Offshoring revenue cycle management has been an increasing phenomenon in the healthcare landscape today. Primary drivers for this include cost-efficiency, controlled management, specialization and expertise, economies of manpower, and an affordable edge in information technology.

However, seemingly apparent economic advantages have given rise to controversies and popular debate against offshore outsourcing. With offshoring, data transfer is inevitable because once access is given to foreign third-party service providers, it is almost impossible to prevent data from leaving the company and the country. In the event of offshore data breaches, healthcare companies may become target of domestic lawsuits.

According to a 2013 Trustwave Global Security Report of  450 global data breach investigations, 63% were linked to third party component of IT administration. The report says that outsourcing, itself, is not necessarily risky but that bad decisions are being made. Part of the problem, according to Trustwave is that service providers don’t view security as being as valuable as their American clients do.

An example of an infamous data breach incident happened on October 7, 2003 which sent terror throughout the medical system. The University of California at San Francisco (UCSF) Medical Center received an email from a Pakistani medical transcriber threatening to disclose private records if UCSF did not pay her a certain amount she claimed it owed her in backpay. UCSF then verified the authenticity of the records she possessed and launched an investigation. Authorities uncovered a chain of subcontractors of whom UCSF was completely unaware.

Privacy violators are subject to both civil and criminal penalties. According to the United States Department of Health and Human Services Office for Civil Rights (HHS OCR), these are the penalties for each tier:

Tier 1: $100-$50,000 per violation, capped at $25,000 per year the issue persisted

Tier 2: $1,000-$50,000 per violation, capped at $100,000 per year the issue persisted

Tier 3: $10,000-$50,000 per violation, capped at $250,000 per year the issue persisted

Tier 4: $50,000 per violation, capped at $1.5 million per year the issue persisted

The healthcare industry has long been a target for hackers and it seems the trend is still increasing. According to the US Department of Health and Human Services’ breach portal, in 1st quarter of 2017 there were 22 breaches recorded in the US while this figure soared to a high of 99 in 2nd quarter of 2018. Email was also the top source of data breaches in the healthcare industry in 2018.

An analysis of 1,138 health data breaches affecting a total of 164 million patients from October 2009 through the end of 2017 in the breach portal shows that the top cause of data breaches (42 percent of cases) was theft of equipment or information by unknown outsiders or by current or former employees. Another 25 percent of cases involved employee errors like mailing or emailing records to the wrong person, sending unencrypted data, taking records home or forwarding data to personal accounts or devices.

This means that more than half of breaches were due to internal negligence and thus to some extent preventable.

With recent data breaches surrounding outsourcing and offshoring, it is essential to assess your third-party vendors’ operations, data security capabilities, and procedures in safeguarding member data privacy to avoid all that comes with a data breach.

It is essential for healthcare organizations to go beyond the standard HIPAA compliance standards.

Think twice before offshoring the more sensitive aspects of your revenue cycle.

Always have a data security program in place that allows your organization to stay on top of the latest cyber threats and be able to respond and then recover when a breach takes place. You may not completely get ahead of all online risks, but that doesn’t mean you can’t be prepared.

Data security problems arise from poor management and negligence. Whether the decision to offshore is on the table or not, healthcare facilities must regularly check measures and defenses to prevent threats to data breaches and cyberattacks.