, again, there are damages there. You can potentially have breach of contract claims, but the damage has been done. So having this robust risk management program is really important. And the due diligence stage is, I think, one of the most critical.
And I think one thing that we’ve advised clients when we’re helping put these programs together is to engage and involve key stakeholders who are going to help promote the value and the necessity of these programs. We often see, and we’ll use as an example, a system where you’ll have physicians, key opinion leaders, who want a certain medical device manufacturer to be on contract. They want items that are brought into the operating room (OR), they’re trying to push the items through because they may be, I don’t know, physician preference items, something like that.
But if the vendor itself has not been vetted and gone through the standard supply chain process, which really should be encompassed, Shannon, as you pointed out, in this overall third-party vendor risk program where it goes across different disciplines, that vendor, use of that equipment that’s been brought in, or use of those services could pose potential liabilities for the health system. And if an entity is able to involve some of these key opinion leaders, these physicians, as key stakeholders in this risk program, this risk assessment program, those individuals really help in promoting the program and are really supportive in helping their colleagues and the other employees and contractors within the health system embrace and understand the importance of this risk management program.
And in addition to that, it’s also providing education on what the program is intended to do and why it’s important and how it actually helps the entire health system. And because we’re talking about health systems, how it’s really designed to further help patients and ensure patient safety, whether it’s safety in terms of use of a product that you’re acquiring, or protection against data breaches, protection against your personal information being disseminated. Having a way to introduce or socialize or re-educate individuals within an organization as to the function, the purpose, and the importance of this third-party vendor risk mitigation program really goes a long way, from what we’ve seen, to ensuring compliance and ensuring that individuals pause when they want to engage in bringing in a third-party service provider. Are you going to outsource operation of billing? Do you want to engage a new telehealth platform? Are you thinking about the IT components associated with that?
It really makes people pause and say, “Has this been vetted? Has it gone through our program to make sure that the vendor meets our standards? Not only does the vendor meet our standards, but do we know who this vendor is? Is it just the vendor? Do they use subcontractors? Where are they located? Is there offshoring of data? What technologies do they use? What does their compliance program look like?” You really have an understanding of who it is that you are engaging and who you are entrusting your operations with, entrusting your data with and entrusting your technology with. I think that it’s really important, and it’s something that we’re seeing a lot of clients really embrace, including to the point where if they already have a third-party risk vendor evaluation system, they’re going back and they’re re-evaluating it and they’re looking for ways to make it stronger.
And that’s where, Shannon, I would bet you’re seeing this, but do tell me, we’re seeing clients engage you, and then they’d like you to perform audits, to perform reviews and assessments to say, “Is our third-party vendor risk management program sufficient?” With everything that’s going on today and the climate that we’re living in, because technology is changing so quickly, including with the introduction of a lot of Artificial Intelligence (AI), how are you helping clients evaluate their systems, what they have in place right now? What are you telling them to consider?
Shannon Sumner
That’s a great question, because we are starting to see more and more health systems, primarily academic medical centers, that have created what are called innovation centers. So it’s where certainly some providers and others are really bringing to the table some of those maybe new medical devices, maybe new ways of providing patient care. It’s new systems and tools and unique ways of partnering with other types of organizations downstream, and certainly AI has been a catalyst as well. As we think through all of those nuances of health care that weren’t in place years ago, new parties we’re doing business with, where we have helped organizations is thinking this through in their risk management, their risk assessment processes.
So really taking a look at, do we have an inventory? Do we know where all our data is? Do we know who we are connected with? And that’s probably one of the most eye-opening exercises, because when you think about all the dependencies that an organization has, and I really think that came to light with some of the issues with the Change Healthcare cyber breach, the ransomware. I think it brought to light how many parties we partner with and how, if you have all of your eggs in one basket, it can really cause major, major disruptions to business. So it’s really that multi-pronged approach, whether you think of a compliance program or if you think about disaster recovery tabletop exercises. We think sometimes it had been, “Well, if something happens within the four walls of our facility or within our organization,” and now we really have to think broadly: what if a significant business associate that we count on had a breach, whether it’s a data center, whether it’s a third-party administrator?
Those are the areas that we’re really starting to see greater emphasis on that education, as you mentioned, making sure we know who we’re in business with. And for our purposes of helping clients it’s, are we aware, do we include those in our either internal audit compliance, ERM risk mitigation exercises, whether it’s auditing and monitoring and then are we taking advantage of some of the additional guidance and research that’s out there?
And for example, one of the things that I mentioned earlier is certainly that the DOJ is involved in wanting to ensure that its prosecutors, as part of their evaluation of corporate compliance programs guidance back in March of 2023, had a section on third-party management expectations. And so when we advise our clients, we advise them to make sure internally they’re asking, “Have we integrated our risk-based processes with procurement and vendor management processes? Are we ensuring that we have the appropriate business rationale for entering into those relationships with third-parties?” So that goes back, Monica, to your point about doing your due diligence. And do those contract terms specify and identify those services to be performed? Yes, I mean, most of our agreements specify that, but how are we monitoring that? How are we auditing that?
And then finally, the area that we are emphasizing is that governance oversight and that governance structure that you mentioned. And so we provide a list of some of the questions that board members should be asking about the organization’s third-party risk management program, and also include that as part of the ongoing questions to be answered if you serve on a committee internally related to third-party risk management. And so a lot of these questions circulate, for example, “Has that committee been created? Who is involved? How are third-parties selected? Are conflicts of interest evaluated? How are they audited and monitored, and by whom? Has the organization considered and analyzed those compensation structures for third-parties against those compliance risks? So do you know how those entities are compensated or incentivized, and could they be doing something that could directly or indirectly impact you from a risk perspective?” Back to some of those laws that you mentioned earlier about Stark, Anti-Kickback and false claims.
And then finally, a big area is how are those due diligence red flags identified and mitigated? So for example, we identified a red flag with a vendor. We feel like we’ve got some mitigation strategies in place, we bring them on, and then that due diligence, I kind of hate to say, sits on a shelf, because nothing is on a shelf anymore, but have we done anything with it? We know it, we knew it, we engaged with this third-party, and now if there is an issue, guess what? The government’s going to know that, and they’re going to identify that as problematic for you in terms of litigation, in terms of settlement obligations, because you should have known, because you did know. So those are the things that we’re helping our clients with, to really put that structure in place related to mitigation of those risks that have been identified.
Monica Chmielewski
I think that’s so important, what you just said, in terms of if you’re going to conduct the due diligence, if you’re going to have the information, which you should, you need to act on it when there are issues, because regulators, the DOJ, the Office of Inspector General (OIG), whoever it is that’s coming in, they want to understand and they want to see our entities in compliance. There is a major focus on health care in terms of fraud and abuse, and really some of these supply chain relationships can be seen as almost low-hanging fruit for these governmental regulators. If you have an arrangement that is not in compliance with the Anti-Kickback Statute or with the Stark Law, you can be facing criminal penalties, civil monetary penalties, false claims. I mean, the damages can go up into the hundreds of millions.
We had unfortunately an instance where an entity, and rightfully so, they would collect information on vendors as part of their risk management assessment, as to is there any physician ownership in the vendor?
Are there any relations between any of our physicians and the vendor for conflicts of interest purposes? Well, as part of the due-diligence process information was obtained that the vendor, not only did it have some substantial physician ownership, but there was also relations between that and some of the entities employed physicians. And what that showed was the arrangement needed to be structured so that it fit within one of these safe harbors or one of the exceptions to the Stark Law. Unfortunately, there was a breakdown in the process where that information then sat on the shelf, as Shannon mentioned, even though there aren’t shelves anymore, but the process fell down and that information didn’t get to legal and it didn’t get to compliance and because of that, you had an arrangement that was going on for over a year that was not structured in a compliant manner, and it could have been. Penalties were imposed, there ended up having to be self disclosures that were put in place to the government. All of that could been avoided had the established risk evaluation process been followed.
There are ways to mitigate this. There are ways to identify and to mitigate the risk, as Shannon was pointing out, but to me it’s just as important that, if you’re going to do this, and you should do this, you need to act on the information. You can’t have footfalls in the process, because that’s going to lead to additional liabilities. So it’s really important to follow through with the process, to monitor it, to ensure that it’s audited for compliance purposes, because otherwise both sides, the vendor and the health system provider, could be subject to various penalties and sanctions, from corporate integrity agreements all the way up to exclusion.
Shannon Sumner
So Monica, as we come to a close on this podcast, where would you say an organization should start? What would be the answer to, “Okay, we haven’t done this. We know we have an enterprise risk management program, we have a compliance program, we have an internal audit program, but we don’t know where to start.” What would you recommend as the first steps?
Monica Chmielewski
The first steps that we recommend are, one, to identify, as you just said, that they need this type of program in place, whether it’s specific to supply chain or enterprise-wide. Then to identify who are going to be the champions of this program, of getting this in place, and to involve key stakeholders from the different areas. We always see that it’s important to have someone at the level of vice president of materials management or supply chain, or president, depending on what the titles are, somebody from IT, somebody from legal, somebody from compliance, but then also, if it’s going to include other areas, perhaps the chief of the medical staff, because you also want the physician buy-in.
So you start with identifying who are going to be the key stakeholders, who are going to be the champions of this program. Then it’s working to understand where you are. Do you have a program in place that needs to be expanded, or are you starting from scratch? At which point you do a review, do a gap assessment, see what type of compliance program you have and whether it can be built off of, and then you engage somebody like you, Shannon, in conjunction with legal, to help build out the program, provide education and training on it, and then implementation and rollout. I mean, that’s really, at a high level, what we’ve seen in terms of how you start it and what you do with it. Do you see the same thing? Is that what you would recommend as well?
Shannon Sumner
Absolutely, and I would say the next layer to that would be governance. So if we have any listeners who are on a governance committee of the board, or even a governance committee within their organization, just think through: do we have this? And I think the first step is always the hardest, and it’s always the hardest to recognize how many organizations you may be contracted with and may not necessarily know. But I would say that would really be the first step: having the conversation, understanding what the risks are and how they are being mitigated. And I think we can never predict all the risks and we can never manage all the risks.
But I think an organization that has a strong desire to serve their communities, to serve patients, and to serve their employees and just be good stewards of resources, I think this is obviously the best step to ensure that that does take place. And so, Monica, it’s been a pleasure talking to you about third-party risk, and we really have enjoyed spending time with our listeners today, and I hope everyone has a great day.
Monica Chmielewski
Yes, agreed. And Shannon, thank you. Likewise. It’s been a pleasure and I hope everybody found this interesting and informative and helpful.
Shannon Sumner
All right, thank you.
Monica Chmielewski
Thank you.
Angie Caldwell
Thank you, Monica and Shannon, for a great discussion. We appreciate you taking the time to join us today. We want to thank our listeners for joining our Let’s Talk Compliance podcast series with Health Care Law Today, your connection to timely legal updates in the health care and life sciences industry. We encourage you to subscribe to this podcast, and to visit Foley’s Health Care Law Today blog at healthcarelawtoday.com and at pyapc.com. If you like this show, don’t forget to subscribe and be sure to rate us five stars. Until next time, I’m Angie Caldwell at PYA.
Jana Kolarik
And I’m Jana Kolarik at Foley & Lardner, thanks so much for listening.