Risks related to outsourced billing and considerations for mitigating those risks
Complexity and cost. Those are two reasons why clients tell us they use a third-party, offshore company for their billing operations. This practice has become particularly prevalent in the healthcare industry where billing can involve multiple locations, vendors, services, insurance companies, and personnel. Having another company manage the billing process can result in efficiencies and cost-savings. It can also increase a company’s risk of a data breach.
Outsourcing billing services may make financial sense, but it is important that hospitals and medical practices understand the risk landscape of this still-emerging industry. It is critical to ask the right questions to make sure international partners have the right security practices and protocols in place to protect sensitive information.
Know where you are vulnerable
Before engaging with a third party for billing operations, a practice must understand its own vulnerabilities, which usually requires an outside perspective and assessment. A risk assessment will highlight areas where someone with enough access could collect sensitive patient, vendor, and personnel data. Any breach could result in brand reputation damage and loss of revenue. If a practice provides access to a third party before mitigating the issues in its system, the risk that data will be exposed, whether intentionally or accidentally, increases.
Do your homework
While practices likely have many vendors handling a multitude of tasks, it is important to recognize that a billing company has unique access. It is provided with financial information, patient records, insurance data, and many other types of sensitive information.
It is critical that billing vendors are properly vetted. This involves far more than simply reviewing their website, having a conversation, getting a few references, having them sign a non-disclosure agreement, and awarding them the contract. Mitigating the probability of a data breach begins with a full investigation of the billing vendor. Inquire about the ownership structure as well as the policies, protocols, and practices in place to secure sensitive data. Ask for specifics: ascertain the exact steps they take to protect information, the systems and software they use, and the monitoring mechanisms they have in place. Get a list of all employees who will be working on the practice’s account and given access to its data. Speak with the department charged with employee screening to understand their hiring and training processes, and the consistency with which they are carried out.
It’s also important to understand the laws, regulations, and common practices of the country in which the billing company operates. Countries like India, China, and Vietnam have become popular for outsourced billing and other services. These countries, however, also have less regulatory rigor and uniformity when it comes to information security standards and monitoring, resulting in poorly controlled security of sensitive data. No matter how much care a U.S. practice may take to protect and encrypt data before conveying it to its billing partner, there is always a risk that the information could fall into the wrong hands unless due diligence has been exercised.
Anonymity and complexity
Once the overseas billing partner is selected, the next step is for the practice to do what it can on its end to make it difficult or impossible for information to be sold or misused. Perhaps the most effective way is to anonymize financial and personal data before releasing it. However, this also adds cost and complexity, which could make the third-party option less appealing when a cost-benefit analysis is done.
While the general lack of uniformity around medical billing (different billing, coding, and software solutions across the industry) makes it difficult to be definitive about anonymization techniques and recommendations, practices should be thoughtful and strategic about what fields of information are conveyed to their overseas partners. The general goal should be to have an in-house system that automatically collates bills and batches them to the third-party partner, while protecting personally identifiable information by keeping names and identifying data firewalled inside the hospital’s network.
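One way to build the in-house batching step described above, as an added example that is not the article's or Pinkerton's own code: identifying fields are replaced with a keyed token before a bill crosses the firewall, the key and the token-to-identity map stay inside the practice's network, and results coming back from the vendor are re-identified on return. The field names and sample records are assumptions constructed for the example.

```python
import hmac
import hashlib
import json

# Hypothetical field names for a billing record (constructed for this example).
IDENTIFYING_FIELDS = ("patient_name", "ssn", "date_of_birth", "address")


class IdentityVault:
    """In-house component. The HMAC key and the token->identity map never
    leave the practice's network; only the tokenised bill does."""

    def __init__(self, key: bytes):
        self._key = key
        self._identities = {}  # token -> identifying fields, kept on-premises

    def tokenize(self, record: dict) -> dict:
        """Strip identifying fields and replace them with a keyed token."""
        identity = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
        canonical = json.dumps(identity, sort_keys=True).encode()
        # Keyed hash: the same patient yields the same token, so the vendor can
        # still link claims, but the token cannot be reversed without the key.
        token = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:16]
        self._identities[token] = identity
        outbound = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        outbound["account_token"] = token
        return outbound

    def reidentify(self, vendor_result: dict) -> dict:
        """Re-attach identity to a result that came back from the vendor."""
        token = vendor_result["account_token"]
        merged = {k: v for k, v in vendor_result.items() if k != "account_token"}
        merged.update(self._identities[token])
        return merged


def build_outbound_batch(vault: IdentityVault, records: list) -> list:
    """Collate bills into the batch that is allowed to cross the firewall."""
    batch = [vault.tokenize(r) for r in records]
    leaked = [k for b in batch for k in b if k in IDENTIFYING_FIELDS]
    if leaked:  # release gate: never ship a batch that still carries identifiers
        raise ValueError(f"identifying fields present in outbound batch: {leaked}")
    return batch


# Constructed sample records, not real patient data.
SAMPLE_RECORDS = [
    {"patient_name": "Jane Doe", "ssn": "000-00-0000", "date_of_birth": "1980-01-01",
     "address": "1 Example St", "cpt_code": "99213", "charge": 150.00, "payer_id": "P01"},
    {"patient_name": "Jane Doe", "ssn": "000-00-0000", "date_of_birth": "1980-01-01",
     "address": "1 Example St", "cpt_code": "80053", "charge": 45.00, "payer_id": "P01"},
]
```

This is pseudonymisation (reversible in-house), not irreversible anonymisation: fields left in the batch such as service dates or billing codes can still act as quasi-identifiers, so the list of stripped fields needs to be reviewed against the practice's own data.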
Using an offshore, third-party billing operation can save millions of dollars. Many of them are legitimate, reputable firms that will value their clients’ business, but there are many that are not. It’s up to the practice, and perhaps the help of external risk management resources, to put forth the effort to determine the difference and remain vigilant in holding the company to a high standard.
Tim Williams is vice chairman of Pinkerton, which traces its roots to 1850 when Allan Pinkerton founded the Pinkerton National Detective Agency. Today, Pinkerton utilizes an applied risk science approach using technology such as artificial intelligence to provide companies with a holistic perspective for risk management and forecasting. Our global team of advanced security professionals offers a full range of comprehensive services including data-driven risk management planning, investigations, executive protection, employment screening, and protective intelligence. With employees and offices worldwide, Pinkerton maintains an unmatched reputation for protecting clients and their assets. “We never sleep.”