When considering working with a revenue cycle outsourcing partner, it’s important to ensure proper security precautions are in place. Because your partner will have access to important patient health and financial information, you’ll want to vet them in the following key areas.
Minimizing Cyber Risk: Must-Haves for Secure Revenue Cycle Outsourcing Partnerships
When vetting potential revenue cycle outsourcing partners, seek the following protections.
✔️ The revenue cycle outsourcing partner does not make use of offshore services.
Data security standards can vary geographically. The safest scenario is working with a partner that operates entirely within the continental United States, blocking all non-U.S. access to data and technology. Always ensure not only those working claims but others across the company, such as developers and IT, are U.S.-based.
✔️ The revenue cycle outsourcing partner has attained SOC 2 Type 2 certification.
SOC 2 is a voluntary compliance standard for service organizations developed by the American Institute of CPAs (AICPA). The system and controls standard specifies how organizations should manage customer data in accordance with the institute’s Trust Services criteria. SOC 2 certification demonstrates a company’s unwavering commitment to protecting data and ensuring its confidentiality and integrity. Users can rely on the partner having been thoroughly audited for these aspects of control for Type 1 (a point in time) or Type 2 (a rolling time period, such as 12 months).
✔️ All data is stored securely and encrypted while at rest and in transit.
All systems and data should be housed in secure locations by Enterprise Cloud Providers (e.g., Microsoft Azure) with all appropriate physical and digital security measures, including encrypted backups. Data shouldn’t leave the secured environment (i.e., no open access AI use); access should be limited by well-defined business use cases and logical separation of PHI; and physical and digital security measures should be upheld, including active directory, data loss prevention (DLP) mechanisms, and whole disc encryption. This tightly managed cloud environment should comply with Health Information Trust Alliance (HITRUST) risk mitigation standards, as is similarly seen in the banking industry. Data retention should be for no longer than seven years.
Data exchange can also present vulnerabilities. Therefore, the partner should ensure any transmittal will be done using Secure File Transfer Protocol (SFTP) and encrypted via TLS 1.2.
✔️ User logins require layers of identity verification.
Multi-factor authentication (MFA) is an electronic authentication method that requires the user to provide two or more forms of identity verification before allowing access to a website, network, or application. Revenue cycle partners should require two-factor authentication for logins and monitor for failed login attempts. MFA can guard against a bad actor gaining access to a system via a stolen password and potential instances of a tactic known as “credential stuffing,” where hackers use programs and codes to push through credentials in attempts to hack systems.
✔️ Formal continuity planning is in place and maintained.
Preventative measures aren’t enough when it comes to cybersecurity. Business continuity planning helps ensure that even if a security breach or other disaster occurs, the organization can continue to operate and serve its customers. Hospitals should ask partners for details of their business continuity and disaster recovery plans and how they are maintained to minimize the potential for disruption.
✔️ The risk users present is mitigated through active screening processes and ongoing training programs.
Partners should verify employee identity and conduct comprehensive background checks. Users should undergo and maintain yearly training and testing on HIPAA practices, safe handling of PHI, clean desk policy, and other security-focused measures.
✔️ Partners strictly control the workstation environment.
The revenue cycle partner should provide, configure, and maintain users’ equipment. Control over the workstation environment should be maintained through visual documentation, the right to inspection, and policies regarding equipment storage and use, including strict controls that are centrally managed on remote use. In addition, printing practices should be centrally managed and comply with HIPAA’s minimum necessary rule and guidance on the retention and destruction of paper PHI.
✔️ The partner will not sell data.
Data use should be limited to program scope, barring a few narrowly contracted exceptions where anonymous grouping (without PHI) may be of value, such as for benchmarking program success or providing aggregated insights.
✔️ The revenue cycle outsourcing partner aggressively monitors and tests system vulnerabilities.
In addition to ongoing system monitoring, partners should perform monthly vulnerability assessments to identify and address potential sources of risk in systems and infrastructure.
Choosing Knowtion Health as Your Revenue Cycle Outsourcing Partner
Knowtion Health meets all the cybersecurity criteria above—in addition to many more. As a trusted partner, Knowtion Health maintains data privacy and safe handling practices, including SOC 2 Type 2 certification and HIPAA compliance. It’s why organizations securely partner with us time and time again. Knowtion Health offers technology and services you can trust with your claims handing and denials management needs (Services@KnowtionHealth.com).
