QUANTITATIVE ASSESSMENT OF DATA PROTECTION PRACTICES IN U.S. REVENUE CYCLE MANAGEMENT

Abstract

This study quantitatively assessed data protection practices in U.S. revenue cycle management (RCM) by applying an evidence-oriented measurement instrument and summarizing results as an overall RCM Data Protection Index (RCM-DPI) with five domain subscales. A cross-sectional, observational design was used, and data were obtained from 120 organizations representing provider-operated, outsourced vendor, and hybrid RCM operating models. The overall RCM-DPI averaged 67.4 (SD = 9.8; median = 68.1; range = 41.0–88.5), indicating mid-range protection maturity with meaningful variability. Subscale means were highest for workforce safeguards (74.2, SD = 8.6) and data security controls (70.8, SD = 10.1), while auditability and monitoring (62.7, SD = 12.7) and vendor oversight (60.3, SD = 13.4) showed lower central tendency and wider dispersion. The overall index correlated strongly with auditability and monitoring (r = 0.85), identity and access governance (r = 0.82), vendor oversight (r = 0.80), and data security controls (r = 0.77), and moderately with workforce safeguards (r = 0.69), supporting coherent index composition. Organizational descriptors were negatively associated with protection outcomes, including toolchain complexity (r = -0.36 overall; r = -0.41 for auditability) and outsourcing proportion (r = -0.33 overall; r = -0.44 for vendor oversight). In multivariable regression, governance cadence positively predicted the overall index (B = 3.12, p < .001), while outsourcing intensity (B = -2.76, p < .001), toolchain complexity (B = -2.21, p = .003), and clearinghouse concentration (B = -1.48, p = .034) predicted lower scores; size tier was not significant (p = .18). Model fit was R² = 0.49 (adjusted R² = 0.46). Subscale reliability ranged from 0.81 to 0.88, supporting measurement consistency.