HIPAA compliance in an offshore RCM engagement is a contractual and operational requirement — not optional. Here is the compliance framework that should be in place:
Required contractual protections:
- A signed Business Associate Agreement (BAA) between the billing company and the offshore partner
- Data security requirements written into the service agreement — encryption standards, access controls, breach notification timelines
- Audit rights: the ability to request documentation of the partner’s security practices and access logs
Operational security standards to verify:
- Data transmission: all PHI transmitted via encrypted channels (SFTP, SSL/TLS, VPN)
- Access controls: PHI accessible only to personnel assigned to that client; role-based access with audit trails
- Device controls: restrictions on USB drives, personal devices, screen capture, and local storage of PHI
- Employee training: documented HIPAA training for all staff handling PHI, updated annually
- Incident response: documented breach identification and notification procedures that meet HIPAA’s 60-day notification window
Certifications to look for:
- SOC 2 Type II — independently verified controls over security, availability, and confidentiality
- ISO 27001 — international standard for information security management
Squadyen operates under a signed BAA with every billing company partner and maintains documented HIPAA-compliant security practices including encrypted transmission, role-based access controls, and annual staff training.