The CFO’s Guide to Offshore Medical Billing: What to Audit Before You Sign

Offshore medical billing is not the problem. Bad offshore medical billing is. The difference is not geography. It is architecture: how your vendor structures the work, who owns accountability, what security controls are proven, and what escalates back to US staff when a denial gets complicated. A healthy offshore stack can cut your cost-to-collect by 30 to 50 percent without compromising cash. A bad one will cost you more than you saved in the form of aged AR, HIPAA exposure, and denial backlogs no one on your team can unwind.

This is the CFO’s pre-contract audit. Read it before you sign. Read it before you renew. Read it before you let a sales rep show you one more slide with a 98 percent clean-claim rate that does not include the denominator.

The Real Cost Math

The offshore pitch usually opens with a per-FTE cost comparison: $65,000 onshore versus $18,000 offshore. That is not the number that matters. The number that matters is cost-to-collect as a percentage of net patient revenue, including all layers of the stack.

The Onshore AM Plus Offshore Production Stack

A defensible offshore model is never “all offshore.” It is a hybrid. The right structure:

  • Onshore Account Manager (AM): US-based, named, single point of accountability. Owns the client relationship, manages escalations, signs the monthly review.
  • Onshore Denials and Appeals Lead: US-based clinical-adjacent staff who handle complex denial logic, payer policy interpretation, and appeal drafting.
  • Offshore Production: charge entry, payment posting, simple AR follow-up, eligibility verification, credentialing data operations. This is the volume layer.
  • Onshore Patient-Facing: US-based team for patient collections calls when accent, time zone, or complaint patterns require it.

If your vendor quotes you a pure offshore number, you are being quoted a production-only cost that does not include the onshore layer you will be paying for separately or will be forced to staff internally.

True Cost-to-Collect Benchmark

For a well-run hybrid RCM stack in 2026, expect cost-to-collect between 3.5 and 5.5 percent of net patient revenue, depending on specialty and complexity. Behavioral health and ABA often run 4.5 to 6.0 percent due to payer complexity. Physician group primary care can run 3.0 to 4.0 percent. Anything significantly below those numbers with a pure-offshore model is either loss-leading or cutting corners you will pay for later.

Security and HIPAA: Non-Negotiables

Business Associate Agreement (BAA)

Every offshore vendor touching PHI must sign a BAA that binds them and their subcontractors. Read the subcontractor flow-down clause. Confirm that any sub-tier offshore BPO is also bound by BAA and is named in your vendor’s subcontractor registry. “We have a BAA” is a starting point, not a finish line.

SOC 2 Type II

SOC 2 Type I confirms that controls exist on a given date. That is not enough. SOC 2 Type II confirms the controls operated effectively over a period (typically 6 to 12 months). Demand the Type II report with an observation period that ends within the last 12 months. Read the exceptions section. A clean SOC 2 Type II with zero exceptions is rare and slightly suspicious. Moderate exceptions with documented remediation are normal. Qualified opinions or material exceptions are a decline.

HITRUST Certification (Preferred)

HITRUST CSF certification goes beyond SOC 2 for healthcare-specific risk. Not every vendor has it. The ones that do are generally operating at a higher baseline.

Data Residency and Access Controls

Where does PHI live? Where can it be accessed? Can offshore staff download, screenshot, or email PHI? The defensible answer is: PHI is accessed only through a virtualized session (VDI or equivalent), with clipboard, print, USB, and local file storage disabled. Physical sites must have clean-room controls: no phones, no paper, no personal devices in production floors. Biometric entry. Session recording. Keystroke logging is table stakes in mature offshore RCM operations.
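The controls above (and audit checklist item 4 below) are usually presented by the vendor as a questionnaire answer. During an on-site or screen-shared review, your security team can test the claim directly on a session host. The script below is an added example, not part of the original article and not vendor-supplied; it assumes the vendor's VDI is Windows Remote Desktop Services and reads the standard Terminal Services policy values that disable clipboard, printer, drive, and Plug and Play (USB) redirection. Other VDI products enforce the same restrictions through their own settings, so the checks would need to be translated for those platforms. The list of expected values is the assumption being tested.

```powershell
# Added example (not from the original article): audit a Windows Remote Desktop
# Session Host / VDI image for the session-lockdown settings the article describes
# (clipboard, printer, drive, and USB/PnP redirection disabled).
# Assumes the vendor's VDI is Windows RDS. Run in an elevated PowerShell session on the host.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each entry: Group Policy value name, the expected value for a locked-down host,
# and a plain-language description of the control it enforces.
$requiredSettings = @(
    @{ Name = 'fDisableClip';     Expected = 1; Control = 'Clipboard redirection disabled' },
    @{ Name = 'fDisableCdm';      Expected = 1; Control = 'Drive (local file) redirection disabled' },
    @{ Name = 'fDisableCpm';      Expected = 1; Control = 'Client printer redirection disabled' },
    @{ Name = 'fDisablePNPRedir'; Expected = 1; Control = 'Plug and Play (USB device) redirection disabled' },
    @{ Name = 'fDisableLPT';      Expected = 1; Control = 'LPT port redirection disabled' },
    @{ Name = 'fDisableCcm';      Expected = 1; Control = 'COM port redirection disabled' }
)

function Test-RdsLockdown {
    param([string]$Path, [array]$Settings)

    $results = foreach ($s in $Settings) {
        # A missing value means the policy is not configured, which is the permissive default.
        $actual = (Get-ItemProperty -Path $Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Control  = $s.Control
            Setting  = $s.Name
            Expected = $s.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Status   = if ($actual -eq $s.Expected) { 'PASS' } else { 'FAIL' }
        }
    }
    return $results
}

$report = Test-RdsLockdown -Path $policyPath -Settings $requiredSettings
$report | Format-Table -AutoSize

# Exit non-zero if any control is missing, so the check can be used as evidence
# in the security questionnaire rather than relying on the vendor's assertion.
if ($report | Where-Object Status -eq 'FAIL') {
    Write-Warning 'One or more session-lockdown controls are not enforced on this host.'
    exit 1
}
```

Run it on a production session host, not a demo image, and keep the output with the rest of the questionnaire evidence. A PASS on every line shows the policy is set on that host; it does not prove session recording or physical clean-room controls, which still need third-party audit evidence as item 5 of the checklist requires.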

Breach Notification and Cyber Insurance

Contractual breach notification should require the vendor to notify you within 24 to 72 hours of any suspected incident. Cyber liability insurance coverage must be sized to your risk (minimum $5M for mid-market practices, $10M-plus for health systems). Request certificates of insurance and verify with the carrier.

Where Offshore Works and Where It Does Not

Where It Works

  • AR follow-up on routine claims (status calls, simple rebills, straightforward resubmissions)
  • Charge entry from scanned encounter forms or EHR exports
  • Payment posting (ERA and manual)
  • Eligibility verification and benefits checks
  • Credentialing data operations (CAQH maintenance, payer portal updates, data entry in enrollment applications)
  • Prior authorization data entry and tracking
  • Coding for standardized, high-volume specialties (with US coder QA)

Where It Does Not

  • Complex denial appeals requiring payer policy interpretation, medical necessity argumentation, or clinical chart review
  • High-touch patient collections calls, especially for vulnerable populations (behavioral health, SUD, pediatric specialty)
  • Payer negotiation escalations
  • Clinical coding for complex specialties (interventional pain, surgical oncology, behavioral health CoCM, high-complexity ABA)
  • Compliance, audit defense, and regulatory correspondence
  • Relationship-driven payer escalations where a named US AM is answering the phone

If a vendor pitches you an all-offshore stack that includes complex appeals and patient calls, they are either lying about where the work is actually done or they are going to deliver poor outcomes and let your AR age.

The 12-Point Pre-Contract Audit Checklist

1. Named Onshore Account Manager

Demand a named AM in writing, with resume, tenure, and backup. No named AM is a decline.

2. SOC 2 Type II Report (Current)

Request the full report, not the summary. Period end within 12 months. Review exceptions and management responses.

3. BAA with Subcontractor Flow-Down

Every sub-tier BPO named. Every one bound.

4. PHI Access Architecture

VDI or equivalent. No local storage. No clipboard. No screenshot. Documented in the security questionnaire with evidence.

5. Physical Site Controls

Clean-room production floors. No personal devices. Biometric entry. Session recording. Third-party audit evidence (not just vendor claims).

6. Staffing Plan by Function

Written breakdown: how many FTEs onshore, how many offshore, by function (charge entry, posting, AR, denials, patient calls). Ratios that shift production offshore with no onshore complement on denials are a red flag.

7. Escalation Path to US Leadership

Named escalation contacts: AM, Director, VP, and ultimately C-level. Response time SLAs in writing.

8. KPIs and SLAs with Financial Consequences

Days in AR, clean-claim rate, denial rate, first-pass resolution, payment posting lag, patient call answer rate, and turnaround on charge entry. SLAs must be measurable. Missed SLAs must have financial credits.

9. Reporting Transparency

Daily operational dashboards. Monthly performance review decks. Direct access to raw data (not just vendor-produced PDFs). If you cannot pull the underlying data yourself, you cannot verify performance.

10. Transition and Exit Plan

How does work transition in? How does work transition out? Exit provisions: data return format, transition assistance hours, non-solicitation constraints, timeline. If the exit clause is weaker than the entry clause, you have a trap door.

11. Pricing Transparency

Percentage-of-collections is the most common RCM pricing model. Confirm the base: all payments, or only payer payments (excluding patient)? Are refunds netted? Are takebacks netted? Are implementation, credentialing, coding, and technology fees inside or outside the percentage? Black-box pricing is a decline.

12. Compliance and Audit Support

Who handles a payer audit? Who handles an OIG letter? Who drafts appeal narratives under time pressure? The vendor’s answer must include named onshore staff with clinical or audit-defense experience. “We will figure it out” is not an answer.

Red Flags in the Sales Pitch

Magical Denial Rates

“We have a 2 percent denial rate across all clients.” Denial rates vary by specialty, payer mix, and complexity. A sub-5 percent denial rate across a diverse book of business is either aggressive definition (they are not counting administrative denials, or they are counting first-pass only), or it is fiction.

No Named Account Manager

“You will have access to our team.” Translation: no one owns your account. Decline.

Black-Box Pricing

“We offer a single blended percentage for everything.” Ask what is included. If you cannot get a written line-item breakdown, the price will grow post-signature.

No US Escalation Path

“Our offshore leadership handles all issues.” You will not get a US director or VP on the phone at 4pm on a Tuesday when you have a crisis. Decline.

Hype Around AI Without Substance

“Our AI auto-appeals denials.” Ask for specifics. What models? What payers? What denial categories? What is the QA layer? AI-generated appeal narratives without human review are a compliance grenade. AI as a triage and draft tool with human review is legitimate. Know the difference. Evaluate the vendor’s actual technology platform, not the sales deck.

Unreasonably Short Implementation

“We go live in 2 weeks.” For a single-specialty small practice, possibly. For a multi-site group with multiple payer contracts and EHR integrations, 2 weeks is a promise that will be broken and your AR will suffer for it. Realistic implementations for mid-market practices run 45 to 120 days.

Reference List That Does Not Include Similar Practices

If the references are all orthopedic single-sites and you are a 40-clinic ABA group, the references are not evidence. Demand references in your specialty and your size band.

Reference-Check Questions That Get Real Answers

Vendor-supplied references are rehearsed. Ask questions that force specifics.

  • What is your current days-in-AR under 30, under 60, under 90, over 120? What was it before the vendor? What is it now?
  • What is your first-pass clean-claim rate? How is it calculated?
  • How many times in the last 12 months has a denial appeal required your own clinical staff to draft or redraft the narrative?
  • What is the vendor’s response time when you email the AM? When you email the AM’s boss?
  • Have you had a HIPAA incident or near-miss? How was it handled?
  • What have you had to insource after signing with this vendor?
  • Did the pricing grow after signature? By how much? Why?
  • If you were signing again today, would you sign with the same vendor?

The last question is the one that matters most. A hesitation before “yes” is a no.

Contract Terms to Non-Negotiate

Auto-renewal with greater than 30-day opt-out notice: delete. Exclusivity clauses: delete. Vendor-owned claim-level data: delete. Vague SLA language without credits: rewrite with specifics. Indemnification caps below your cyber insurance floor: renegotiate. Term lengths over 36 months without performance outs: renegotiate.

What a Good Hybrid RCM Partnership Looks Like

Named US AM with 3-plus years of RCM experience in your specialty. A US denials and appeals lead with clinical or coding credentials. Offshore production team with documented training and QA. Monthly performance review with real data, not curated dashboards. Transparent line-item pricing. SOC 2 Type II with clean or lightly exceptioned reports. A technology platform that gives you data access, not vendor-gated dashboards. Clear escalation to VP and C-suite on demand.

That is the bar. Anything below the bar is a future problem. Learn how we structure our revenue cycle management delivery model, and see specialty-specific approaches for mental health, ABA, substance abuse treatment, and physician groups.

Frequently Asked Questions

Is offshore medical billing HIPAA-compliant?

It can be, when the vendor operates under a BAA with subcontractor flow-down, maintains SOC 2 Type II (ideally HITRUST) controls, uses virtualized PHI access with no local storage, and enforces clean-room physical site controls. HIPAA does not prohibit offshore PHI handling. It requires the same controls as onshore handling, with additional contractual safeguards.

What percentage of RCM work should stay onshore?

There is no universal percentage, but a defensible hybrid model typically keeps 15 to 30 percent of FTE-equivalents onshore (AM, denials lead, high-touch patient-facing, compliance) and places 70 to 85 percent offshore (production, AR follow-up, data operations). Practices with higher clinical complexity or vulnerable patient populations should skew more onshore.

How long does a realistic RCM vendor transition take?

For a mid-market multi-site practice: 45 to 120 days from contract signature to full production, depending on EHR integrations, payer enrollment transfers, and data migration. Anything shorter is either a simple practice or an over-promise.

What is the most important single contract term to negotiate?

The exit clause, including data return format and transition assistance hours. If you cannot exit cleanly, you are not a client. You are captive. Everything else is negotiable if the exit is clean.

How do I verify a vendor’s SOC 2 Type II report is legitimate?

The report is issued by an independent CPA firm. Verify the firm’s license and request direct confirmation from the firm if the vendor is evasive. The report should name the auditing firm, the observation period, the Trust Services Criteria covered (Security at minimum, ideally Availability and Confidentiality for RCM), and include management’s assertion and the auditor’s opinion.

Can offshore teams handle coding?

Standardized, high-volume specialty coding can be performed offshore with US-based QA review, AAPC or AHIMA certified coders, and documented accuracy rates above 95 percent. Complex coding (interventional pain, complex surgical, high-complexity behavioral health) should be US-based or US-QA gated. See our approach to medical coding for the full model.

Do the Audit. Then Sign.

The offshore RCM market is large, mature, and full of very good operators and very bad ones. The difference is not price. The difference is architecture, accountability, and controls. If a vendor cannot answer the 12 points above with documentation in hand, the vendor is not ready for your business, regardless of how attractive the pricing looks.

Revenant Care runs a hybrid onshore-plus-offshore RCM model built for multi-site practices, behavioral health, ABA, SUD, and physician groups. We publish our SOC 2 Type II. We name your AM. We give you raw data access. We price line-item. If you are evaluating RCM partners and you want a vendor who passes its own checklist, see our revenue cycle management services and then contact us.