Compliance Matters: Third-Party Vendors, Outsourced Agencies and You

Published 05/27/2025

What Are Third-Party Vendors?

Third-party vendors, also referred to as outsourced agencies or business associates/partners, have an equal obligation to maintain Medicare compliance. Examples of third-party vendors include:

  • Billing agencies
  • Clearinghouses
  • Software vendors
  • Auditing firms

By contracting with any external party to perform Medicare transactions on your behalf, you are authorizing them to:

  • Access and protect Health Insurance Portability and Accountability Act (HIPAA)-related information, including protected health information (PHI) and personally identifiable information (PII)
  • Conduct legal, ethical and compliant transactions with Medicare

Depending upon the type of contract/agreement, these external parties are authorized to do the following on your behalf:

  • Perform credentialing activities
  • Conduct billing transactions, appeals, etc.
  • Receive Medicare reimbursement for these transactions
  • Submit inquiries regarding your transactions

What Are Your Obligations?

If you use a third-party vendor, outsourced agency or business associate/partner, what is your obligation to ensure compliance? Use the information below when selecting a vendor, developing a written contract and monitoring ongoing vendor performance.

Step 1: Identify How They Protect Your Data

Questions to ask include:

  • Does this company use any sub-contractors?
  • Does your information or the information for your patients go outside of the United States (offshore)? 
    • Electronic health information processed or stored outside of the United States has a greater risk and vulnerability for unauthorized disclosure and potential security breaches

Step 2: Understand How They Will Ensure Accurate and Timely Claims, Appeals and Related Submissions

  • Are they knowledgeable and trained in Medicare rules and regulations and using Medicare Administrative Contractor (MAC) and the Centers for Medicare & Medicaid Services (CMS) resources?
  • Are you provided with proof of claim submission?
  • Do you receive feedback on claim denials, rejections and/or return to provider (RTP) to know if claim processing is correct?
  • What percentage of your claims require appeal submission?
  • Does the vendor have access to your remittance advices to determine claim processing outcomes? If so, how do they use that information?

Step 3: Determine Your Contractual Charge Structure

  • Are you charged per transaction? Per inquiry? Other?
  • How will you know the transactions and calls are legitimate?

For example, if the vendor can determine patient eligibility using the Interactive Voice Response (IVR) or eServices portal, why would they call the Customer Contact Center and charge you for that transaction?

Or, if the vendor is provided with copies of your remittance advices, why do they need to call to obtain claim status and charge you for that transaction? Claim status is readily available in the IVR and portal.

Consider validating the following with third-party vendors, outsourced agencies, and business associates/partners:

  • Document compliance and performance expectations, standards of conduct, vendor/provider responsibilities, and methods to ensure continued compliance in the written business contract
  • Ensure PHI/PII is protected, and your information is not outsourced offshore or to other vendors without your knowledge
  • Conduct frequent assessments regarding vendor performance
  • Request proof of submission
  • Validate accuracy and timeliness by reviewing claim denial, rejection and RTP rates
  • Determine charge structure and eliminate waste or excessive costs, including unnecessary inquiries whereby self-service tools could be leveraged instead of calling, improper or incorrect claim submissions, and overall Medicare compliance

Resources


Was this article helpful?