Cyber One Solutions logo.
Get Support

HIPAA Compliance for Medical Billing Companies

Compliance / HIPAA

HIPAA Compliance for Medical Billing Companies.

A medical billing or revenue cycle management company is a HIPAA business associate, not a covered entity. You process electronic protected health information (ePHI) on behalf of your provider clients: claims, diagnosis and procedure codes, Social Security numbers, and insurance and payment data. Under the HITECH Act and the HIPAA Omnibus Rule, business associates are directly liable for the HIPAA Security Rule and for the Breach Notification and Privacy provisions that apply to them. That direct liability, not just your contracts, is what puts your billing operation squarely in scope.

Cyber One Solutions builds and manages the technical and administrative safeguards a billing company needs to meet its own direct HIPAA obligations, starting with the Security Risk Analysis the Security Rule requires. When we support your systems and access your ePHI, we act as your subcontractor business associate under a signed Business Associate Agreement. We produce the evidence your clients, their security questionnaires, and a regulator expect. We support your compliance program, we do not assume your legal obligations, and we make no guarantees against a breach.

What You Get
A documented Security Risk Analysis covering the ePHI you process across your billing, clearinghouse, and payer-facing systems for every provider client.
Administrative, physical, and technical safeguards mapped to the required and addressable specifications of the Security Rule you are directly liable for.
MFA and role-based access on the systems that hold claims, diagnoses, and patient identifiers, with encryption applied to ePHI in transit and at rest.
Business Associate Agreements in place with your covered-entity clients and with every subcontractor that touches ePHI, including Cyber One Solutions.
A contingency plan with tested backups and a breach-notification workflow that satisfies your duty to notify the affected covered entity.
An evidence trail ready for a client security questionnaire, a SOC 2 readiness effort, or an OCR inquiry.
What the Rule Requires

HIPAA for Business Associates, Mapped to Your Billing Company.

Because you are a business associate, you owe the HIPAA Security Rule in full and the Breach Notification and Privacy provisions that apply to your role, and you owe them directly to the government, not only through your client contracts. The Security Rule organizes its protections into administrative, physical, and technical safeguards built from required and addressable implementation specifications. Addressable is not optional: you must implement it, adopt a documented equivalent, or record why it is not reasonable and appropriate. The Security Risk Analysis is the foundation everything else rests on. These are the core elements every medical billing and RCM company must put in place, each paired with the work we deliver against it.

Security Risk Analysis (SRA)

The Security Rule requires an accurate, thorough assessment of the risks to the confidentiality, integrity, and availability of the ePHI you process. We inventory where client data lives, from your billing and practice-management platform to your clearinghouse and payer connections, identify the threats and vulnerabilities to each, and document the assessment so it stands up as the foundation of your program. Because you serve many providers at once, that inventory spans every client data flow.

Administrative Safeguards

Policies, workforce security, and access management: assigning a security official, training billing and coding staff, defining who may access which client records, and reviewing that access. We produce the written policies and the training and access records that evidence the required and addressable administrative specifications a business associate owes directly.

Physical Safeguards

Controls over the facility, workstations, and devices that hold ePHI. For a billing operation that reaches biller and coder workstations, on-site and remote endpoints, servers, and portable media. We document facility access, workstation-use policy for in-office and work-from-home staff, and secure device and media disposal.

Technical Safeguards

Access control, audit logging, integrity, and transmission security for ePHI. Unique user IDs, multi-factor authentication, automatic logoff, audit trails that show who viewed which client record, and encryption of claims and patient data in transit and at rest across your billing systems and your links to clearinghouses and payers.

Business Associate Agreements, Clients & Subcontractors

You need a written Business Associate Agreement with each covered-entity client whose ePHI you handle, and you must in turn sign a BAA with every subcontractor that creates, receives, maintains, or transmits that ePHI on your behalf. We inventory both sides of that chain, from your clearinghouse and hosting vendors to your IT support, and help you put the agreements and oversight in place. Cyber One Solutions signs a BAA with your company as your subcontractor.

Contingency Planning & Breach Notification

A data backup plan, disaster recovery, and an emergency-mode operations plan so billing operations and records survive a ransomware event or hardware failure. Paired with the business associate breach-notification duty: when you discover a breach of unsecured ePHI, you must notify each affected covered-entity client, generally without unreasonable delay and no later than 60 days from discovery, so the client can meet its own notification obligations to individuals and HHS. We build and test the plan and the notification workflow so a real event is handled inside the window.

Why It Applies to Medical Billing Companies

A billing company is a business associate with direct HIPAA liability.

The HIPAA Security Rule protects ePHI, and a medical billing or RCM company handles it constantly on behalf of its provider clients. Claims, diagnosis and procedure codes, patient demographics, Social Security numbers, and insurance and payment data all pass through your systems. Because you create, receive, maintain, or transmit that ePHI for a covered entity, HIPAA classifies you as a business associate, and since the HITECH Act and the 2013 Omnibus Rule that status carries direct legal liability, not just contractual obligation.

Business associates are directly liable, not just contractually bound.

Before HITECH, a business associate answered mainly to the covered entity through its contract. That changed. The HITECH Act and the HIPAA Omnibus Rule made business associates directly liable to the government for the Security Rule in full and for the Breach Notification and Privacy provisions that apply to them. In practice that means the HHS Office for Civil Rights can investigate and penalize your billing company directly for its own HIPAA failures, whether or not the covered entity is involved.

The chain of responsibility is specific. Your provider client is the covered entity. Your billing company is its business associate. When Cyber One Solutions supports your systems and touches your ePHI, we are your subcontractor business associate, and subcontractors carry the same direct liability for the safeguards they are responsible for. Each link signs a BAA with the one above it. We build your program so your own direct obligations are met and documented, not assumed to sit with your clients.

A breach at a billing company has a many-client footprint.

A single billing or RCM company often holds concentrated ePHI for dozens or hundreds of provider clients at once. That concentration is exactly what makes billing companies an attractive target, and it means one incident at your company can expose patients across many practices simultaneously rather than one.

When you discover a breach of unsecured ePHI, your duty as a business associate is to notify each affected covered-entity client, generally without unreasonable delay and no later than 60 days from discovery, so each client can then notify its patients, HHS, and where required the media. If one of your own subcontractors has the breach, they notify you, and you notify the affected clients. We define what counts as a breach for your environment, map which clients each system serves, and build the notification workflow so a real event is handled cleanly across every affected client instead of improvised under pressure.

Client due diligence and SOC 2 requests are now part of winning work.

Providers increasingly vet the security of the billing companies they hire. Expect a signed BAA to be table stakes and a detailed security questionnaire to follow, and larger provider organizations and health systems now often ask their billing and RCM vendors for a SOC 2 report on top of HIPAA. A weak or missing Security Risk Analysis, no MFA, or no documented safeguards can cost you the contract before HIPAA enforcement ever enters the picture.

A SOC 2 report is issued by an independent CPA firm, not by us, and Cyber One Solutions does not issue SOC 2 reports or attestations. What we do is build and document the control environment that a SOC 2 examination looks for and that your clients ask about, so you are ready for the questionnaire, ready for the audit your CPA firm performs, and able to answer due diligence with evidence rather than promises.

Clearinghouses, payers, and subcontractors are all part of your program.

Billing runs on connections: clearinghouse links, payer portals and EDI feeds, hosting and cloud platforms, and IT support. Any subcontractor that creates, receives, maintains, or transmits ePHI on your behalf is itself a business associate, and the rules require a written agreement with each one plus oversight of how they protect the data.

We inventory those relationships, help you put the subcontractor Business Associate Agreements in place, and fold that oversight into your program. When Cyber One Solutions accesses your ePHI, we sign a BAA with your company and support your compliance rather than assuming it.

Frequently asked questions.

Does being a business associate mean HIPAA compliance is really our client's job?

No. That is a common and costly misunderstanding. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable to the government for the HIPAA Security Rule and for the Breach Notification and Privacy provisions that apply to them. The HHS Office for Civil Rights can investigate and penalize your billing company for its own failures independently of your client. Your covered-entity clients have their own obligations, but they do not absorb yours. We build and document the program that meets your direct obligations.

We are a small billing company. Are we too small for this to matter?

No. HIPAA does not exempt a business associate for being small. If you process ePHI for a covered entity, the Security Rule applies and your direct liability applies. The size of your company changes the scale of the safeguards that are reasonable and appropriate, not whether the rules reach you. We scope the program to the size and systems of your operation during onboarding.

Common Questions

HIPAA Compliance for Medical Billing Companies, Answered.

Common questions from medical billing and revenue cycle management companies working out their direct obligations as HIPAA business associates and what compliance actually involves.

Don't see your question?
Our team answers questions like these every day, no sales pitch attached.
Ask a Question