Outsourcing and the offshore
security conundrum

Is it safe?

The economics of health care is complex and highly regulated. Health systems, hospitals, physician practices, ACOs, and providers of all types find it harder and harder to stay out of the red. Efficiencies must be gained, and healthcare business executives looking to alternative delivery models and cost-cutting measures where possible.

One area where efficiencies can be gained and costs can be contained is the use of offshore outsourcing partners to perform medical coding and revenue cycle management services – either as an adjunct to an existing billing office or in wholesale replacement of a billing office.

This raises one of the most primary concerns of hospitals and health systems: is their patients’ privacy closely protected? Hospital executives want to know what measures they should demand of their outsourcing suppliers to safeguard patient health information and prevent information being accessed by hackers. They want to know – is it safe?

Is it safe?

Most medium to large sized organizations employ a variety of information security controls. However, without an information security management system (ISMS), controls tend to be limited or non-comprehensive. That is often because they were implemented to support point solutions to specific situations or simply as a matter of necessity for certain circumstances. Security controls in operation generally address certain parts of IT or data security, specifically, leaving non-IT information assets (such as paperwork and proprietary knowledge) usually unprotected. Also, it can occur because business continuity planning and physical security may be managed quite independently of IT or information security. Likewise, human resource practices may make little reference to the need to define and apply information security roles and responsibilities throughout the organization.

To compound matters, the U.S. healthcare system and its privacy and payment models are foreign to a large part of the world. Therefore, it is necessary that when work is being performed offshore, the outsourcing partner understands U.S. healthcare. They must have the appropriate infrastructure, process and human resource processes in place so that patient health information is protected.

At Vee Healthtek, all employees undergo extensive training as to how the U.S. healthcare system operates, how insurance works, how healthcare services are rendered, and how bills are paid.

Part of this education includes HIPAA and PHI training. In fact, at Vee Healthtek, employees undergo an oath and commit to a creed. Our workers fully comprehend and appreciate the company’s policy regarding 100% HIPAA compliance.

Next, there are other risk and security protections in place for process and computing and network technologies. “ISO 9001:2015 specifies requirements for a quality management system when an organization:

  • Needs to demonstrate its ability to consistently provide products and services that meet customer and applicable statutory and regulatory requirements, and

  • Aims to enhance customer satisfaction through the effective application of the system, including processes for improvement of the system and the assurance of conformity to customer and applicable statutory and regulatory requirements

All the requirements of ISO 9001:2015 are generic and are intended to be applicable to any organization, regardless of its type or size, or the products and services it provides.


ISO/IEC 27001 requires that management

  • Systematically examine the organization's information security risks, taking into account the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.”
Security Risks

To comply with these certifications, we placed manned security at the perimeter of all Vee Healthtek buildings, in the reception areas, and in front of all production environments. Biometric or card-key access is used to keep track of who is coming and going. Closed-circuit TV’s provide real-time monitoring of the production floors. Computers within production environments have no removable media and email is limited. No cell phones, no cameras and no papers are permitted. In short, there is no way an employee can save, take a picture of, print, write down or leave a Vee Healthtek facility with PHI. Employees are provided lockers to keep personal belongings so that they can use cell phones and access their effects during breaks.

It is these safeguards that ensure patient records are kept confidential. It can require changes in organizational behavior until full adoption and adherence to these processes are fully institutionalized. The effort and investment in ISO certifications can be costly. However, without these processes and infrastructure in place, can you really answer the question, “is it safe”?


Meet the Author

Jeff Shelmire - Senior Vice President of Professional Services

Jeff Shelmire is the Senior Vice President of Professional Services at Vee Healthtek. His expertise and ability to expand Vee Healthtek’ client base into long-lasting relationships brings Vee Healthtek ahead of the curve.