HIPAA Compliance in Revenue Cycle Management: From Intake to Collections
Revenue cycle management (RCM) is where protected health information (PHI) travels the farthest. From the moment a patient is registered, the same data flows through eligibility verification, coding, claim submission, clearinghouses, payer adjudication, patient statements, and — when accounts go unpaid — collections. Every handoff in that chain is a HIPAA touchpoint, and most of them involve a third party. That is what makes RCM distinctive: compliance is less about a single system and more about controlling PHI as it moves across a long line of internal staff and external vendors.
Where PHI moves in the revenue cycle
Intake collects demographics, insurance details, and often clinical reason-for-visit notes. Coding and charge capture attach diagnoses and procedures. Claims carry that PHI to a clearinghouse and on to payers. Statements and payment portals expose balances and service descriptions to patients. Collections agencies — if you use them — receive enough information to pursue a debt. At each stage the minimum necessary standard applies: a claim, a statement, or a collections file should contain only the PHI required for that specific purpose, not the patient’s full record. A billing statement that itemizes a sensitive diagnosis, or a collections referral that ships an entire chart, is a common and avoidable exposure.
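One way to enforce the minimum necessary standard at the point where a statement or collections file is generated is a purpose-based allow-list, so the export cannot carry a diagnosis or the rest of the chart by accident. This is an added illustration, not code from the original page or from any RCM product; the purpose names, field names and sample record are constructed assumptions.

```python
"""Minimum-necessary filter for PHI leaving the revenue cycle (added example)."""

# Assumed allow-lists: the fields each downstream recipient actually needs.
MINIMUM_NECESSARY = {
    "patient_statement": {
        "patient_name", "mailing_address", "account_id",
        "dates_of_service", "balance_due",
    },
    "collections_referral": {
        "patient_name", "mailing_address", "account_id",
        "dates_of_service", "balance_due",
    },
}

# Fields that no billing or collections recipient should ever receive.
SENSITIVE_FIELDS = {"diagnosis_codes", "clinical_notes", "reason_for_visit", "ssn"}


def build_disclosure(record: dict, purpose: str) -> dict:
    """Project a full account record down to the fields allowed for `purpose`."""
    if purpose not in MINIMUM_NECESSARY:
        raise ValueError(f"no minimum-necessary policy defined for {purpose!r}")
    allowed = MINIMUM_NECESSARY[purpose]
    return {field: value for field, value in record.items() if field in allowed}


def audit_disclosure(payload: dict, purpose: str) -> list[str]:
    """Return the fields in an outbound payload that exceed what `purpose` needs.

    Useful as a pre-send check on files produced by another system or vendor.
    """
    allowed = MINIMUM_NECESSARY[purpose]
    return sorted(f for f in payload if f not in allowed or f in SENSITIVE_FIELDS)


# Constructed sample: what a practice management export might contain in full.
FULL_RECORD = {
    "patient_name": "Sample Patient",
    "mailing_address": "1 Example St, Anytown",
    "account_id": "ACCT-0001",
    "dates_of_service": ["2025-01-10", "2025-02-03"],
    "balance_due": 250.00,
    "insurance_member_id": "MBR-12345",
    "diagnosis_codes": ["F41.1"],
    "clinical_notes": "Follow-up visit, medication adjusted.",
    "reason_for_visit": "Anxiety follow-up",
    "ssn": "000-00-0000",
}
```

Running `audit_disclosure(FULL_RECORD, "collections_referral")` on an unfiltered export flags the five fields that would have shipped with the chart, while `build_disclosure` produces a referral that carries only dates of service, balance, and contact details.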
Vendors and Business Associate Agreements
Most revenue cycle work is outsourced or software-driven, which means most of it runs through business associates: clearinghouses, billing companies, RCM platforms, statement printers, payment processors, and collections agencies. Each one needs a signed Business Associate Agreement (BAA) before it touches PHI, and your program should track which vendors have current agreements and what PHI each is permitted to handle. A lapsed or missing BAA with a billing vendor is one of the most frequent findings in HIPAA enforcement actions.
Start with a Security Risk Analysis
The HIPAA Security Rule requires an accurate, thorough Security Risk Analysis (SRA) under 45 CFR § 164.308(a)(1)(ii)(A). For a revenue cycle operation, the SRA should map every system and vendor that creates, receives, maintains, or transmits PHI — the practice management system, the clearinghouse connection, the patient payment portal, statement vendors, and collections partners — and assess the threats to each. Because the revenue cycle changes constantly as vendors and payer connections come and go, the SRA needs to be revisited whenever the workflow changes, not just once a year.
The proposed 2026 Security Rule update
In December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) to strengthen the HIPAA Security Rule. It is proposed, not finalized, but several provisions matter directly for RCM: a maintained asset and vendor inventory, encryption of PHI in transit and at rest, multi-factor authentication for systems holding PHI, and stronger oversight of business associates. If finalized as written, organizations would have roughly a 240-day compliance window after the final rule is published. Tightening BAA tracking and vendor oversight now positions you well no matter how the rule is finalized.
How Medcurity helps
Medcurity helps revenue cycle teams complete the Security Risk Analysis, track remediation, and manage the BAA and vendor documentation that the revenue cycle depends on — all in one platform built for HIPAA. Pricing is $499/year (about $42/month) for a single organization; larger billing operations and multi-entity groups can request a quote. For the broader picture, see our HIPAA compliance checklist and our guide to the HIPAA risk assessment.
Frequently asked questions
Is a billing or collections company a business associate?
Yes. Any company that handles PHI to submit claims, process payments, or collect on patient accounts is a business associate, and you must have a signed BAA with each before sharing any PHI.
How does the minimum necessary standard apply to statements?
Patient statements and collections files should include only the information needed for billing or payment — typically dates of service and balances — not detailed clinical notes or full diagnoses that are not required to collect the debt.
Are clearinghouses covered by HIPAA?
Yes. Healthcare clearinghouses are explicitly covered entities under HIPAA when they process claims, and they act as business associates when handling PHI on your behalf, so a BAA and appropriate safeguards still apply.
What is the biggest RCM compliance risk?
Missing or expired Business Associate Agreements and oversharing PHI with vendors. Because the revenue cycle touches so many third parties, gaps in vendor oversight are the most common and most cited weaknesses.