
HIPAA & Compliance

Last updated: May 17, 2026

RCM Staff™ provides revenue cycle management staffing and operational support services for U.S. healthcare organizations. Because our work may involve access to Protected Health Information (PHI) within client-approved systems, we maintain administrative, technical, and workforce safeguards designed to support HIPAA-sensitive healthcare operations.

This page explains how RCM Staff™ approaches HIPAA-related responsibilities, workforce training, secure operations, and compliance communication.

Our Role

RCM Staff™ is not a healthcare provider, health plan, or healthcare clearinghouse. We do not provide medical treatment, diagnosis, clinical advice, or patient-facing healthcare services.

When RCM Staff™ supports healthcare organizations with billing, coding, claims, A/R follow-up, eligibility verification, prior authorization, or related revenue cycle functions, we may operate as a Business Associate under HIPAA, depending on the client relationship and the nature of the work performed.

RCM Staff™ may enter into a Business Associate Agreement (BAA) with clients when required.

Website and PHI

The public RCM Staff™ website is intended for marketing, business inquiries, and consultation scheduling only. For information on how personal data submitted through this website is collected and used, see our Privacy Policy.

Please do not submit Protected Health Information (PHI), patient records, medical documentation, insurance information, claim details, or other sensitive patient data through our website forms, general email inboxes, or scheduling tools.

If PHI must be exchanged as part of an active client engagement, it should only be transmitted through client-approved secure systems or other authorized methods agreed upon in writing.

HIPAA-Aligned Safeguards

RCM Staff™ maintains policies and procedures intended to support secure handling of healthcare information. The HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards to protect electronic PHI.

Our safeguards may include:

  • HIPAA and privacy awareness training for assigned workforce members
  • Confidentiality agreements for personnel handling healthcare information
  • Role-based access principles
  • Minimum necessary access practices
  • Controlled onboarding and offboarding procedures
  • Multi-factor authentication where supported or required
  • Secure password and account management practices
  • Device security expectations
  • Restrictions on unauthorized storage, copying, printing, or sharing of PHI
  • Incident reporting procedures
  • Client-specific workflow and system access rules

Specific safeguards may vary depending on the client environment, contract terms, EHR, clearinghouse, payer portal, or practice management system involved.

Workforce Training

RCM Staff™ personnel assigned to healthcare-related work are expected to complete HIPAA and confidentiality training as part of onboarding and ongoing workforce education.

Training may cover:

  • What PHI is and why it must be protected
  • Privacy Rule and Security Rule awareness
  • Minimum necessary use and disclosure principles
  • Secure handling of electronic PHI
  • Password security and multi-factor authentication
  • Phishing and social engineering awareness
  • Remote work security expectations
  • Incident identification and reporting
  • Client-specific system and workflow requirements

Training is intended to support practical day-to-day compliance, not just document completion.

Business Associate Agreements

When RCM Staff™ performs services that require access to PHI on behalf of a covered entity or another business associate, we may execute a Business Associate Agreement.

A BAA generally defines permitted uses and disclosures of PHI, safeguarding obligations, reporting requirements, subcontractor expectations, and other HIPAA-related responsibilities between the parties.

Access to Client Systems

RCM Staff™ personnel typically perform work inside client-approved systems, such as EHRs, practice management systems, clearinghouses, payer portals, secure communication tools, and other authorized platforms.

RCM Staff™ does not independently create patient portals, clinical records, or treatment documentation unless specifically authorized by the client and within the assigned scope of work.

Access to client systems should be limited to assigned workforce members and based on job responsibilities.

Reporting Privacy or Security Concerns

RCM Staff™ encourages prompt reporting of privacy, security, or compliance concerns. Reports may include:

  • Suspected unauthorized access to PHI
  • Accidental disclosure of patient information
  • Lost or compromised login credentials
  • Suspicious emails or phishing attempts
  • Incorrect recipient emails or messages
  • Improper storage, download, or sharing of PHI
  • Potential breach or security incident
  • Questions about permitted uses of patient information

Reports should be made as soon as possible so the matter can be reviewed and addressed.

Incident Response

If RCM Staff™ becomes aware of a potential privacy or security incident involving PHI, we will review the issue and coordinate with the affected client as appropriate.

Under the HIPAA Breach Notification Rule, business associates are required to notify covered entities following a breach of unsecured PHI.

RCM Staff™ will follow applicable contractual obligations, Business Associate Agreement terms, and client-specific reporting procedures when responding to suspected or confirmed incidents.

Compliance Officer

RCM Staff™ has designated a Compliance Officer to receive and review HIPAA, privacy, security, and compliance-related questions or reports.

RCM Staff™
Compliance Officer: Kevin Jamito
Email: compliance@rcmstaff.com
Website: rcmstaff.com

No Guarantee of Universal Compliance

HIPAA compliance depends on the combined policies, systems, safeguards, contracts, workforce behavior, and operational controls of all parties involved.

RCM Staff™ maintains compliance-focused practices to support healthcare clients, but each client remains responsible for its own HIPAA obligations, internal policies, system configurations, user access decisions, and legal compliance requirements.

Questions

For HIPAA, privacy, security, or compliance-related questions, please contact:

RCM Staff™
Compliance Officer: Kevin Jamito
Email: compliance@rcmstaff.com
Website: rcmstaff.com