How to choose an RCM vendor: 12 questions every CFO should ask before signing.

Below: 12 questions, what a good answer looks like, and what a bad answer reveals. Print this and bring it to every vendor presentation.

01"Who actually owns my account?"

Good answer: A named senior partner with their direct phone number, a tenure of 8+ years in RCM, and accountability for your P&L. The same person attends QBRs, signs your monthly scorecard, and picks up the phone when escalations happen.

Bad answer: "You'll have a dedicated account manager" (who turns out to be a 2-year-tenured CSM with 40 accounts). Or worse: "Your day-to-day will be handled by our team in [offshore location]" without naming a US-based owner.

02"What's in your written SLA, exactly?"

Ask for a redacted sample. Look for:

• First-pass clean claim rate target (good: 95%+)
• Days in AR target by aging bucket (0-30, 31-60, 61-90, 90+)
• Denial rate target (good: under 5% for most specialties)
• Charge lag target (good: under 48 hours)
• Credit balance resolution timing
• What happens when SLAs are missed (financial credit? remediation plan?)

Red flag: "We don't share SLAs in writing — targets are agreed verbally." Walk away.

03"How is pricing structured? Show me a sample invoice."

Good answer: Clear percentage of net collections (4-8% depending on specialty), or an FTE-based model, or a hybrid — with a sample invoice showing exactly what gets billed. See typical ranges by specialty.

Bad answer: Setup fees that aren't disclosed upfront. Per-transaction fees layered on top of percentage. Volume "tiers" that mysteriously reset. Aggressive auto-renewal terms.

04"What's your typical onboarding timeline?"

Good answer: 30-60 days, with a Day 1 / Day 30 / Day 60 / Day 90 plan in writing. Discovery, contracts, system access, payer mapping, parallel processing, go-live, SLAs activated.

Bad answer: "We'll go live next week" (no real onboarding = pain in month 2). Or: "Onboarding can take 4-6 months" (operationally weak).

05"Walk me through a denial appeal you handled last week."

This question separates marketing-led vendors from operations-led ones. A good RCM team can talk specifics: a CO-50 medical necessity denial from BCBS for a sleep study, the supporting documentation they pulled from the EHR, the appeal letter template they used, the turnaround time, and the outcome. A bad vendor gives you generalities.

06"What's your security posture?"

Good answer: Current SOC 2 Type II report (request a copy under NDA), HIPAA compliance attestation, ISO 27001 certification, HITRUST status, signed BAA at engagement start, encryption at rest and in transit, MFA on all systems, documented incident response plan with named breach notification timelines.

Red flag: "We're working on SOC 2." Or vague language about "industry-standard security." For healthcare, vague isn't enough.

07"How do you report to my CFO?"

Good answer: Monthly CFO scorecard with a fixed template covering: collections vs target, AR aging by bucket, denial rate trend, top 5 denial reasons, payer-mix breakdown, charge lag, credit balance, productivity per FTE. Plus a quarterly business review with the senior partner reviewing forward-looking initiatives.

Bad answer: "We can build whatever dashboard you want." Translation: they don't have a standard, you'll be writing requirements forever.

08"What happens if we want to leave?"

Read the termination clause carefully. Ask:

• Notice period? (60-90 days is standard. 12+ months is a red flag.)
• Data extraction process? (Should be free, in standard formats.)
• Transition support? (60-90 days of overlap support is reasonable.)
• Penalties for early termination? (Should be limited to wind-down costs.)

09"Who's onshore vs offshore? Where exactly?"

Most modern RCM operates with global teams — that's not bad in itself. What matters is who does what:

• Senior partner / account ownership: should be onshore (US)
• Coding (CPC, CCS): often onshore for higher complexity, can be offshore for high-volume routine
• Claims submission, payment posting, AR follow-up: often offshore (cost-effective, scales well)
• Patient-facing functions: should be onshore for cultural fluency

Ask the specific city/country for each function. Vendors that won't say are usually hiding lower-quality operations.

10"How do you handle credentialing?"

Good answer: Dedicated credentialing team with average enrollment times you can verify (industry average is 90-120 days; specialists like ASP-RCM hit 22-60 days). CAQH, PECOS, NPPES maintenance included. Re-credentialing tracked proactively. See our credentialing service.

Bad answer: "We do that as part of the package" (without specifics). Credentialing is operationally distinct from billing — if a vendor treats it as an afterthought, it'll be a problem.

11"Show me a current client's monthly scorecard (anonymized)."

The single most predictive question. A good vendor will pull up a real scorecard from a real similar-sized client (anonymized) and walk you through the metrics. A bad vendor will say "we can't share that" or send you a marketing PDF.

12"What's your AI policy? What's automated, what's reviewed by humans, and how do you handle errors?"

Good answer: Specific about which tasks use AI (e.g., autonomous coding for radiology with confidence thresholds, denial prediction for payer-mix routing, eligibility automation), what the human-in-the-loop policy is, and how errors are caught and corrected. They can show you the audit trail.

Bad answer: Either "we don't use AI" (you'll pay more for the same work) or "we're fully AI-automated" (no human accountability when things break). The right answer is "we use AI where it actually moves the needle, with humans accountable for outcomes." Read our AI trust framework for the framing CFOs should use.

The honest summary: price comparisons are the easy part. The questions above are the ones that predict whether your RCM partner will be a 5-year relationship or a 12-month divorce. Bring this list. The vendors that answer fluently are the ones worth signing.