
HIPAA compliance for medical billing companies: obligations as a business associate

Medical billing companies are business associates directly liable under HIPAA since the 2013 Omnibus Rule. Here is what that means for Security Rule compliance, BAA obligations, subcontractor chains, and breach notification.

By CoreFolio


Medical billing companies sit at one of the highest-volume PHI exposure points in the U.S. healthcare system. A single billing company may process claims for dozens or hundreds of covered entity clients, handling patient names, dates of service, diagnoses, insurance identifiers, and financial information for thousands of individuals daily.

This exposure carries direct HIPAA liability. Since the HITECH Act of 2009 and the implementing regulations in the 2013 Omnibus Rule (78 Fed. Reg. 5566), business associates — including medical billing companies — are directly subject to HIPAA. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) can investigate and penalize a billing company without going through its covered entity clients.

Classification: billing companies as business associates

Under 45 CFR § 160.103, a business associate is a person or entity that, on behalf of a covered entity, creates, receives, maintains, or transmits protected health information (PHI) to perform a function including claims processing, billing, benefit management, or practice management.

Medical billing companies satisfy this definition directly. They receive patient PHI from covered entities, process it to generate claims, submit claims to payers, manage remittance, and often provide practice analytics and reporting. Each of these functions involves PHI.

A billing company is not a covered entity by virtue of providing billing services alone — it does not furnish health care. But as a business associate, it has Security Rule compliance obligations that are nearly as extensive as those of a covered entity.


What the Security Rule requires of a billing company

The HIPAA Security Rule (45 CFR §§ 164.302–164.318) requires business associates to implement administrative, physical, and technical safeguards for ePHI. For a billing company, this means:

Administrative safeguards (§ 164.308):

  • Conduct and document a current risk analysis covering all ePHI systems used in billing operations
  • Designate a Security Official responsible for security policies
  • Implement workforce training on security policies, with records
  • Maintain a security incident response procedure
  • Execute BAAs with all subcontractors that handle PHI (cloud platforms, clearinghouses, IT vendors with access to billing systems)
  • Maintain a contingency plan for ePHI recovery

Physical safeguards (§ 164.310):

  • Facility access controls for offices housing billing systems
  • Workstation security — screens not visible to unauthorized persons, automatic logoff on billing workstations
  • Device and media disposal procedures for equipment containing client ePHI

Technical safeguards (§ 164.312):

  • Unique user credentials for every staff member — no shared logins to billing systems
  • Audit logging on all systems handling ePHI, reviewed periodically
  • Encryption at rest for all stored ePHI (client databases, payment records, remittance files)
  • Encryption in transit for all ePHI submitted to payers and received from covered entity clients
  • Automatic session timeout on billing platforms

Privacy Rule obligations: what billing companies must and must not do

Under 45 CFR § 164.504(e), the BAA specifies the billing company’s permitted uses and disclosures of PHI. In general, a billing company may use and disclose PHI only:

  • As necessary to perform the billing and related functions specified in the BAA
  • As required by law
  • For the proper management and administration of the business associate itself (in limited circumstances)

Prohibited uses:

  • Using client PHI for marketing, data analytics, or other purposes not specified in the BAA
  • Sharing PHI with payers, analysts, or other parties beyond what is necessary for the billing function
  • Re-disclosing PHI received from a covered entity to a subcontractor without a BAA in place

Minimum necessary standard: When using or disclosing PHI, the billing company must make reasonable efforts to limit PHI to the minimum necessary for the billing function. A billing company that processes a claim does not need access to clinical notes beyond the diagnosis codes and dates of service required for the claim.


The BAA from the billing company’s perspective

A billing company must execute a BAA with:

  1. Every covered entity client — before any PHI is received. The BAA defines the billing company’s permitted functions, its security obligations, its breach notification obligations, and the return or destruction of PHI at contract termination.
  2. Every subcontractor that handles PHI — clearinghouses, cloud billing platforms, outsourced staff, data storage vendors, and any IT provider with access to client ePHI.

OCR has brought enforcement actions against billing companies for:

  • Operating without BAAs with covered entity clients
  • Failing to execute subcontractor BAAs
  • Using client PHI beyond the scope permitted in the BAA
  • Failing to implement adequate Security Rule safeguards

Breach notification: the billing company’s obligation

When a billing company discovers a breach of unsecured PHI belonging to a covered entity client, the billing company must notify the covered entity without unreasonable delay, and no later than 60 calendar days after discovery.

The notification must include:

  • Identification of each individual whose PHI was involved (or the best available information for covered entity use in notifications)
  • Description of the breach and the types of PHI involved
  • Date of the breach and date of discovery
  • Steps the billing company has taken to mitigate harm

The covered entity’s 60-day clock for notifying patients and HHS runs from the billing company’s discovery date — not from when the covered entity received the billing company’s report. A billing company that delays its internal discovery process or delays notifying its client compresses the covered entity’s response window and creates shared exposure.


The subcontractor chain

Many billing companies use:

  • Cloud-hosted billing platforms (Kareo, AdvancedMD, eClinicalWorks Revenue Cycle, and others)
  • Offshore or outsourced coding and data entry staff
  • Clearinghouses for claim submission
  • Data analytics vendors for reporting

Each of these is a downstream business associate. The billing company must have a signed BAA in place with each subcontractor before that subcontractor receives any PHI. The subcontractors are directly liable under HIPAA for their own Security Rule compliance, but the billing company is responsible for ensuring the BAA chain is in place.


Risk areas specific to billing operations

Remote access by staff: Billing staff working from home or offshore access billing systems over networks the company does not control. MFA and VPN for remote access to billing systems are expected under a thorough risk analysis.

Payment card data intersection: Billing companies that process patient payment card information also touch Payment Card Industry Data Security Standard (PCI DSS) obligations. PHI and payment card data are separate regulatory domains but often handled by the same systems.

Legacy formats: ERA (Electronic Remittance Advice) and 835 transaction files often contain extensive PHI. These files, once received, must be protected with the same safeguards as any other ePHI.

Long-term data retention: Billing companies sometimes retain years of client PHI in their systems long after the billing engagement has ended. The BAA should specify the retention period and require return or certified destruction of PHI at contract termination.


Sources: 45 CFR § 160.103 (business associate definition); 45 CFR §§ 164.308, 164.310, 164.312 (Security Rule safeguards); 45 CFR § 164.504(e) (BAA required provisions); 45 CFR § 164.410 (business associate breach notification); HHS Direct Liability of Business Associates Fact Sheet, hhs.gov; HHS 2013 Omnibus Rule (78 Fed. Reg. 5566, January 25, 2013); HITECH Act of 2009. Last verified May 20, 2026.