ComplianceArmor · HIPAA for medical billing

HIPAA documentation for medical billing companies. Built in 30 days.

A complete HIPAA-aligned documentation package for third-party medical billing services, claims processors, RCM firms, and clearinghouses, scoped to the Business Associate role you actually play. ComplianceArmor delivers 33 policies, the Security Risk Analysis at 45 CFR § 164.308(a)(1)(ii)(A), downstream BAA register, breach plan, and OCR-ready evidence library.

HIPAA-aligned package | Business Associate scope | OCR Audit-Ready | BBB A+ Since 2003
Who this is for

Third-party billers are Business Associates by default.

Since the HITECH Act, medical billing companies are directly liable to OCR under HIPAA, not just to the practice that hired them. The package documents the program OCR expects from a Business Associate, scoped to the way claims actually move.

This page is for third-party medical billing services, revenue cycle management (RCM) firms, claims processing companies, clearinghouses, denial-management services, patient statement vendors, and the AR follow-up call centers that handle patient PHI every workday. If your platform is Kareo, AdvancedMD, athenaCollector, eClinicalWorks RCM, Greenway, or a homegrown billing system; your team handles eligibility checks, claim submissions, EOB postings, denied-claim appeals, and patient statements; and your workforce works both in offices and from home, this is the right scope.

The HIPAA Privacy Rule and Security Rule apply to Business Associates with the same force as to covered entities, since the 2013 Omnibus Rule. OCR can audit you, fine you, and enter into a resolution agreement with you, regardless of what your client (the medical practice) is doing. The Change Healthcare incident in 2024 made this concrete: a clearinghouse breach drove the largest HIPAA enforcement matter in OCR's history, with downstream effects on every covered entity and Business Associate that touched the same claims pipeline.

Billing companies have a different operational risk profile than provider offices. The PHI volume per employee is much higher (a single coder may touch hundreds of patient records a day). The remote workforce share is much higher (many billers run a fully distributed team). The downstream vendor footprint is much higher (clearinghouses, statement printers, payment posting services, collection agencies). The package treats those facts as scope inputs rather than asking you to retrofit a provider-office program.

Medical billing risk profile

Where OCR finds billing companies coming up short.

The enforcement pattern for Business Associates is younger than for covered entities, but the trajectory is now well-established. These are the failure modes named in resolution agreements.

BAA with covered entity but not with downstream subcontractors

You have a BAA with the practice. Do you have one with the clearinghouse, the statement vendor, the merchant processor, and the cloud host? Each is a downstream Business Associate of yours, requiring its own BAA under 45 CFR § 164.502(e)(1)(ii). Resolution agreements regularly cite missing subcontractor BAAs.

EOB and statement misdelivery

Patient statements and explanation of benefits sent to the wrong address are a low-tech, high-frequency breach pattern. The breach notification clock starts when the misdelivery is discovered. Without a documented mailroom and address-verification procedure, the practice's complaint becomes your complaint to OCR.

Remote workforce with no documented controls

Coders, billers, and AR follow-up staff working from home see PHI on the screen all day. Without a written remote workforce policy, screen privacy standard, network requirement, and acceptable-use rule, the practice has no defense against a workforce-based breach.

IRS retention treated the same as HIPAA retention

HIPAA requires that policies and procedures be retained for 6 years from their creation date or last-effective date. State law sets medical record retention. IRS rules set a separate retention standard for financial records. Many billing companies treat these as the same number and end up keeping too much PHI for too long, which expands the breach footprint.

Identity theft response when claims data is exfiltrated

A breach of billing data is not just a HIPAA breach. It is a financial-identity event under state laws and FTC rules, since claims data includes Social Security numbers, dates of birth, and insurance card numbers. Most billing companies have a HIPAA breach plan but not a parallel identity theft response plan, and end up improvising under pressure.

Denied claim PHI moving by email

Denial appeals frequently get sent and received over email between the biller, the payer, and the practice. Without secure email, an inbound-PHI handling rule, and a workflow that keeps appeals inside a portal, every appeal cycle creates a transmission security risk.

Recent OCR enforcement against Business Associates has averaged six- and seven-figure resolution agreements, with corrective action plans running 18 to 36 months. Practices and payers increasingly require their billing partners to produce HIPAA documentation as a condition of contract renewal. The package gives you the binder you can hand a client's vendor risk team in 24 hours, and the documentation OCR is looking for if you become the named entity in a complaint.

What you receive

Business-Associate-scoped HIPAA documentation. In one package.

The full ComplianceArmor HIPAA library, with billing-specific scoping written into every artifact. Branded, editable, yours forever, no subscription.

33 HIPAA Policy Templates

Administrative, Physical, Technical, and Organizational safeguards, scoped to a Business Associate.

Security Risk Analysis

Required at 45 CFR § 164.308(a)(1)(ii)(A), scored for the billing platform, clearinghouse, and remote team.

Two-Way BAA Register

Upstream BAAs (with practices and payers) and downstream subcontractor BAAs (clearinghouse, statements, cloud).

EOB & Statement Procedure

Address verification, mailroom controls, return-mail handling, and the misdelivery breach response.

Breach Notification Plan

HIPAA four-factor risk assessment, covered-entity notification clock, and parallel identity theft response.

Remote Workforce Policy

Coder, biller, and AR-staff home-office controls: screen privacy, network requirement, acceptable use, lost-device.

Retention Crosswalk

HIPAA 6-year policy retention vs state medical record retention vs IRS financial retention, with a defensible rule per record class.

Denied Claim Workflow

Secure email standard, portal-first appeal handling, and the inbound-PHI rule for when payers send PHI unencrypted.

Claims Pipeline ePHI Inventory

Where PHI lives across billing system, clearinghouse, statement vendor, payment processor, and reporting tools.

Workforce Training Program

Billing-specific privacy training, recorded for distributed staff, with annual refresh and sign-in logs.

Risk Management Plan

Remediation roadmap with owners, target dates, and the cadence to retire each finding.

OCR Interview Prep Guide

The questions investigators ask Business Associates, with confident, plain-English answers.

Transparent pricing

Billing HIPAA done-for-you. Fixed price.

No hourly billing. No surprise invoices. No external auditor required to attest to HIPAA. You own every document forever.

Medical billing HIPAA implementation package
From $7,997

Delivered in 30 days, scoped to your billing platform, your clearinghouse and downstream subcontractor footprint, and your workforce model. Self-attested under HHS rules: there is no HHS-recognized HIPAA certification.

Fixed price | 30-day delivery | Self-attested | You own the docs

Where the price moves: A small billing company (under 25 staff, 1 to 3 client practices, a single clearinghouse, a single platform) sits at the $7,997 base. Mid-size RCM firms and clearinghouses, organizations with an international workforce in scope, billers handling Part 2 substance use claims, and companies pursuing SOC 2 in parallel for client procurement add scoping time. We tell you the number before you sign, in writing. Bundle pricing with SOC 2 ($18,997) is common for RCM firms going through enterprise procurement.

The Audit-Ready Promise

If we missed something, we fix it free.

Every ComplianceArmor HIPAA engagement carries the Petronella Technology Group Audit-Ready Promise. If any artifact has a gap, we fix it at no charge within 30 days. If your package fails an OCR review or audit because of our work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.

Frequently asked

Medical billing HIPAA questions buyers ask.

Is our medical billing company a HIPAA Business Associate?

Yes, by definition. A medical billing company creates, receives, maintains, or transmits PHI on behalf of a covered entity (the practice or payer). That makes it a Business Associate under 45 CFR § 160.103. The 2013 Omnibus Rule made Business Associates directly liable to OCR for the Privacy and Security Rules. Your client's BAA with you is required, but it does not change your independent obligation to OCR.

Do we need BAAs with our subcontractors?

Yes. Under 45 CFR § 164.502(e)(1)(ii), a Business Associate must obtain satisfactory assurances (in the form of a BAA) from any subcontractor that creates, receives, maintains, or transmits PHI on its behalf. That includes your clearinghouse, your patient statement printer, your cloud hosting provider, your secure email vendor, your IT support firm, and any AI-assisted coding or auditing tool. The Two-Way BAA Register tracks both your upstream BAAs (with practices and payers) and your downstream BAAs (with subcontractors).

What are the Change Healthcare-style risks for our company?

The 2024 Change Healthcare incident demonstrated three Business Associate risks at scale: a single clearinghouse breach can cascade to thousands of downstream practices and payers; OCR will treat the Business Associate as the primary investigation target; and identity theft exposure runs in parallel to HIPAA breach exposure since claims data includes financial identifiers. The package's Breach Notification Plan and Identity Theft Response Plan are designed to be run together so the response team is not improvising on either side under pressure.

How do we handle the remote workforce?

Coders, billers, and AR follow-up staff working from home are in scope. Your administrative safeguards have to address remote workforce security: screen privacy from family members, network controls (no shared Wi-Fi without protections), acceptable-use rules, lost-device response, and the question of who in the household is allowed to be in the room. The Remote Workforce Policy in the package writes these down at a level a distributed team can sign and meet without compliance making site visits.

What about EOB and statement misdelivery?

Mail to the wrong address is the most common low-tech breach pattern in billing. The HIPAA breach notification clock starts when the misdelivery is discovered, not when the patient calls in. The EOB and Statement Procedure in the package includes an address verification step, a mailroom control (envelope-window check, batch reconciliation), a returned-mail workflow, and a misdelivery breach response that distinguishes a single envelope event (low risk) from a systemic file mismatch (reportable breach).

How long do we have to keep claims and payment data?

Retention is set by three different rules layered on the same data. HIPAA requires that policies and procedures be retained for 6 years from the date of creation or last-effective date (45 CFR § 164.530(j)(2)). State law sets medical record retention (varies by state, often 7 to 10 years). IRS rules set financial records retention (typically 7 years). The Retention Crosswalk in the package writes a defensible rule per record class so you are not over-retaining PHI and inflating your breach footprint.

What happens if our system is breached?

Two clocks start. The HIPAA breach notification clock requires you to notify the affected covered entity (your client) without unreasonable delay and in no case later than 60 days after discovery; the covered entity then notifies patients and OCR. State data breach notification clocks may run shorter (30 to 45 days in many states). Identity theft notification under FTC rules and state laws runs in parallel. The Breach Notification Plan walks all three clocks at the same time. For active incident response, see our incident response services.

What does our client (the practice or payer) need to see?

Practices and payers increasingly send their billing partners a vendor risk questionnaire and ask for evidence: a copy of the Risk Analysis, the policies, the workforce training records, the BAA list, and a current SOC 2 report when applicable. The package gives you the binder a vendor risk team can review in an hour. SOC 2 readiness is a separate engagement available alongside HIPAA at a bundle price; many billers do both at once because their enterprise clients ask for both.

Stop authoring HIPAA policies. Start the program.

Schedule a 30-minute demo. We will walk through your billing platform, your clearinghouse and subcontractor footprint, and your workforce model, scope your HIPAA package live, and show the deliverables OCR and your enterprise clients would expect to see for a Business Associate.
