HIPAA Compliance for Medical Billing Companies: Business Associate Guide

A third-party medical billing company occupies a specific and often misunderstood place in HIPAA. It is almost never a covered entity, yet it handles enormous volumes of protected health information on behalf of the providers it serves. That makes it a business associate, and since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable for compliance with the HIPAA Security Rule and much of the Privacy Rule. A billing company cannot treat HIPAA as its clients’ problem; the Office for Civil Rights can investigate and penalize the billing company itself.

The agreements that define your obligations

For a billing company, the business associate agreement is the document that defines the relationship in both directions. You need a signed agreement with every provider client before you touch their patient data, and that agreement sets the permitted uses, the safeguards you owe, and your breach-notification duties back to the client. Just as important, the obligation flows downstream: any subcontractor you use that will handle PHI, such as a clearinghouse, a coding partner, a cloud host, or an offshore data-entry vendor, must sign a business associate agreement with you. A gap anywhere in that chain leaves PHI moving without contractual protection and exposes you to liability for a partner’s failure.

Minimum necessary and standard transactions

Billing work runs on the HIPAA standard transactions and code sets, and it concentrates exactly the data that drives identity theft and fraud: names, dates of birth, insurance identifiers, diagnosis and procedure codes. Even though billing requires detailed records, the minimum necessary standard still applies, so your staff and systems should expose only the information each task actually requires. Strong role-based access, audit logging of who viewed which account, and clean separation between client datasets are the operational core of a compliant billing operation. Many billing companies also act as or route through a clearinghouse, which is itself a covered entity for some purposes, so understanding which hat you are wearing for a given data flow matters.

The Security Risk Analysis applies directly to you

Because the Security Rule reaches business associates directly, a billing company must conduct its own Security Risk Analysis, not rely on its clients’. The rule requires an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI (45 CFR § 164.308(a)(1)(ii)(A)). For a billing company that means assessing your billing software, the systems that connect to each client’s EHR, your email and file-transfer methods, remote-work setups, and every subcontractor. The risk analysis is also the first document OCR requests, and a billing company that cannot produce one has a serious, immediate gap.

The proposed 2026 update to the Security Rule would raise the bar further. The Notice of Proposed Rulemaking, published in December 2024, would make safeguards such as multi-factor authentication, encryption of ePHI, and network segmentation effectively mandatory and would require more rigorous, regularly updated risk analyses and asset inventories, with explicit attention to business associates. The proposal is not final; once a final rule is published, organizations would have a 240-day compliance window. Billing companies that tighten authentication and encryption now will be well ahead of the requirement.

How Medcurity helps

Medcurity gives medical billing companies a guided way to complete and document their own Security Risk Analysis, manage policies, and keep the evidence trail that proves direct compliance as a business associate. The platform is $499/year (about $42/month) for a single organization, and larger billing operations with many client connections can request a quote. To keep your contracts airtight in both directions, use our business associate agreement guide, and apply the same diligence to your own subcontractors as you would to any IT vendor handling PHI.

Frequently asked questions

Is a medical billing company a covered entity or a business associate?

Almost always a business associate. A third-party billing company handles PHI on behalf of its provider clients, which makes it a business associate that is directly liable under the HIPAA Security Rule and much of the Privacy Rule.

Do we need our own Security Risk Analysis?

Yes. Business associates must conduct their own risk analysis under 45 CFR 164.308(a)(1)(ii)(A). You cannot rely on a client’s assessment; OCR can investigate and penalize the billing company directly, and the risk analysis is the first document it requests.

Do we need BAAs with our own subcontractors?

Yes. Any subcontractor that handles PHI on your behalf, such as a clearinghouse, coding partner, cloud host, or offshore data-entry vendor, must sign a business associate agreement with you. The obligation flows down the entire chain.

Does the minimum necessary standard apply to billing?

Yes. Even though billing needs detailed records, your staff and systems should access only the information each task requires. Role-based access, audit logging, and separation between client datasets are how billing companies meet the standard.