Outsourcing and the offshore
security conundrum

Is it safe?

The economics of health care is complex and highly regulated. Health systems, hospitals, physician practices, ACOs, and providers of all types find it harder and harder to stay out of the red. Efficiencies must be gained, and healthcare business executives looking to alternative delivery models and cost-cutting measures where possible.

One area where efficiencies can be gained and costs can be contained is the use of offshore outsourcing partners to perform medical coding and revenue cycle management services – either as an adjunct to an existing billing office or in wholesale replacement of a billing office.

This raises one of the most primary concerns of hospitals and health systems: is their patients’ privacy closely protected? Hospital executives want to know what measures they should demand of their outsourcing suppliers to safeguard patient health information and prevent information being accessed by hackers. They want to know – is it safe?

Is it safe?

Most medium to large sized organizations employ a variety of information security controls. However, without an information security management system (ISMS), controls tend to be limited or non-comprehensive. That is often because they were implemented to support point solutions to specific situations or simply as a matter of necessity for certain circumstances. Security controls in operation generally address certain parts of IT or data security, specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) usually unprotected. Also, it can occur because business continuity planning and physical security may be managed quite independently of IT or information security. Likewise, human resource practices may make little reference to the need to define and apply information security roles and responsibilities throughout the organization.

To compound matters, the U.S. healthcare system and its privacy and payment models are foreign to a large part of the world. Therefore, it is necessary that when work is being performed offshore, the outsourcing partner understands U.S. healthcare. They must have the appropriate infrastructure, process and human resource processes in place so that patient health information is protected.

At Vee Technologies, all employees undergo extensive training as to how the U.S. healthcare system operates, how insurance works, how healthcare services are rendered, and how bills are paid.

Part of this education includes HIPAA and PHI training. In fact, at Vee Technologies, employees undergo an oath and commit to a creed. Our workers fully comprehend and appreciate the company’s policy regarding 100% HIPAA compliance.

Next, there are other risk and security protections in place for process and computing and network technologies. “ISO 9001:2015 specifies requirements for a quality management system when an organization:

    • Needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and
    • Aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements

All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.

Training

ISO/IEC 27001 requires that management

  • Systematically examine the organization's information security risks, taking into account the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.”
Security Risks

To comply with these certifications, we placed manned security at the perimeter of all Vee Technologies buildings, in the reception areas, and in front of all production environments. Biometric or card-key access is used to keep track of who is coming and going. Closed-circuit TV’s provide real-time monitoring of the production floors. Computers within production environments have no removable media and email is limited. No cell phones, no cameras and no papers are permitted. In short, there is no way an employee can save, take a picture of, print, write down or leave a Vee Technologies facility with PHI. Employees are provided lockers to keep personal belongings so that they can use cell phones and access their effects during breaks.

It is these safeguards that ensure patient records are kept confidential. It can require changes in organizational behavior until full adoption and adherence to these processes are fully institutionalized. The effort and investment in ISO certifications can be costly. However, without these processes and infrastructure in place, can you really answer the question, “is it safe”?

Jeff-Shelmire

Meet the Author

Jeff Shelmire - Vice President of Professional Services

Jeff is the Vice President of Professional Services at Vee Technologies. His expertise and ability to expand Vee Technologies’ client base into long-lasting relationships brings Vee Technologies ahead of the curve.

Outsourcing and the offshore security conundrum

In these unprecedented times, Vee Technologies is committed to doing our part to help those in need. With the ongoing spread of COVID-19 (coronavirus) and the incredible speed at which things are changing around us, organizations are continually adapting their operations and business structure. Vee Technologies has the experience and capability to help your organization through this difficult time. We've expanded our continuity plan and infrastructure to accommodate the current business needs. Please do not hesitate to contact us when your need arises, our implementation team can have you up and running quickly and efficiently.

X