The HIPAA Security Rule protects ePHI, and a medical billing or RCM company handles it constantly on behalf of its provider clients. Claims, diagnosis and procedure codes, patient demographics, Social Security numbers, and insurance and payment data all pass through your systems. Because you create, receive, maintain, or transmit that ePHI for a covered entity, HIPAA classifies you as a business associate, and since the HITECH Act and the 2013 Omnibus Rule that status carries direct legal liability, not just contractual obligation.
Business associates are directly liable, not just contractually bound.
Before HITECH, a business associate answered mainly to the covered entity through its contract. That changed. The HITECH Act and the HIPAA Omnibus Rule made business associates directly liable to the government for the Security Rule in full and for the Breach Notification and Privacy provisions that apply to them. In practice that means the HHS Office for Civil Rights can investigate and penalize your billing company directly for its own HIPAA failures, whether or not the covered entity is involved.
The chain of responsibility is specific. Your provider client is the covered entity. Your billing company is its business associate. When Cyber One Solutions supports your systems and touches your ePHI, we are your subcontractor business associate, and subcontractors carry the same direct liability for the safeguards they are responsible for. Each link signs a BAA with the one above it. We build your program so your own direct obligations are met and documented, not assumed to sit with your clients.
A breach at a billing company has a many-client footprint.
A single billing or RCM company often holds concentrated ePHI for dozens or hundreds of provider clients at once. That concentration is exactly what makes billing companies an attractive target, and it means one incident at your company can expose patients across many practices simultaneously rather than one.
When you discover a breach of unsecured ePHI, your duty as a business associate is to notify each affected covered-entity client, generally without unreasonable delay and no later than 60 days from discovery, so each client can then notify its patients, HHS, and where required the media. If one of your own subcontractors has the breach, they notify you, and you notify the affected clients. We define what counts as a breach for your environment, map which clients each system serves, and build the notification workflow so a real event is handled cleanly across every affected client instead of improvised under pressure.
Client due diligence and SOC 2 requests are now part of winning work.
Providers increasingly vet the security of the billing companies they hire. Expect a signed BAA to be table stakes and a detailed security questionnaire to follow, and larger provider organizations and health systems now often ask their billing and RCM vendors for a SOC 2 report on top of HIPAA. A weak or missing Security Risk Analysis, no MFA, or no documented safeguards can cost you the contract before HIPAA enforcement ever enters the picture.
A SOC 2 report is issued by an independent CPA firm, not by us, and Cyber One Solutions does not issue SOC 2 reports or attestations. What we do is build and document the control environment that a SOC 2 examination looks for and that your clients ask about, so you are ready for the questionnaire, ready for the audit your CPA firm performs, and able to answer due diligence with evidence rather than promises.
Clearinghouses, payers, and subcontractors are all part of your program.
Billing runs on connections: clearinghouse links, payer portals and EDI feeds, hosting and cloud platforms, and IT support. Any subcontractor that creates, receives, maintains, or transmits ePHI on your behalf is itself a business associate, and the rules require a written agreement with each one plus oversight of how they protect the data.
We inventory those relationships, help you put the subcontractor Business Associate Agreements in place, and fold that oversight into your program. When Cyber One Solutions accesses your ePHI, we sign a BAA with your company and support your compliance rather than assuming it.