Baker tells VA vendors they must meet certification requirements

The Veterans Affairs Department is contacting the chief executives of the department’s 22,000 vendors to remind them to certify that they are meeting the VA’s requirements for protecting sensitive medical information, Roger Baker, assistant secretary for information and technology, said today.

Baker said he decided to send the letter because of initial findings of a VA audit that determined that 10 to 25 percent of vendors at some VA facilities are not in compliance with the certification requirement.

“The main intent is that everyone gets the message,” Baker said. “If they are not certifying, we will take action.”

Those certification requirements apply only to VA vendors that have access to personal medical data, which Baker estimated was the case for approximately one-third of the 22,000 vendors.

The audit is not yet complete, and the letter is intended to help vendors meet those requirements as quickly as possible, Baker said in a conference call with reporters.

So far, the audit has found that many VA facilities are fully in compliance, and for those that are not, the noncompliance rate is 10 to 25 percent, he said.

“A lot of this is education about which companies have to have" the certification, Baker said. “Guidance has gone out a number of times, and yet we still have facilities that have not fully addressed it.”