Quintessence is now a Firstsource company!

Balancing the impact of RCM technology on cybersecurity

As a healthcare provider, you may use many criteria to choose third-party Revenue Cycle Management companies to handle your RCM processes. One such criterion needs to be the ability to manage cybersecurity.  

Cybersecurity is a very sensitive topic affecting all industries that digitally store, share, and use data. Customers and clients share a lot of information with their service providers on the assumption that it will remain protected. It becomes the service provider’s duty to safeguard this information from malicious attacks.

When it comes to the healthcare industry, cybersecurity is absolutely critical. A recent study mentions that criminal cyber-attacks worldwide have increased by 125% since 2010. The healthcare industry holds large volumes of sensitive patient information that can be misused in many ways once breached. With cloud storage and global tech tools, the chances of information being stolen through hacking or phishing have also increased.

When Revenue Cycle Management companies slowly started adopting RCM tech, the first question everyone had was about Protected Health Information (PHI).

PHI needs to be protected by any healthcare organization. It includes patient information like demographics, health history, laboratory results, and insurance information that hospitals and other medical practices collect to provide appropriate care. 

When these hospitals work with third-party Revenue Cycle Management companies, such information is shared so they can bill and code precisely. Many of these RCM service providers now use intelligent tools and solutions to get their work done. Any time information is stored or processed by a digital tool, there is a risk of it being stolen or compromised, and this could potentially expose PHI, which is taken very seriously in the industry.

While many systems are in place to protect PHI, managing cyber threats is a constant challenge for Revenue Cycle Management companies that handle the data of various large clients. RCM tech comes with incredible advantages for both the service providers and the clients; hence, moving back to manual processing just to protect PHI does not make sense at all. The solution here would be to adopt the latest RCM tech solutions and find ways to protect information.

Latest cyber security breaches

The following are the latest cyber security breaches at popular Revenue Cycle Management companies that affected PHI data shared by multiple healthcare providers.

In April 2022, a large RCM company experienced an email security breach, leading to vital PHI exposure. Healthcare providers like The Baptist Medical Centre, The Hospitals of Providence Memorial Campus, and The Resolute Health Hospital were affected by the data breach.

At the end of May 2022, data belonging to the Florida Springs Surgery Center (FSSC) was phished by a third-party agent, and the personal information of thousands of individuals was stolen.

Another report mentions that in October 2022, a big and influential billing and coding service provider suffered a data breach in which about 510,574 individual accounts were hacked and their information collected. This is reported to be the third-largest health data breach of 2022!

RCM tech and cyber security – Finding the balance

The idea behind creating RCM tech is to build structures and processes that can withstand security breaches and hacking. To do that, your tools need to be strong, and your strategies need to be well-thought-out and protective. 

Adhering to the HIPAA Act

The first thing Revenue Cycle Management companies should do before they start working with healthcare clients is to learn the rules of PHI.

For this to happen, the companies have to be HIPAA compliant. The Health Insurance Portability and Accountability Act (HIPAA) includes a set of rules and regulations that everyone in the healthcare industry needs to follow to ensure sensitive data stays protected.

You can do three main things to be a HIPAA-compliant RCM service provider.

  1. Authorize logins and general usage – Your network team needs to ensure everyone who is authorized to access sensitive data has a unique login ID and password. There must be systems in place to regulate and change passwords regularly. 
  2. Have activity monitoring tools in place – These help quickly identify any abnormal activity involving logins, downloads, or screen sharing.
  3. Have multiple security layers – Apart from having authorized login details, ensure you invest in other security layers like firewalls and network protection.

Quintessence is a HIPAA-compliant Revenue Cycle Management company. We ensure our employees access data only within our business centers and don’t encourage sharing or copying of sensitive files.

SOC 2 Type II auditing

SOC 2 Type II is a type of internal audit report that captures how well information is safeguarded within an organization. Typically, if Revenue Cycle Management companies use cloud storage, then getting SOC 2 Type II audits regularly would help address cybersecurity threats and tighten protection.

If you are a healthcare provider looking to hire a third-party RCM service provider, then make sure to explore their past SOC auditing reports to ensure data protection. Such audits are typically performed annually.

Quintessence is a SOC 2 Type II compliant organization, and our audits are conducted annually by third-party auditors. 


When you adopt newer technologies, there may be a shift in the data security dynamics, and networking teams need to be ready to handle the shift. Revenue Cycle Management companies must find a fine balance between embracing new technologies and protecting information.

As a healthcare client, make sure your RCM service providers are aware of HIPAA compliance and have regular audits to ensure data security. Pick providers who conduct regular security risk assessments to refine and upgrade their vigilance and protection plans. Talk to your service providers to understand how effective their data centers are. 

It is also important that your service providers stay updated about the latest regulatory requirements in data security. Remember that these regulations vary by region, and minor oversights may lead to legal hassles.

As a healthcare provider, you choose an RCM service provider to make everyday operations easier, quicker, and cost-effective. Lack of security and careless handling of data shouldn’t put you on the spot and lead to legal complications.

Talk to experts from Quintessence to find out how we handle data security within our organization. 
