Key Business and Legal Considerations for Credentialing Organizations During the COVID-19 Pandemic

By Mark C. Franco, Esq., Whiteford, Taylor & Preston, LLP

The COVID-19 pandemic has had a wide-ranging impact on all types of organizations, including those in the credentialing industry. Credentialing organizations, nonprofit organizations, associations and many other types of businesses are facing problems created either directly or indirectly by the pandemic. However, credentialing organizations have very specific issues that are key to surviving the current COVID-19 pandemic and its aftermath. Failure to properly plan for and address the following three areas could result in even more problems for an organization that may already be facing a number of other significant challenges. By thinking about these three critical considerations now, credentialing organizations may be able to mitigate some of the negative impacts from the COVID-19 pandemic.

Business Continuity

Even with the current efforts to prevent the spread of COVID-19 by federal, state and local governments, the risk of widespread infection remains a significant possibility. Every day new restrictions and recommendations are being proposed to keep individuals and communities safe. Credentialing organizations must face the stark reality that in some situations, key employees, consultants, or stakeholders may not, as a result of illness or potential exposure, be able to participate in planned activities or rejoin the organization.

Credentialing organizations are not generally known to be heavily staffed, and in many cases, the vast majority of a credentialing organization’s institutional knowledge exists with only a few or even one individual. Credentialing organizations and programs should review their policies and procedures to identify and fill key information gaps related to credentialing activities so that the activities can continue into the future even if there is an entirely new team or most work is conducted virtually. As a unique field, the credentialing industry may not have the same deep level of industry and professional expertise found in many other industries.  And, since no one knows to what extent the COVID-19 pandemic is going to eventually affect access to that expertise, credentialing organizations should prepare now by making sure their credentialing activities have a solid footing going forward with proper and comprehensive business continuity documentation. This includes detailed standard operating procedures and file organization.

 Test Vendor Contract Performance

An unfortunate result of the COVID-19 pandemic has been the extreme curtailment of business activity around the world. This has left many credentialing organizations with candidates impacted by test center closures or questions and uncertainty aboutwhether they will be able to hold planned testing windows or events or meet contractually required or budgeted annual testing minimums. Credentialing organizations should be looking now at their testing and other contracts, such as hotel or venue agreements to ascertain whether they will be able to fully perform their obligations. In addition to evaluating their ability to perform, organizations should be analyzing any applicable provisions such as a force majeure provision that could be used to excuse performance of certain obligations.

However, even though the COVID-19 pandemic may be considered a force majeure event or circumstance, credentialing organizations should be aware that force majeure provisions are generally construed very strictly. The ability to invoke privileges under any specific force majeure provision will depend on the language of the provision. For example, a party is unlikely to be able to invoke a force majeure provision based on the actual COVID-19 pandemic unless the provision uses health-related language like epidemic, pandemic, or health advisory.  A force majeure provision will only excuse a party’s performance if the intervening force majeure event directly impacts a party’s ability to perform those obligations. Credentialing organizations may not be able to successfully invoke force majeure provisions to excuse any performance that will not occur for some significant amount of time, unless it is absolutely clear that a party will not be able to perform due to a force majeure circumstance that will be in place at the time of performance. Any such attempt could be viewed as a breach of the contract and result in significant liability to the organization.

Remote Work and Data Security

The credentialing industry seems to be ahead of the curve compared to other industries in terms of effective virtual operations. However, credentialing organizations not already operating in a completely virtual environment may soon find themselves operating with most or all of their staff working remotely. In addition to the standard remote work policies and procedures needed, , an organization should also focus specifically on ensuring that there are policies and procedures related to remote work with confidential and personally identifiable information. In addition, state and local laws may have requirements and restrictions affecting employment terms and conditions.

An even greater risk is that it is times and circumstances like the ones facing us now that also present the perfect environment for inadvertent data breaches. Organizations, whose personnel have not had to work virtually are now having to create remote work policies within a week or less, which may not be enough time to fully understand all of the data security requirements that may be needed. In addition, these are stressful times, so employees may not be able to rely on regular routines. While working remotely, they are being inundated with all kinds of issues that are probably not just work related. Kids are home due to school closures; there may be sick family members or friends, and not to mention, there is the COVID-19 pandemic to increase anxiety.

It would not be surprising for an organization to experience an inadvertent data breach during these times. If the data breach involves personal information, organizations can face large penalties, lawsuits and significant expenditures remediating the impact on the individuals affected. If the data breach relates to testing information, the organization may have to rebuild or replace test material, which could cost tens or hundreds of thousands of dollars, depending on the size of the breach. Because of the situation, organizations must try to be even more vigilant in terms of data security since the consequences can turn an already bad situation even worse.