Choosing the Right RCM Company has Its AdvantEdge

By Jeanne A. Gilreath, CHBME, Senior Vice President and Chief Compliance Officer

Headline: OCR Settles with Touchstone Medical for $3M after Health Data Breach.[1]

Background: Touchstone, a radiology imaging center, suffered a data breach through a misconfigured (unsecured) FTP (file transfer protocol) server, exposing the records of 307,000 patients of the imaging center. In addition, an Office for Civil Rights (OCR) investigation found deficiencies in business associate agreements, timely breach notification and risk assessments, among other issues.

MedIT Associates, a business associate of the imaging center and a provider of comprehensive IT solutions to the healthcare industry, was the vendor that managed the FTP server in question. At the time of writing, the company's website could not be reached.

OCR learned of the exposure from an email reporting that social security numbers were accessible on an unsecured FTP server. The misconfiguration allowed anyone on the internet to read the electronic protected health information (ePHI) stored on the server, and because no authentication stood in the way, search engines crawled and indexed patients' health data, making the records discoverable through ordinary web searches.

The FBI notified Touchstone of the breach, and three months later OCR officials contacted the imaging center to say that the security incident was being investigated for HIPAA compliance. The compromised data included demographic information, including social security numbers.
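The breach above turned on two things a practitioner can check directly: whether the FTP daemon was configured to accept anonymous logins, and what anonymous sessions actually fetched. The following is an added example, not code from the original article or from any vendor named in it. It audits a vsftpd-style configuration (the directive names are real vsftpd directives; the two config fragments are constructed) and triages log lines in vsftpd's default log format (the log lines, IP addresses and file names are constructed for the example and are not Touchstone's data).

```python
"""Post-hoc triage of an exposed FTP server: did the configuration permit
anonymous access, and which files did anonymous clients download?

Added example for this article. Directive names are real vsftpd directives;
the config fragments and log lines below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed vsftpd.conf fragment with the weak settings.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
anon_root=/srv/ftp
local_enable=YES
write_enable=YES
anon_upload_enable=YES
ssl_enable=NO
"""

# Same server, corrected: no anonymous access, TLS required for logins and data.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# Constructed log lines in vsftpd's default (non-xferlog) format.
SAMPLE_LOG = """\
Thu Sep  6 13:37:00 2018 [pid 2071] CONNECT: Client "203.0.113.5"
Thu Sep  6 13:37:00 2018 [pid 2070] [anonymous] OK LOGIN: Client "203.0.113.5"
Thu Sep  6 13:37:02 2018 [pid 2072] [anonymous] OK DOWNLOAD: Client "203.0.113.5", "/exports/patients_2018.csv", 482113 bytes, 1204.55Kbyte/sec
Thu Sep  6 13:41:10 2018 [pid 2080] [anonymous] OK LOGIN: Client "198.51.100.9"
Thu Sep  6 13:41:12 2018 [pid 2082] [anonymous] OK DOWNLOAD: Client "198.51.100.9", "/exports/patients_2018.csv", 482113 bytes, 980.10Kbyte/sec
Thu Sep  6 13:41:15 2018 [pid 2082] [anonymous] OK DOWNLOAD: Client "198.51.100.9", "/exports/readme.txt", 512 bytes, 12.00Kbyte/sec
Thu Sep  6 14:02:33 2018 [pid 2090] [jsmith] FAIL LOGIN: Client "192.0.2.44"
Thu Sep  6 14:02:40 2018 [pid 2090] [jsmith] OK LOGIN: Client "192.0.2.44"
Thu Sep  6 14:03:01 2018 [pid 2092] [jsmith] OK UPLOAD: Client "192.0.2.44", "/exports/patients_2018.csv", 482113 bytes, 2200.00Kbyte/sec
"""

# vsftpd's compiled-in defaults for the directives we care about. Note that
# anonymous_enable defaults to YES: an absent directive is itself a finding.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
}


def parse_vsftpd_config(text):
    """Parse key=value lines; a later line overrides an earlier one."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_config(cfg):
    """Return human-readable findings for settings that expose data."""
    def get(key):
        return cfg.get(key, DEFAULTS[key]).upper()

    findings = []
    if get("anonymous_enable") == "YES":
        findings.append("anonymous_enable=YES (or absent): anyone can log in "
                        "without credentials and read everything under anon_root")
        if get("anon_upload_enable") == "YES" and cfg.get("write_enable", "NO").upper() == "YES":
            findings.append("anon_upload_enable=YES with write_enable=YES: "
                            "anonymous clients can also write to the server")
    if get("ssl_enable") == "NO":
        findings.append("ssl_enable=NO: logins and file contents cross the network in clear")
    else:
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if get(key) == "NO":
                findings.append(f"{key}=NO: TLS is available but not enforced")
    return findings


LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?:(?P<status>OK|FAIL) )?(?P<action>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?')


def parse_log(text):
    """Turn vsftpd log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["size"] = int(event["size"]) if event["size"] else None
            events.append(event)
    return events


def anonymous_downloads(events):
    """Map each file fetched over an anonymous session to the client IPs that took it."""
    exposure = defaultdict(set)
    for e in events:
        if e["user"] == "anonymous" and e["status"] == "OK" and e["action"] == "DOWNLOAD":
            exposure[e["path"]].add(e["ip"])
    return dict(exposure)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name} config:", audit_config(parse_vsftpd_config(conf)) or ["no findings"])
    for path, ips in anonymous_downloads(parse_log(SAMPLE_LOG)).items():
        print(f"{path} fetched anonymously by {len(ips)} client(s): {sorted(ips)}")
```

The per-file client list is what breach notification needs: it tells you which files left the server without authentication and from how many distinct sources, which is the evidence the 60-day clock in the Breach Notification Rule runs against. Run the same audit against the daemon's live configuration rather than a copy in a ticket; an absent `anonymous_enable` line is as exposed as an explicit YES.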

What Went Wrong: OCR found that Touchstone:

  • failed to thoroughly investigate the incident until more than four months after being notified by the FBI of the breach;
  • did not implement technical policies and procedures to restrict access to servers containing ePHI to authorized users until after the incident occurred;
  • failed to enter into a business associate agreement (BAA) with its vendor until two years after the incident was reported, and continued exchanging ePHI with the vendor in the meantime without a BAA in place;
  • failed to perform an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of its ePHI until one month before OCR received the email notification; and
  • failed to notify patients in a timely manner, waiting 147 days, whereas HIPAA requires notification without unreasonable delay and no later than 60 days after discovery of the breach.

“Covered entities must respond to suspected and known security incidents with the seriousness they are due, especially after being notified by two law enforcement agencies of a problem,” OCR Director Roger Severino said in a statement.  “Neglecting to have a comprehensive, enterprise-wide risk analysis, as illustrated by this case, is a recipe for failure.”[2]

Choosing a Medical Billing Service: When choosing a third-party billing company to manage your practice's revenue cycle management (RCM) process, there are many resources a provider can consult in print, online, and through consultants and peers. However, the evaluation criteria are generally limited to the company itself: reputation, track record, service levels, cost, KPI performance, and support.

What is rarely discussed with providers when evaluating billing companies is the billing company's compliance program, its risk assessments, and the audit requirements it must meet under the HIPAA Privacy and Security Rules, the HITECH Act of 2009, and OIG's compliance guidance for third-party medical billing companies.

The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical and technical safeguards. One of the required administrative safeguards is a Risk Analysis[3]: an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information held by the covered entity or business associate. This can be a self-assessment or it can be conducted by an objective third-party audit organization as part of the billing company's compliance program. Does the billing company your practice is considering conduct an annual security risk assessment? Is it self-directed or conducted by a third-party audit firm? Who reviews the findings, and how are they remediated? It is too late to find out after you have signed a service agreement without asking these questions.

The U.S. Department of Health and Human Services (HHS) published an update in July 2018 of its Phase 2 HIPAA Audit Program[4], which reviews the policies and procedures adopted and employed by covered entities and business associates (including billing companies) to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification Rules. The update reflects the Omnibus Final Rule. The audits assess an entity's compliance with selected requirements and may vary based on the type of covered entity or business associate selected for review. Before an audit ever arrives, practices should ask whether the billing company under consideration could meet the requirements of the Phase 2 HIPAA Audit Program.

Healthcare Cybersecurity is Under Attack

Breaches are staggering in number and occur in every industry, but the U.S. healthcare industry accounts for the largest share of them.[5]

  • More than 3 billion data records compromised in the first half of 2018 worldwide (the per-hour rate below works out to roughly 18.5 million records a day and about 3.35 billion over the 181-day period)
    • 18.5 million records lost or stolen every day
    • 771,909 records lost or stolen every hour
    • 12,865 records lost or stolen every minute
    • 214 records lost or stolen every second
  • 65% of the breaches involved identity theft, the most common breach type
  • 56% were caused by a "malicious outsider"
  • 27% of the breaches were in healthcare, the highest share of all incidents by industry
  • 57% of the breaches were in the U.S.A., the highest share of all regions worldwide

Within the last six months, “North Carolina-based Atrium Health is notifying 2.65 million individuals of a data breach involving a cyber attack on databases hosted by a third-party billing vendor, AccuDoc.  If details are confirmed by federal regulators, the incident would be the largest health data breach reported so far in 2018.”[6]

How to Reduce the Risk When Selecting a Billing Company:

There are four questions that every provider should ask a billing company during the proposal process, but that are typically not discussed, which establish whether the vendor meets the security, cybersecurity, and federal regulatory and statutory requirements of a healthcare environment where cyber-attacks and threats to ePHI are a daily occurrence. Providers need a trusted and compliant billing company to protect the security of their patients' information.

  1. "Does the RCM company have an effective billing compliance program according to OIG's compliance guidance for third-party medical billing companies?"[7] Then ask them to explain their program elements.

  2. "Does the billing company submit to an annual third-party audit according to SSAE 18 (Statement on Standards for Attestation Engagements No. 18) SOC 1 Type 2 attestation standards established by the American Institute of Certified Public Accountants?" A SOC 1 Type 2 report covers both the design of a service organization's process controls and their operating effectiveness over a review period, whereas a Type 1 report only confirms that controls exist at a single point in time. It considers the direct and indirect impact of risks and controls that are likely to be relevant to clients' financial reporting. The description of system controls covers billing, payments, accounts receivable, client services, and general computer controls, and considers the initiation, authorization, recording, processing, and reporting of related transactions. Ask to see the report itself, not just a letter saying one exists, and read the auditor's noted exceptions and the period covered.

  3. "Does the billing company submit to an SSAE 18 SOC 2 Type 2 audit, which reports on non-financial controls covering the security, availability, processing integrity, confidentiality, and privacy of a system?" Security is the baseline criterion; the other four are included only if the company chose them, so ask which criteria are in scope and whether the systems that hold your ePHI are within the report's boundary.

  4. "Does the billing company obtain a HIPAA Security Assessment Report assessing the internal controls in place to satisfy the Security Rule as amended by the HIPAA Omnibus Final Rule that the Department of Health and Human Services issued in January 2013, which made business associates directly responsible for Security Rule compliance?" The assessment involves understanding the medical billing services provided by the RCM company and then documenting and verifying the safeguards in place to meet the relevant requirements of the Omnibus Final Rule on behalf of covered entities whose protected health information resides in the billing company's software and facilities.

These four questions are just as important as the financial performance of a billing company. To avoid falling prey to cybersecurity bad actors, an RCM company must invest in security and audit procedures that prevent a cyber-attack from harming its clients and the billing company's reputation. Choosing AdvantEdge Healthcare Solutions, with its SOC 1, SOC 2 and HIPAA attestations every year since 2014, is a clear Advantage!

[1] HealthITSecurity, HIPAA and Compliance News, (accessed May 26, 2019).

[2] ibid.

[3] CFR 164.308(a)(1)(ii)(A)

[4] Health Information Privacy, (accessed May 29, 2019).

[5] Statistics presented are based on the Breach Level Index, ©2018 Gemalto N.V.

[6] Marianne Kolbasuk McGee, "Attack on Billing Vendor Results in Massive Breach," Nov 28, 2018, (accessed May 28, 2019).

Jeanne A. Gilreath, CHBME, Senior Vice President and Chief Compliance Officer

Ms. Gilreath has more than thirty years' experience in the healthcare industry. At AdvantEdge, she is the Compliance Officer, keeping the company's policies current with ongoing industry changes. She is also responsible for client development and the expansion of value-added services to clients.

To learn more call 877-501-6111 or email