HIPAA Compliance for Accounting Firms Serving Healthcare Clients
When an accounting firm takes on a medical practice, hospital, or other healthcare provider as a client, it almost always ends up handling protected health information (PHI). Billing reconciliation, revenue-cycle audits, forensic accounting, and even routine bookkeeping for a clinic expose the firm to patient identifiers tied to treatment and payment. That exposure makes the firm a business associate under HIPAA — directly liable for safeguarding PHI, not merely contractually obligated through the client.
What makes an accounting firm a business associate
A firm preparing a dentist’s taxes from summary totals may never touch PHI. A firm auditing claims data, managing medical A/R, or reconciling explanation-of-benefits files handles PHI directly. The moment patient-identifiable health or payment information passes through your systems on behalf of a covered entity, you are a business associate (45 CFR 160.103). Since the 2013 Omnibus Rule, business associates are directly liable for Security Rule compliance and many Privacy Rule provisions, so OCR can penalize the firm itself.
Where PHI hides in accounting workflows
Working papers and spreadsheets that pair patient names with balances, EOBs and remittance advices, scanned superbills, shared client portals, email attachments, and multi-year backups all carry PHI. Because tax and audit working papers are commonly retained seven years or more, that PHI lingers long after the engagement ends — a reality your safeguards have to account for.
The Security Risk Analysis
Every business associate must conduct and document a Security Risk Analysis (SRA) — the foundational requirement at 45 CFR 164.308(a)(1)(ii)(A). For an accounting firm that means inventorying every system where client PHI lands: practice-management exports, your general ledger, cloud file shares, email, and the laptops of remote or seasonal staff. Firms that scope the SRA to “the tax application” and stop there routinely miss the client portal and the partner’s laptop, which is where breaches actually happen. A signed business associate agreement is required with each healthcare client before PHI changes hands, and with your own downstream vendors that touch the data.
The proposed 2026 Security Rule update
In December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) that would significantly strengthen the HIPAA Security Rule — making currently “addressable” measures such as encryption and multi-factor authentication effectively mandatory, and adding asset-inventory and vendor-verification requirements. It is a proposal, not a final rule; if finalized, organizations would have roughly a 240-day window to comply once it publishes. Accounting firms should treat encryption at rest, MFA, and a current asset inventory as the clear direction of travel. Firms that also provide technology services to clients should review their obligations as IT vendors as well.
How Medcurity helps
Medcurity gives accounting firms a guided, documented Security Risk Analysis built around the HIPAA Security Rule, plus policy templates, workforce-training tracking, and BAA management — the evidence OCR asks for in an investigation. Pricing is $499/year (about $42/month); larger firms with multiple offices or many healthcare clients can request a quote.
Frequently Asked Questions
Is an accounting firm a business associate under HIPAA?
Yes, if it creates, receives, maintains, or transmits PHI on behalf of a healthcare client — for example by auditing claims, managing medical accounts receivable, or reconciling EOBs. Firms that only review de-identified summary financials and never touch patient identifiers generally are not.
Do we need a BAA with every healthcare client?
Yes. A signed business associate agreement must be in place before the firm receives any PHI, and the firm also needs its own BAAs with subcontractors — cloud storage, document management, outsourced IT — that can access that data.
How long must we keep HIPAA documentation?
HIPAA requires policies, risk analyses, and related documentation be retained for six years under 45 CFR 164.316(b)(2). That is separate from professional accounting-records retention, which often runs longer and may itself contain PHI.
What is the biggest HIPAA gap for accounting firms?
Incomplete scoping. Firms run a risk analysis on their tax software but overlook client portals, email attachments, backups, and the laptops of remote or seasonal staff — exactly where client PHI accumulates.