Compliance & Security
The combination of healthcare and receivables management creates a complex compliance challenge that requires expert personnel and systematic management. USCB has a highly qualified staff who drive our compliance and quality control initiatives and also employs a robust quality management system subjected to the rigors of internal and third-party audits.
USCB employs a General Counsel and Vice President of Compliance, who is certified as a Credit, Collection and Compliance Attorney by ACA International, and three compliance managers, who are all certified as Credit, Collection and Compliance Officers. Working in concert with the compliance team is a separate Audit and Quality Assurance team focused on internal review of USCB’s procedures and compliance with client requirements.
USCB has begun the process for Professional Practices Management System (PPMS) certification, a compliance and quality control system based on the management program developed and certified through ACA International. USCB expects certification by December 2020.
PPMS was developed specifically for receivables management companies and is based on principles of ISO 9001. It is a comprehensive quality assurance program that ensures documentation of all policies, procedures and work instructions with an audit schedule throughout the company.
A robust documentation procedure for client and patient concerns is one of the key components of USCB’s compliance management system. When an issue or complaint is raised, the compliance team investigates it and, if there was a deviation from procedure, determines the root cause of the problem and applies an appropriate corrective action to prevent recurrence of the same issue.
USCB conducts a training program for every new employee, which covers an overview of the accounts receivable industry and in-depth discussions regarding USCB’s Code of Ethics, the Fair Debt Collection Practices Act (FDCPA), the Telephone Consumer Protection Act (TCPA), the Health Insurance Portability and Accountability Act (HIPAA), and Data Security. Continuous training is provided through questions emailed directly to employees at their workstations every day. All employees are required to pass annual examinations regarding FDCPA and HIPAA.
Security & Privacy
USCB’s Vice President of Security is responsible for coordinating the security of client account information on USCB’s database as well as overall compliance with the HIPAA Security Rule, and data protection strategies. The IT Department continually monitors for any internal and external risks to the security, confidentiality, and integrity of customer information, and makes adjustments when necessary. USCB’s Audit Department assists the IT Department with internal audits regarding the security and privacy of physical and electronic information. Additionally, USCB has retained the services of a third-party data security company that evaluates USCB’s IT systems for potential risks and vulnerabilities. The external security audit includes a review of USCB’s written policies, evaluation of IT infrastructure and penetration testing.
USCB is certified compliant with the following security standards, regulations, and laws:
- Health Insurance Portability & Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS) version 3.1
- Level 1 Service Provider
- ISO 27002
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
- Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth (Mass 201 CMR 17.00)
- Minnesota Plastic Card Security Act (MN PCA)
- Nevada Security of Personal Information (NRS 603A)
- Federal Trade Commission (FTC) Red Flag Rules
In addition to requiring each employee to display a company ID badge during all work hours and applying other standard safeguards, such as individual log-in passwords and automated workstation timeouts, USCB also ensures that the level of access given to an employee strictly corresponds with the employee’s job duties. Job segregation controls are designed to limit access to personal and private client data to only those employees whose job description makes access necessary.