The Hidden Costs of Outsourcing Healthcare Revenue Cycle Management
Every healthcare organization has to prioritize both clinical and financial outcomes. Increasingly, one way in which they’re doing so is by outsourcing healthcare revenue cycle management (RCM).
Healthcare RCM requires orchestration between payers, provider groups, patients, and — much more frequently today — third-party vendors. There are often whole departments within medical groups dedicated to handling invoices, claims, denials, and collections — and the library of ICD-10 codes and their varying reimbursement rates continues to expand.
Unfortunately for many healthcare organizations, hiring the right people for RCM is easier said than done. The Great Resignation made filling vacancies for skilled positions more difficult than ever, especially in the healthcare and technology sectors. This has led many healthcare organizations to opt for outsourcing their RCM, rather than keep this important business function in-house.
Why is healthcare RCM outsourcing on the rise?
There are several major reasons why the outsourcing of revenue cycle management continues to gain popularity. In addition to staffing challenges, the payment and collections landscape has become increasingly complex due to the rising number of payer plans and the continually varying rates of reimbursement for services. These challenges all impede the sustainability and scaling of healthcare organizations.
Staffing
RCM is becoming more complicated as both the number of payers contracted by healthcare providers and the number of plans offered increase, and each payer and plan has different coverages for different services. The rules for reimbursement rates and covered procedures vary by payer and plan, and often from state to state.
Many healthcare organizations — especially ones that practice across different municipalities — don’t have the staff to manage RCM services themselves and must turn to outsourcing to fulfill their responsibilities.
Skills
In addition to addressing staffing shortages and costs, RCM outsourcing has several other business and organizational benefits. Companies dedicated solely to RCM often possess a deeper bench of related skills. For example, specialized RCM teams are highly skilled at coding optimization, so they can likely bill in a way that brings in more revenue.
Separation
Perhaps the biggest benefit comes from the separation of the business of revenue collection from the business of patient care. Outsourcing RCM to a third party pushes the financial part of the healthcare transaction to another source, allowing hospital systems to focus primarily on clinical outcomes. The bad news, however, is that although this separation can enhance patient interaction and satisfaction, it can also increase cybersecurity risks.
The cybersecurity risks of RCM outsourcing
RCM companies have access to both patient information and financial data. Revenue cycle management can involve up to 17 steps, which can introduce vulnerabilities in protecting valuable data. In other words, these companies are the perfect target for malicious actors. It’s no coincidence that one of the largest healthcare breaches of 2022 involved a large billing and coding service company.
RCM organizations aren’t always prepared to pass the high bars of compliance with the Health Insurance Portability and Accountability Act (HIPAA) and to provide the data security necessary in the healthcare industry.
People are the most vulnerable
Even if the company can handle these requirements, the addition of other points of access to this sensitive information still presents a larger attack surface for threat actors. After all, U.S. Health and Human Services’ social engineering research finds that of the three areas of focus in healthcare (people, process, and technology), it’s people who are the most vulnerable.
Outsourcing creates risks
PwC’s recent Global Digital Trust Survey reported that three-fourths of executives found their organizations to have “concerning” privacy and cybersecurity risks. Adding another organization to the mix will only make these concerns more pronounced.
Beyond RCM, any outsourcing initiative necessitates a correlated evaluation of security and infrastructure. A study from Research and Markets estimated that the healthcare revenue cycle outsourcing market will almost double in size from 2020 to 2027 — from US$14.6 billion to US$27 billion.
The number of parties — and people — exposed to financial and clinical data is expanding rapidly, so now is the time to assess cybersecurity risks to maintain your organization’s brand reputation and your patients’ privacy.
The need to enhance RCM risk management
Healthcare is highly regulated for good reason. While every business should take the protection of customer data seriously, the intimate nature of medical records — and their high value on the Dark Web — makes that protection all the more urgent.
Data security is as much about peace of mind as it is about financial protection. That's why leaders need to understand the ins and outs of how to prevent cyberattacks in healthcare, both in terms of their internal teams and their business partners.
How to manage the risks of outsourcing RCM
The healthcare ecosystem needs to accommodate myriad considerations when outsourcing RCM. These considerations start with HIPAA compliance. To keep following HIPAA and Health Information Technology for Economic and Clinical Health (HITECH) guidelines, healthcare organizations need to ensure compliance in three key areas:
Logins
Monitoring
Multiple security layers
Logins
Everyone authorized to access protected health information (PHI) should have a unique, password-protected login ID. Authorized users should also be prompted to update their passwords regularly to maintain security.
Monitoring
Monitoring technology should be implemented to continually identify abnormalities. Specifically, businesses need to monitor areas of vulnerability like logins, downloads, and screen shares.
Multiple security layers
One, or even two, layers of security should not be considered sufficient for keeping PHI safe. Multiple security layers need to be in place to protect internal networks. At the bare minimum, implement security layers like firewalls and network protection.