The Fear That Stalls More Outsourcing Decisions Than Any Other
A revenue cycle director at a 200-bed community hospital once told us she had spent six months evaluating coding vendors, narrowed the list to two strong finalists, and then stopped the process entirely. Not because of price. Not because of turnaround times. Because when she asked the offshore finalist how her patients' protected health information would be handled on the other side of the world, the vendor's sales rep stumbled, promised to "follow up," and sent a three-sentence email two days later.
That hesitation cost the vendor a contract. And it is the single most common blocker we see in outsourcing evaluations: legitimate, well-founded fear about PHI security.
The concern is not paranoia. Healthcare data breaches are expensive, embarrassing, and increasingly common. The average cost of a healthcare breach now exceeds $10 million per incident, according to IBM's annual research. Handing patient records to a third party, especially one operating outside the United States, feels like expanding your attack surface. It might be, if you choose the wrong partner. The goal of this post is to give you the exact questions to ask so you can tell the difference between a compliant coding partner and a risky one.
First: Is Outsourcing Coding Even HIPAA-Permissible?
Yes, clearly and explicitly. HIPAA's Privacy and Security Rules anticipate that covered entities will share PHI with vendors who perform services on their behalf. Those vendors are called business associates, and the legal framework governing the relationship is the Business Associate Agreement, or BAA.
A coding company receives diagnostic and procedural documentation, assigns codes, and returns coded records. That work requires access to PHI. As long as the relationship is governed by a properly executed BAA and the vendor meets the Security Rule's technical, administrative, and physical safeguard requirements, the arrangement is entirely lawful. Tens of thousands of US hospitals and physician groups outsource coding today under exactly this structure.
The question is never whether outsourcing is legal. The question is whether your specific vendor is actually compliant.
The Business Associate Agreement: What to Verify Before You Sign
A BAA is not a formality. It is a legally binding document that allocates responsibility for PHI between your organization and the vendor. A compliant BAA must include specific elements required under the HITECH Act and the 2013 Omnibus Rule. Before you countersign anything, confirm the following.
Does the BAA clearly define permitted uses of PHI?
The agreement should specify that your vendor may only use PHI to perform the contracted coding services, period. Vague language that allows "operational" or "business improvement" uses is a red flag. A serious vendor will not resist precise language here.
Does it cover subcontractors?
Under HITECH, a business associate's subcontractors who handle PHI are also business associates. If your coding vendor uses a quality assurance team, a CDI partner, or offshore staff through a subsidiary or third party, those relationships must be covered by downstream BAAs. Ask explicitly: "Do any subcontractors access PHI, and do you have signed BAAs with all of them?"
What are the breach notification timelines?
Federal law requires a business associate to notify the covered entity of a breach without unreasonable delay and within 60 days of discovery. Your BAA should specify a shorter internal timeline, often 24 to 72 hours, so you have time to meet your own notification obligations. If a vendor pushes back on a short internal notification window, that is worth noting.
What happens to your data at contract termination?
The BAA must address return or destruction of PHI when the relationship ends. You want a clear written commitment that all copies of your data, including any backups held by the vendor, are either returned to you or securely destroyed within a defined period.
Access Controls: How PHI Actually Moves (or Doesn't)
The technical architecture of how your data is accessed matters as much as the paperwork. There are two fundamentally different models, and they carry very different risk profiles.
Remote desktop or VPN access into your own systems
In this model, the vendor's coders log into your EHR or encoder remotely. PHI never leaves your infrastructure. The coder sees the record on screen, codes it, and logs off. Nothing is downloaded or stored on the coder's device. This is generally the most defensible architecture from a security standpoint, and it is the model preferred by security-conscious partners.
File transfer and local access
In this model, records or billing files are exported and transmitted to the vendor's environment. This is workable, but it requires strict controls on how files are transmitted (encrypted, over secure channels), how they are stored (with access logging), and how long they are retained. Unencrypted email transmission of PHI-containing files is a common and entirely avoidable violation.
Ask your candidate vendor directly: "Does PHI ever touch a coder's local device?" The answer should be no, or it should come with a very detailed explanation of endpoint controls, including full-disk encryption, mobile device management policies, and the ability to remotely wipe a device if it is lost or stolen.
Network and connection security
All remote connections should run over encrypted VPN tunnels or equivalent secure channels. Multi-factor authentication should be required for every login session, not just on initial setup. Session timeout policies should automatically log out inactive users. These are table-stakes controls, not differentiators, and any serious vendor should confirm them without hesitation.
Workforce Security: The Human Side of the Risk
Technology controls matter, but the majority of healthcare data breaches involve human actors, whether through error, negligence, or deliberate misuse. Ask how your vendor manages the people who touch your data.
- Background checks: Are criminal background screenings conducted on all staff who access PHI, including offshore coders? Are checks repeated periodically or triggered by role changes?
- HIPAA training: Is training conducted at hire and annually thereafter? Is completion documented and auditable?
- Confidentiality agreements: Do individual coders sign confidentiality and non-disclosure agreements in addition to the company-level BAA?
- Physical environment controls: For offshore teams, are coders working in a supervised facility rather than from home? Are personal phones and external storage devices prohibited in coding areas? Are screens positioned to prevent visual eavesdropping?
The physical environment question matters especially for offshore delivery. A coder working from a HIPAA-controlled facility with monitored workstations and strict device policies represents a fundamentally different risk profile than a coder working from a home network with a personal laptop. Ask for a description of the physical workspace, and if possible, ask whether the vendor has hosted a client site visit or virtual facility tour. A confident, compliant vendor will say yes.
Certifications and Audits: What They Mean and What to Ask
Third-party certifications are one of the best proxies available for evaluating a vendor's security posture, but they are not all equivalent. Here is what matters.
SOC 2 Type II
A SOC 2 Type II report means an independent auditor has tested the vendor's security, availability, and confidentiality controls over a period of time, typically six to twelve months. A Type I report only confirms controls exist at a single point in time. Ask for a Type II, ask what period it covers, and ask whether you can review the report under NDA. A vendor unwilling to share its SOC 2 report with serious prospects is a vendor worth questioning.
HITRUST CSF Certification
HITRUST is a healthcare-specific framework that incorporates HIPAA requirements alongside NIST, ISO, and other standards. Achieving HITRUST certification is a significant operational investment and signals a high level of security program maturity. Not all compliant vendors are HITRUST-certified, and the absence of certification does not automatically mean a vendor is non-compliant, but its presence is meaningful.
Internal audits and penetration testing
Ask whether the vendor conducts regular internal security audits and whether independent penetration testing is performed at least annually. Ask when the last test was conducted and whether any significant findings were identified and remediated. A vendor that has never been tested is a vendor that does not know where its vulnerabilities are.
This is also a good moment to ask about the vendor's coding quality audit process, because quality controls and security controls often reflect the same underlying discipline. An operation with strong QA tends to have strong compliance culture across the board.
Breach Response: What Happens If Something Goes Wrong
No security program eliminates risk entirely. What separates a trustworthy partner from a dangerous one is what happens after an incident.
Ask your candidate vendor to walk you through their incident response plan. Who is the designated security officer? What triggers an internal escalation? At what point are you, the covered entity, notified? Who handles communication with HHS if a reportable breach occurs?
A vendor without a documented incident response plan is not prepared. Preparation is not optional in healthcare IT.
Offshore Delivery Can Be Secure. Here Is How.
The offshore delivery model often triggers the most anxiety among buyers evaluating outsourced coding for physician coding (ProFee) or outpatient coding services. The concern is understandable, but it conflates geography with security posture, and those are different variables.
Geography determines where a coder sits. Security posture determines what controls surround that coder. A compliant offshore coding operation can be more secure than a non-compliant domestic one. The right questions to ask are not "where are your coders located?" but rather: Do they access PHI through secure, audited connections? Do they work in controlled physical environments? Are they HIPAA-trained, background-checked, and bound by confidentiality agreements? Is the data architecture designed to prevent local storage or unauthorized transmission?
When all of those answers are yes, the country code of the facility is not the risk factor. The controls are what matter.
How MedCodex Handles PHI and BAAs
MedCodex is a HIPAA-compliant coding and CDI partner. We execute a Business Associate Agreement with every client before any work begins, and that agreement covers our full delivery chain. Our coders access client systems through encrypted, secured connections. PHI is not stored on local devices, and our offshore coding operations are conducted in supervised, controlled facilities with strict device and physical access policies. Our workforce undergoes background screening, mandatory HIPAA training at onboarding and annually, and individual confidentiality agreements.
We maintain a documented incident response program with defined escalation timelines, and we welcome security due diligence conversations at any stage of the evaluation process. If you want to review our security documentation or ask specific questions about our architecture, our team will answer them directly, not after a two-day delay.
We also offer a free pilot so you can evaluate our accuracy, turnaround, and processes before committing. Use our free Coding Outsourcing ROI Calculator to model the financial picture alongside the security picture.
Before you finalize your evaluation, we also recommend reviewing our posts on coding company red flags and how to evaluate a partner to make sure you are asking the full set of questions, not just the security ones.
The Right Partner Answers These Questions Without Blinking
Security due diligence is not an obstacle to outsourcing. It is the process of finding the partner who has already done the work to earn your trust.
A vendor that hesitates, deflects, or sends vague follow-up emails when you ask how your patients' data is protected is telling you something important. A vendor that walks you through their BAA provisions, describes their access architecture, references their audit history, and hands you a facility overview without being asked is telling you something different.
The questions in this post are not exhaustive, but they will separate a compliant partner from a risky one faster than any RFP questionnaire.
If you are ready to have that conversation, contact MedCodex to speak with our team about our outpatient coding and ProFee services, our security documentation, and how a free pilot works.