Medical billing companies handle protected health information for dozens or hundreds of covered entities simultaneously. A single breach at a billing company isn't an isolated incident — it's a mass-casualty event that exposes every client's patients at once. OCR has been increasing enforcement against business associates since 2022, and billing companies sit at the center of that enforcement push. This guide covers what HIPAA compliance actually requires when you're on the business associate side of the BAA.
Medical billing companies occupy the highest-risk position in the HIPAA ecosystem. Unlike a single-practice provider that holds PHI for its own patients, a billing company aggregates claims data, insurance information, diagnoses, Social Security numbers, and payment records across every covered entity it serves. One company, one breach, hundreds of thousands of affected patients.
Since the 2013 HITECH Omnibus Rule, business associates are directly liable for HIPAA compliance — not just contractually through their BAAs, but under federal law. OCR can investigate and penalize a billing company independently of the covered entities it serves. And they have been. Enforcement actions against business associates increased from 13 in 2023 to 16 in 2024 and 21 in 2025, with billing companies and clearinghouses representing a growing share.
The concentration of PHI at billing companies also creates a compounding problem: when a billing company is breached, every covered entity client becomes a participant in the breach response. Each must notify their own patients, file with OCR, and potentially alert the media. A billing company that lacks a breach notification plan doesn't just fail itself — it cascades failure across its entire client base.
A gap assessment of a typical billing company surfaces 8–15 specific deficiencies — more than most provider practices — because the attack surface is larger, the data volume is higher, and the regulatory obligations span both Privacy and Security Rules in ways that single-practice providers don't encounter.
These are not hypothetical risks. OCR has settled enforcement actions directly against billing companies, clearinghouses, and business associates — with penalties, corrective action plans, and multi-year monitoring. Here are the cases billing companies need to know:
| Entity | Type | Violation | Records Exposed | Penalty |
|---|---|---|---|---|
| Comstar, LLC | Medical billing company | Ransomware attack; no risk analysis conducted | 585,621 individuals across 70+ covered entities | $75,000 + 2-year CAP |
| Inmediata Health Group | Healthcare clearinghouse | ePHI publicly accessible on Internet; indexed by search engines; no risk analysis | 1.5 million individuals (exposed 2016–2019) | $250,000 + prior $1.4M state settlement |
| MMG Fusion, LLC | Software vendor (business associate) | Data breach unreported for 2+ years; PHI posted to dark web; no risk analysis | 15 million individuals | $10,000 + 3-year CAP |
| Elgon Information Systems | Business associate | Ransomware via open firewall ports; inadequate security controls | Not publicly disclosed | Settlement + CAP (2025) |
The Comstar case is particularly instructive for billing companies. Comstar provided billing and collection services to non-profit and municipal ambulance services — the kind of low-profile, essential work many billing companies do. A 2022 ransomware attack exposed PHI across every one of its 70+ covered entity clients. OCR's investigation found Comstar had never conducted a compliant risk analysis. The $75,000 penalty came with a two-year corrective action plan monitored by OCR.
The Inmediata case demonstrates clearinghouse-specific risk: a server misconfiguration left 1.5 million patients' data — including names, SSNs, diagnoses, and claims information — indexed by Google for nearly three years. On top of the $250,000 OCR settlement, Inmediata paid $1.4 million to resolve a 33-state investigation and $1.125 million in a class action lawsuit. Total cost: over $2.7 million.
Most billing companies have signed BAAs. Far fewer actually understand what those agreements obligate them to do. Here are the compliance areas that directly apply to billing companies — and where audits find the most gaps:
Every covered entity relationship requires a signed BAA that specifies what PHI you'll handle, how you'll protect it, and what happens in a breach. BAAs must be reviewed annually and updated when services change, new subprocessors are added, or regulations change. The proposed 2025 HIPAA Security Rule modifications would make annual BAA verification an explicit requirement. An outdated BAA from 2015 provides almost no protection.
The HIPAA Security Rule requires a comprehensive risk analysis that identifies every system where ePHI is stored, processed, or transmitted — and evaluates the risks and vulnerabilities specific to your environment. This is the #1 cited deficiency in OCR enforcement actions. A vendor's built-in compliance checklist does not satisfy this requirement. The risk analysis must be your own, specific to your infrastructure, and documented.
When a breach occurs at a business associate, you must notify every affected covered entity within 60 days of discovery. Not 60 days from when you finished investigating — 60 days from discovery. Each covered entity then has 60 days to notify patients and OCR. MMG Fusion went two years without reporting. The cascading failure meant 15 million individuals' PHI sat on the dark web without any notification.
Encryption at rest and in transit for all ePHI. Unique user authentication — no shared credentials. Automatic logoff. Audit controls that log who accessed what data and when. Emergency access procedures. These aren't suggestions — they're required implementation specifications. Billing companies handling claims through clearinghouse integrations need to verify that data-in-transit encryption covers every connection point in the claims pipeline.
If your billing company uses subcontractors who access PHI — IT vendors, cloud hosting providers, shredding services, software tools — each one requires its own BAA. Under HIPAA, a subcontractor of a business associate is itself a business associate. The chain of liability doesn't stop at your company. Many billing companies have 5–10 subcontractor relationships with no BAA in place.
Every employee who handles PHI must receive documented HIPAA training — not a one-time onboarding slide deck, but role-specific training with documented attendance, content covered, and date completed. New hires must be trained before accessing PHI. Refresher training must occur regularly. Verbal-only training with no documentation is the same as no training in OCR's eyes.
These are the specific failures OCR finds in business associate investigations — and the gaps most likely to surface in an audit of a billing company today.
Your IT support company, cloud backup provider, and clearinghouse integration vendor all access PHI on your behalf. Each one is a subcontractor that requires a BAA. Most billing companies have signed BAAs with their covered entity clients but have zero BAAs with their own vendors. This creates a liability gap that flows upward — if your subcontractor is breached, you're responsible because the chain was broken at your level.
When a breach happens, the 60-day clock starts immediately. If you don't have a written incident response plan that specifies who investigates, who decides if a breach occurred, who notifies which covered entities, and how individual notifications are handled — you will miss the deadline. MMG Fusion went over two years. Even 61 days is a Breach Notification Rule violation. The procedure needs to exist before the breach, not during it.
Billing staff often have broader access to practice management systems and EHRs than their role requires. HIPAA's minimum necessary standard requires that access be limited to the PHI needed for the specific task. A billing specialist who can view clinical notes, imaging records, and lab results — when they only need claims data — is an access control violation and an unnecessary risk surface. Role-based access must be configured and documented.
OCR cites missing or inadequate risk analyses in the majority of its enforcement actions. A billing company risk analysis must map every system that stores or processes ePHI — your billing platform, clearinghouse connections, email, file servers, cloud storage, employee devices — and evaluate the specific threats and vulnerabilities for each. A vendor's generic questionnaire or a compliance software "assessment" that produces a score without analyzing your actual infrastructure does not meet the standard.
Billing companies have high employee turnover. Each new hire who touches PHI must be trained before they start processing claims. Each existing employee needs refresher training. And all of it must be documented: who attended, what was covered, when it happened. A billing company that trained everyone in 2021 and never again has a compliance gap — and if a breach occurs, the lack of current training documentation significantly increases liability.
Separate from breach notification, billing companies need a documented plan for detecting, containing, and responding to security incidents. Who monitors systems for unauthorized access? What happens when a phishing email is clicked? How is a compromised workstation isolated? Elgon Information Systems was breached through open firewall ports — a vulnerability that an incident response framework with regular monitoring would have caught. The plan needs to include lessons-learned reviews after each incident to prevent recurrence.
Claims data moves between providers, billing companies, clearinghouses, and payers through multiple transmission points. Each connection must use encryption that meets HIPAA standards. Many billing companies encrypt data at rest in their billing platform but transmit claims via unencrypted FTP connections, unsecured email, or legacy clearinghouse integrations that predate modern encryption standards. Every transmission path for ePHI must be inventoried and verified.
Medical billing companies that operate as or integrate with healthcare clearinghouses face additional HIPAA obligations. A clearinghouse that converts claims from non-standard to standard formats, processes EDI transactions, or routes claims between providers and payers is a covered entity in its own right — and must comply with both Privacy and Security Rules independently.
The Inmediata case is a cautionary tale for every clearinghouse and billing company that interfaces with one. A misconfigured server exposed patient data to public search engines for three years. The PHI included Social Security numbers, diagnosis codes, claims details, and treatment information. The total financial impact exceeded $2.7 million across federal, state, and civil settlements.
Clearinghouse-specific risks that billing companies must evaluate:

- Data flows through multiple systems (provider → billing company → clearinghouse → payer), and each handoff point requires verified encryption.
- Claims data contains dense PHI (diagnosis codes, procedure codes, SSNs, dates of service), making every record high-value for identity theft.
- The volume of records processed daily means even a brief exposure window affects hundreds of thousands of individuals.
If your billing company uses a third-party clearinghouse, you need a signed BAA with that clearinghouse, verification that they conduct their own risk analysis, and documentation that the data transmission between your systems and theirs is encrypted end-to-end. If you can't verify all three, you have a gap.
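One way to keep the transmission-path inventory this guide calls for is an auditable record of every hop with its transport and its BAA status, checked the same way each time. The following Python is an added example, not the consultancy's or any vendor's tooling; the encrypted-transport list, the `Hop` record and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Transports assumed to encrypt ePHI in transit. Plain FTP, HTTP and unsecured
# SMTP are deliberately absent, so they surface as findings. Adjust to your environment.
ENCRYPTED_TRANSPORTS = {"sftp", "ftps", "https", "as2", "smtp+tls"}

# The party running this inventory; no BAA is needed with yourself.
SELF = "billing company"


@dataclass(frozen=True)
class Hop:
    """One transmission path in the claims pipeline (constructed inventory record)."""
    source: str
    destination: str
    protocol: str       # transport as actually configured, e.g. "sftp" or "ftp"
    baa_on_file: bool   # signed BAA with the other party to this hop?

    @property
    def counterparty(self) -> str:
        return self.destination if self.source == SELF else self.source


def review_hops(hops: List[Hop]) -> List[Tuple[Hop, str]]:
    """Return (hop, finding) pairs; empty means every path is encrypted and BAA-covered."""
    findings = []
    for hop in hops:
        if hop.protocol.lower() not in ENCRYPTED_TRANSPORTS:
            findings.append((hop, f"unencrypted transport: {hop.protocol}"))
        if hop.counterparty != SELF and not hop.baa_on_file:
            findings.append((hop, f"no BAA on file with {hop.counterparty}"))
    return findings


# Constructed sample inventory of the kinds of paths this guide describes.
SAMPLE_HOPS = [
    Hop("Provider EHR", SELF, "sftp", True),           # claims in from a covered entity
    Hop(SELF, "Clearinghouse", "ftp", False),          # legacy integration, no BAA
    Hop(SELF, "Cloud backup vendor", "https", False),  # encrypted, but subcontractor has no BAA
    Hop(SELF, "Provider EHR", "smtp", True),           # remittance reports by plain email
]

if __name__ == "__main__":
    for hop, reason in review_hops(SAMPLE_HOPS):
        print(f"{hop.source} -> {hop.destination}: {reason}")
```

Run against a real inventory, every line of output is a gap to close before an auditor finds it; an empty result is the evidence that the three verifications above were done.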
Billing companies don't need a year-long compliance project. They need a structured assessment, targeted remediation, and documented evidence that every obligation is addressed. Here's how we do it:
We review your complete compliance posture against billing-company-specific HIPAA requirements: every system that touches ePHI (billing platform, clearinghouse integrations, email, file storage, backups), your BAA inventory with both covered entities and subcontractors, workforce training documentation, access control configurations, encryption status on all transmission paths, and breach notification procedures. The output is a prioritized findings report with risk scores. Billing companies typically receive 8–15 findings.
We produce the documentation your billing company needs: a formal security risk analysis, BAA templates for your covered entity clients and your subcontractors, privacy and security policies customized for a billing operation (not provider boilerplate), workforce training materials for billing-specific roles, an incident response plan, and a breach notification procedure with timelines and responsibilities. Where technical controls are missing, we specify exactly what needs to change. Most documentation is delivered within 72 hours.
Billing companies add covered entity clients, change clearinghouse integrations, hire staff, and adopt new software constantly. Each change requires a compliance response — a new BAA, updated risk analysis, training for new hires, verification of a new vendor's security posture. We provide ongoing support to keep your compliance documentation current, conduct annual risk assessment refreshes, and review new vendor agreements. One relationship, senior consultant access, no account managers.
Fixed pricing, direct senior consultant access, and a 72-hour promise from kickoff to initial deliverable. No account managers, no templated PDFs, no surprises.
A structured review of your billing company's full compliance posture — systems inventory, BAA status with clients and subcontractors, clearinghouse integration security, workforce training, and breach readiness. Output: a prioritized findings report and remediation roadmap.
Core policy set, BAA templates for covered entities and subcontractors, incident response plan, breach notification procedures, and workforce training materials customized for billing operations. The fastest path from zero to documented compliance, delivered in 72 hours.
Deep review of your BAAs with covered entities and subcontractors, clearinghouse agreements, and data transmission security. Identifies gaps in your chain of liability and ensures every vendor relationship is documented and compliant.
A 30-minute discovery call costs nothing. We'll scope the engagement, identify your biggest compliance gaps, and tell you exactly what HIPAA compliance looks like for a billing operation your size, before any money changes hands.
Yes. Under the HITECH Act and the 2013 Omnibus Rule, business associates — including medical billing companies — are directly liable for HIPAA compliance. Your clients' compliance programs do not cover you. You need your own documented risk analysis, your own security policies, your own workforce training, and your own breach notification procedures. OCR enforces against business associates independently of the covered entities they serve.
A billing company breach triggers a cascading notification obligation. The business associate must notify every affected covered entity within 60 days of discovering the breach. Each covered entity then has 60 days to notify the affected individuals, OCR (if over 500 individuals), and the media (if over 500 in a single state). In 2025, Comstar LLC — a billing company with 70+ covered entity clients — settled with OCR for $75,000 after a ransomware attack exposed the PHI of 585,621 individuals across all its clients.
Yes. A healthcare clearinghouse that processes claims is a covered entity under HIPAA and also functions as a business associate when handling PHI on behalf of providers. Every relationship where the clearinghouse creates, receives, maintains, or transmits PHI requires a signed BAA. In 2024, OCR settled with Inmediata Health Group — a healthcare clearinghouse — for $250,000 after finding that the ePHI of 1.5 million individuals was publicly accessible on the Internet for nearly three years.
Concentration of PHI. A single billing company may handle the protected health information of hundreds of thousands of patients across dozens of covered entities. A single breach exposes every client's patients simultaneously. This is why OCR has been increasing enforcement against business associates — billing companies represent systemic risk to the healthcare data ecosystem. The most critical control is a comprehensive risk analysis that maps every system where PHI is stored, processed, or transmitted.
With structured help, a billing company can have core documentation — risk analysis, BAA templates, security policies, workforce training materials, and breach notification procedures — completed within 72 hours of kickoff. Full operational compliance including staff training, technical safeguard implementation, and subcontractor BAA review typically takes 2–4 weeks depending on the number of covered entity relationships and systems in scope. The key is starting with a gap assessment to identify exactly what's missing.