Compliance matters: Third-party vendors, outsourced agencies, and you
Third-party vendors, also referred to as outsourced agencies or business associates / partners, have an equal obligation to maintain Medicare compliance. Examples of third-party vendors include:
- Billing agencies
- Clearinghouses
- Software vendors
- Auditing firms
By contracting with any external party to perform Medicare transactions on your behalf, you are authorizing them to:
- Access and protect HIPAA-related information, including protected health information (PHI) and personally identifiable information (PII)
- Conduct legal, ethical and compliant transactions with Medicare
Depending upon the type of contract / agreement, these external parties are authorized to do the following on your behalf:
- Perform credentialing activities
- Conduct billing transactions, appeals, etc.
- Receive Medicare reimbursement for these transactions
- Submit inquiries regarding your transactions
If you use a third-party vendor, outsourced agency, or business associate / partner, what is your obligation to ensure compliance?
Use the information below when selecting a vendor, developing a written contract, and monitoring ongoing vendor performance.
Step 1: Identify how they protect your data
- Questions to ask include:
- Does this company use any subcontractors?
- Does your information or the information for your patients go outside of the United States (offshore)?
- Electronic health information processed or stored outside of the United States has a greater risk and vulnerability for unauthorized disclosure and potential security breaches
Step 2: Understand how they will ensure accurate and timely claim, appeal, etc., submission
- Are they knowledgeable and trained on Medicare rules and regulations and using MAC and CMS resources?
- Are you provided with proof of claim submission?
- Do you receive feedback on claim denials, rejections, and return to provider (RTP) claims so that you know whether claims are processing correctly?
- What percentage of your claims require appeal submission?
- Does the vendor have access to your remittance advice to determine claim processing outcomes? If so, how do they use that information?
Step 3: Determine your contractual charge structure
- Are you charged per transaction, inquiry, etc.?
- How will you know the transactions and calls are legitimate?
- For example, if the vendor can determine patient eligibility using the IVR or Portal, why would they call the Customer Contact Center and charge you for that transaction?
*Effective December 1, 2025, eligibility will no longer be available through the IVR.
- If the vendor is provided with copies of your remittance advice, why do they need to call to obtain claim status and charge you for that transaction?
- Claim status is readily available in the IVR and portal
Consider validating the following with third-party vendors, outsourced agencies, and business associates / partners:
- Document compliance and performance expectations, standards of conduct, vendor / provider responsibilities, and methods to ensure continued compliance in the written business contract
- Ensure PHI/PII is protected, and your information is not outsourced offshore or to other vendors without your knowledge
- Conduct frequent assessments regarding vendor performance
- Request proof of submission
- Validate accuracy and timeliness by reviewing claim denial, rejection and RTP rates
- Determine charge structure and eliminate waste or excessive costs, including unnecessary inquiries whereby self-service tools could be leveraged instead of calling, improper or incorrect claim submissions, and overall Medicare compliance
References
- Security Rule at 45 Code of Federal Regulations (CFR) 164.308(a)(1)(ii)(A) and (a)(1)(ii)(B)
- Medicare Learning Network (MLN) Matters Article: MLN8816413 “Checking Medicare Eligibility”
- HIPAA Privacy Rule Business Associates Guidance
- Compliance Program Guidance for Third-Party Medical Billing Companies: Federal Register, Volume 63