
HIPAA and Medical Billing: What Your Billing Company Must Do to Keep You Compliant

June 25, 2026 Marcus D. Holloway 8 mins read

The Qualigenix Editorial Team consists of certified billing and coding experts with over 40 years of experience across 38+ medical specialties. Our content is rigorously researched against CMS, AMA, and payer-specific guidelines to ensure total compliance and accuracy. We apply the same elite standards to our resources as we do our client work, consistently delivering high claim accuracy and significant reductions in AR days.

Qualigenix Author
Marcus D. Holloway Senior RCM Strategist, Qualigenix Healthcare

Your medical billing company is a HIPAA business associate. That means its mistakes can become your liability. A compliant billing partner must sign a valid Business Associate Agreement, encrypt your PHI, limit access, train its staff, run risk assessments, and notify you fast if a breach happens. If your biller can’t prove these, your practice is exposed.

When you hand patient data to a billing company, you’re not just outsourcing claims. You’re sharing protected health information with an outside party, and HIPAA has strict rules about that.

Here’s the part many practices miss. If your billing company mishandles that data, the penalty doesn’t always stop at the vendor. It can land on you. A Tennessee billing company once exposed the records of 300,000 patients, and the hospital that hired them paid the price because it never signed a proper agreement.

So the question isn’t only whether your billing company is good at billing. It’s whether they keep you compliant.

Why your billing company is a business associate

HIPAA splits the world into covered entities and business associates. You, the provider, are a covered entity. Your billing company is a business associate because it performs work that involves your patients’ PHI.

This matters because of a law change most practices never noticed. The 2013 Omnibus Rule made business associates directly liable for HIPAA Security Rule compliance. Before 2013, a billing company was only bound by its contract with you. Now it faces its own federal penalties, the same tiers you do.

That cuts both ways. Your biller carries real legal weight. But you still have to choose a compliant one, because a failure on their side can pull you in.

What’s at stake: HIPAA penalty figures

| Item | Figure | Source |
|---|---|---|
| Penalty range per violation | $145 to $2,190,294 | HHS / HIPAA Journal (2026) |
| Tier 1 (no knowledge) range | $145 to $73,011 | Federal Register |
| Tier 4 (willful neglect, uncorrected) | $73,011 to $2,190,294 | Federal Register |
| Annual cap for one provision (Tier 4) | $2,190,294 | HHS (2026) |
| OCR settlements collected in 2024 | Over $9.9 million | OCR |
| OCR enforcement actions in 2024 | 22 | OCR |
| Breach notification deadline | Within 60 days | Breach Notification Rule |
| BAA review frequency (best practice) | At least annually | HHS guidance |

Penalties stack because most breaches count one violation per affected record. A single missed agreement can be cited as several violations at once.

The Business Associate Agreement comes first

Before you share one piece of PHI with a billing company, you need a signed Business Associate Agreement. This isn’t a formality. Without a valid BAA, the disclosure itself is a HIPAA violation, even if no data is ever breached.

Missing or outdated BAAs are among the most common findings in OCR audits. Many practices still rely on a template they downloaded years ago and never updated. A BAA drafted before January 2013 is out of compliance.

A strong BAA does more than exist. It defines exactly what the billing company can do with PHI, what safeguards it must keep, and who handles breach notification. It also spells out what happens to your data when the relationship ends. Vague language like “use data as needed” is a red flag.

Warning: A BAA does not automatically protect you from penalties. If you fail to do due diligence on your billing vendor and a breach occurs, you may still be held liable for the breach. Choosing a verifiably compliant partner is part of your own compliance duty.

The safeguards a compliant biller must have

A signed agreement is the start. What backs it up is a set of real controls. Here’s what your billing company should be able to show you.

Encryption in transit and at rest

Your PHI should be encrypted both when it moves and when it sits in storage. The 2025 proposed Security Rule update points toward making encryption a firmer requirement, so a forward-looking biller already does it.

Access controls and logging

Only authorized staff should touch your data, and every access should be logged. Tight access limits, not “everyone can see everything,” are the standard.

Ongoing staff training

HIPAA training can’t be a one-time onboarding box. A compliant billing company trains its workforce on an ongoing schedule and keeps records to prove it.

Documented risk assessments

Your biller should run a real risk analysis and document it. The 2025 NPRM proposes annual verification by a subject-matter expert, which is what well-run companies already do.

Clear breach notification

If a breach happens, the billing company must notify you within 60 days so you can meet your own reporting duties. The BAA should spell out exactly who does what.

How Qualigenix keeps you compliant

At Qualigenix, HIPAA compliance isn’t a feature we mention. It’s the foundation our medical billing and RCM services are built on. We are a US-based business associate that treats your patients’ data with the same care you do.

We sign a current, Omnibus-compliant Business Associate Agreement before any PHI changes hands. We encrypt protected health information in transit and at rest, limit and log access, and run documented risk assessments. Our staff complete ongoing HIPAA training, not a single onboarding session. And our agreements assign breach notification clearly, so nothing falls through a gap.

The point is simple. When your billing partner is genuinely compliant, your practice stops carrying risk it didn’t create.

What practice managers say about working with Qualigenix

“Our old billing vendor still had a pre-2013 BAA. Qualigenix flagged it, replaced it with a compliant agreement, and walked us through every safeguard. We passed our next audit with zero BAA findings.”

Laura Bennett
Practice Manager, Family Medicine, Minnesota

“What sold us was encryption in transit and at rest plus full access logging. Qualigenix gave us documented proof for every HIPAA control, which our prior biller never could.”

Samuel Ortiz
Administrator, Internal Medicine Group, Texas

“Their team runs annual risk assessments and documents staff HIPAA training every cycle. That paper trail saved us during an OCR inquiry that closed with no penalty.”

Rachel Kim
Compliance Officer, Behavioral Health, California

“We needed clear breach notification terms after a scare with another vendor. Qualigenix built them into the BAA and committed to notifying us well inside the 60-day window.”

David Okafor
Billing Director, Multi-Site Practice, Georgia

Billing company HIPAA checklist

Use this list to vet any billing partner. If they can’t check every box, keep looking.

  • ☐ A signed BAA exists before any PHI is shared
  • ☐ The BAA is updated for the 2013 Omnibus Rule
  • ☐ The BAA names permitted uses of PHI specifically
  • ☐ PHI is encrypted in transit and at rest
  • ☐ Access to PHI is limited and logged
  • ☐ Staff receive ongoing HIPAA training
  • ☐ A documented risk assessment is in place
  • ☐ Breach notification duties are clearly assigned
  • ☐ Subcontractor compliance is addressed
  • ☐ The BAA is reviewed at least once a year

Frequently asked questions

Is my medical billing company a HIPAA business associate?

Yes. Any company that handles PHI on your behalf, including a billing service that processes claims, is a business associate. That makes it directly subject to HIPAA’s Security Rule and liable for its own violations.

Do I need a Business Associate Agreement with my billing company?

Yes. HIPAA requires a signed BAA before you share any PHI. Without a valid one, the disclosure itself is a violation, and both parties face federal penalties.

Can I be penalized for my billing company’s HIPAA mistakes?

You can. If you fail to do due diligence on a vendor and a breach occurs, you may be held liable. A billing breach often lands on the practice that hired the vendor, not just the vendor.

What are the penalties for HIPAA violations?

Penalties run from 145 dollars to over 2.1 million dollars per violation, depending on fault. Because most breaches involve many records, the totals stack quickly into the millions.

What must a HIPAA-compliant billing company do?

It signs a valid BAA, encrypts PHI in transit and at rest, limits access, trains staff regularly, runs risk assessments, and notifies you of any breach within the required timeframe.

How often should a BAA be reviewed?

Review it at least once a year and whenever the vendor changes services or subcontractors, or a regulation changes. A BAA drafted before 2013 is out of compliance.

Bill with a partner that protects you

HIPAA risk shouldn’t be the price of outsourcing your billing. Work with a US-based team that proves its compliance, not just promises it.

Our team delivers 99% claim accuracy, a 95% first-pass acceptance rate, an average 36-day collection cycle, and a 30% reduction in AR days. We onboard in as few as 6 days.
