HIPAA and Medical Billing: What Your Billing Company Must Do to Keep You Compliant
The Qualigenix Editorial Team consists of certified billing and coding experts with over 40 years of experience across 38+ medical specialties. Our content is rigorously researched against CMS, AMA, and payer-specific guidelines to ensure total compliance and accuracy. We apply the same elite standards to our resources as we do our client work, consistently delivering high claim accuracy and significant reductions in AR days.

Your medical billing company is a HIPAA business associate. That means its mistakes can become your liability. A compliant billing partner must sign a valid Business Associate Agreement, encrypt your PHI, limit access, train its staff, run risk assessments, and notify you fast if a breach happens. If your biller can’t prove these, your practice is exposed.
When you hand patient data to a billing company, you’re not just outsourcing claims. You’re sharing protected health information with an outside party, and HIPAA has strict rules about that.
Here’s the part many practices miss. If your billing company mishandles that data, the penalty doesn’t always stop at the vendor. It can land on you. A Tennessee billing company once exposed the records of 300,000 patients, and the hospital that hired them paid the price because it never signed a proper agreement.
So the question isn’t only whether your billing company is good at billing. It’s whether they keep you compliant.
A medical billing company is a HIPAA business associate because it handles protected health information on your behalf. It must sign a Business Associate Agreement, encrypt PHI in transit and at rest, limit and log access, train staff on HIPAA, run documented risk assessments, and notify you of any breach within 60 days. Without these, both the biller and your practice face federal penalties.
Why your billing company is a business associate
HIPAA splits the world into covered entities and business associates. You, the provider, are a covered entity. Your billing company is a business associate because it performs work that involves your patients’ PHI.
This matters because of a law change most practices never noticed. The 2013 Omnibus Rule made business associates directly liable for HIPAA Security Rule compliance. Before 2013, a billing company was only bound by its contract with you. Now it faces its own federal penalties, the same tiers you do.
That cuts both ways. Your biller carries real legal weight. But you still have to choose a compliant one, because a failure on their side can pull you in.
What’s at stake: HIPAA penalty figures
| Item | Figure | Source |
|---|---|---|
| Penalty range per violation | $145 to $2,190,294 | HHS / HIPAA Journal (2026) |
| Tier 1 (no knowledge) range | $145 to $73,011 | Federal Register |
| Tier 4 (willful neglect, uncorrected) | $73,011 to $2,190,294 | Federal Register |
| Annual cap for one provision (Tier 4) | $2,190,294 | HHS (2026) |
| OCR settlements collected in 2024 | Over $9.9 million | OCR |
| OCR enforcement actions in 2024 | 22 | OCR |
| Breach notification deadline | Within 60 days | Breach Notification Rule |
| BAA review frequency (best practice) | At least annually | HHS guidance |
Penalties stack because most breaches count one violation per affected record. A single missed agreement can be cited as several violations at once.
The Business Associate Agreement comes first
Before you share one piece of PHI with a billing company, you need a signed Business Associate Agreement. This isn’t a formality. Without a valid BAA, the disclosure itself is a HIPAA violation, even if no data is ever breached.
Missing or outdated BAAs are among the most common findings in OCR audits. Many practices still rely on a template they downloaded years ago and never updated. A BAA drafted before January 2013 is out of compliance.
A strong BAA does more than exist. It defines exactly what the billing company can do with PHI, what safeguards it must keep, and who handles breach notification. It also spells out what happens to your data when the relationship ends. Vague language like “use data as needed” is a red flag.
Warning: A BAA does not automatically protect you from penalties. If you fail to do due diligence on your billing vendor and a breach occurs, you may still be held liable for the breach. Choosing a verifiably compliant partner is part of your own compliance duty.
The safeguards a compliant biller must have
A signed agreement is the start. What backs it up is a set of real controls. Here’s what your billing company should be able to show you.
Encryption in transit and at rest
Your PHI should be encrypted both when it moves and when it sits in storage. The 2025 proposed Security Rule update points toward making encryption a firmer requirement, so a forward-looking biller already does it.
Access controls and logging
Only authorized staff should touch your data, and every access should be logged. Tight access limits, not “everyone can see everything,” are the standard.
Ongoing staff training
HIPAA training can’t be a one-time onboarding box. A compliant billing company trains its workforce on an ongoing schedule and keeps records to prove it.
Documented risk assessments
Your biller should run a real risk analysis and document it. The 2025 NPRM proposes annual verification by a subject-matter expert, which is what well-run companies already do.
Clear breach notification
If a breach happens, the billing company must notify you within 60 days so you can meet your own reporting duties. The BAA should spell out exactly who does what.
How Qualigenix keeps you compliant
At Qualigenix, HIPAA compliance isn’t a feature we mention. It’s the foundation our medical billing and RCM services are built on. We are a US-based business associate that treats your patients’ data with the same care you do.
We sign a current, Omnibus-compliant Business Associate Agreement before any PHI changes hands. We encrypt protected health information in transit and at rest, limit and log access, and run documented risk assessments. Our staff complete ongoing HIPAA training, not a single onboarding session. And our agreements assign breach notification clearly, so nothing falls through a gap.
The point is simple. When your billing partner is genuinely compliant, your practice stops carrying risk it didn’t create.
What practice managers say about working with Qualigenix
“Our old billing vendor still had a pre-2013 BAA. Qualigenix flagged it, replaced it with a compliant agreement, and walked us through every safeguard. We passed our next audit with zero BAA findings.”
Laura Bennett
Practice Manager, Family Medicine, Minnesota
“What sold us was encryption in transit and at rest plus full access logging. Qualigenix gave us documented proof for every HIPAA control, which our prior biller never could.”
Samuel Ortiz
Administrator, Internal Medicine Group, Texas
“Their team runs annual risk assessments and documents staff HIPAA training every cycle. That paper trail saved us during an OCR inquiry that closed with no penalty.”
Rachel Kim
Compliance Officer, Behavioral Health, California
“We needed clear breach notification terms after a scare with another vendor. Qualigenix built them into the BAA and committed to notifying us well inside the 60-day window.”
David Okafor
Billing Director, Multi-Site Practice, Georgia
Billing company HIPAA checklist
Use this list to vet any billing partner. If they can’t check every box, keep looking.
- ☐ A signed BAA exists before any PHI is shared
- ☐ The BAA is updated for the 2013 Omnibus Rule
- ☐ The BAA names permitted uses of PHI specifically
- ☐ PHI is encrypted in transit and at rest
- ☐ Access to PHI is limited and logged
- ☐ Staff receive ongoing HIPAA training
- ☐ A documented risk assessment is in place
- ☐ Breach notification duties are clearly assigned
- ☐ Subcontractor compliance is addressed
- ☐ The BAA is reviewed at least once a year
Frequently asked questions
Is my medical billing company a HIPAA business associate?
Yes. Any company that handles PHI on your behalf, including a billing service that processes claims, is a business associate. That makes it directly subject to HIPAA’s Security Rule and liable for its own violations.
Do I need a Business Associate Agreement with my billing company?
Yes. HIPAA requires a signed BAA before you share any PHI. Without a valid one, the disclosure itself is a violation, and both parties face federal penalties.
Can I be penalized for my billing company’s HIPAA mistakes?
You can. If you fail to do due diligence on a vendor and a breach occurs, you may be held liable. A billing breach often lands on the practice that hired the vendor, not just the vendor.
What are the penalties for HIPAA violations?
Penalties run from $145 to over $2.1 million per violation, depending on fault. Because most breaches involve many records, the totals stack quickly into the millions.
What must a HIPAA-compliant billing company do?
It signs a valid BAA, encrypts PHI in transit and at rest, limits access, trains staff regularly, runs risk assessments, and notifies you of any breach within the required timeframe.
How often should a BAA be reviewed?
Review it at least once a year and whenever the vendor changes services or subcontractors, or a regulation changes. A BAA drafted before 2013 is out of compliance.
Bill with a partner that protects you
HIPAA risk shouldn’t be the price of outsourcing your billing. Work with a US-based team that proves its compliance, not just promises it.
Our team delivers 99% claim accuracy, a 95% first-pass acceptance rate, an average 36-day collection cycle, and a 30% reduction in AR days. We onboard in as few as 6 days.
