The HHS Office for Civil Rights (OCR) collected $4.18 million in HIPAA penalties during the first half of 2025 alone, and billing-related violations accounted for a growing share of those enforcement actions. What makes HIPAA compliance in medical billing tricky is not that the rules are hidden. They are public, well-documented, and amended through public rulemaking. The problem is that most billing teams learn HIPAA through annual training slide decks that cover the basics without ever getting into the operational details that actually trigger violations. When a practice receives a data request or notice of investigation from OCR, the gap between “we thought we were compliant” and “here is what the regulation actually required” becomes expensive.
HIPAA’s billing requirements sit across two rulesets, and understanding which rule applies to which part of your billing operation is the first step toward compliance that holds up under scrutiny.
The Security Rule vs. the Privacy Rule: Where Billing Teams Get Confused
Most practices treat HIPAA as a single set of rules. It is not. The Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) governs how protected health information (PHI) can be used and disclosed. The Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) governs how electronic PHI (ePHI) must be protected from unauthorized access, alteration, and loss.
For billing operations, both rules apply, but they cover different parts of the workflow. The Privacy Rule controls who on your billing team can access patient records, what information can be shared with a clearinghouse or payer, and how patients can request restrictions on billing disclosures. The Security Rule controls how your billing software stores claim data, how ePHI is transmitted to payers and clearinghouses, and what happens when a laptop with billing data gets stolen from someone’s car.
| Rule | What It Covers in Billing | Key Requirement | Common Violation |
|------|---------------------------|-----------------|------------------|
| Privacy Rule | Who can see and share PHI | Minimum necessary standard | Billing staff accessing records for patients they don’t handle |
| Security Rule | How ePHI is stored and transmitted | Administrative, physical, and technical safeguards | Unencrypted claim files emailed to a billing vendor |
| Breach Notification Rule | What happens after a breach | Notice without unreasonable delay, no later than 60 days after discovery | Late reporting of a billing data exposure |
| Enforcement Rule | Penalties and investigation process | Tiered penalty structure | Failure to cooperate with OCR investigation |
The minimum necessary standard under the Privacy Rule is the one that catches billing teams most frequently. Your billing staff should access only the PHI they need for the specific claim they’re working on. A coder processing a dermatology claim does not need access to the patient’s psychiatric treatment records. But if your EHR and practice management system give all billing staff the same access level to all patient records, you have a minimum necessary violation built into your workflow (and most practices do).
Common HIPAA Violations in Billing Operations
OCR enforcement actions paint a clear picture of where billing-related violations cluster. These are not hypothetical risks. They are patterns drawn from published resolution agreements and civil money penalty cases.
Impermissible disclosure to business associates without a BAA. In 2023, OCR settled with a cardiology practice in Connecticut for $200,000 after the practice sent claim data to a third-party billing company without a signed Business Associate Agreement in place. The billing company had been processing claims for 14 months before anyone noticed the BAA was missing. The relationship was not the problem. The missing contract was.
Lack of access controls on billing systems. A multi-location orthopedic group in Florida paid $1.5 million in 2022 after an OCR investigation found that all 43 billing staff members had full access to every patient record across all locations. The investigation started with a patient complaint about a billing error, not a breach. OCR found the access control failure during the subsequent review.
Unencrypted ePHI in transit. Sending claim files, explanation of benefits documents, or patient billing statements over unencrypted email violates the Security Rule’s transmission security standard (45 CFR 164.312(e)), which has been part of the rule since it was first issued. HIPAA does not name an encryption algorithm, and encryption is an “addressable” specification, so you must either encrypt ePHI in transit or document why an equivalent alternative safeguard is reasonable and appropriate. In practice that means SFTP or AS2 for file transfers, HTTPS with TLS 1.2 or higher for payer portals and APIs, and for email either S/MIME, a secure-message portal, or a comparable end-to-end control. Opportunistic STARTTLS between mail servers is hop-by-hop and can silently fall back to plaintext, so it is not something your risk analysis should rely on by itself.
Failure to conduct a risk analysis. The Security Rule requires a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)) that covers all ePHI your practice creates, receives, maintains, or transmits. Your billing workflow handles ePHI at every stage, from eligibility verification through payment posting. If your risk analysis does not specifically address billing systems, clearinghouse connections, and billing staff access, it is incomplete. OCR has cited incomplete risk analysis in more enforcement actions than any other single violation.
From what we’ve seen working with practices across multiple specialties, the risk analysis gap is almost universal. Practices conduct a risk analysis for their EHR system, their patient portal, and their network infrastructure. They forget the billing side entirely.
Business Associate Agreements: What Your BAA Must Include
If any outside entity handles PHI on your behalf for billing purposes, you need a BAA with that entity before they touch a single claim. This includes billing companies, clearinghouses, coding consultants, collection agencies, and cloud hosting providers for your practice management system.
A compliant BAA is not a template downloaded from a legal website with your name pasted in. It must include specific provisions:
- Permitted uses and disclosures. The BAA must define exactly what the business associate can do with PHI. A billing company needs access to demographic data, insurance information, clinical codes, and diagnosis information. The BAA should say that, and it should say the business associate cannot use PHI for any other purpose.
- Safeguards obligation. The business associate must agree to implement administrative, physical, and technical safeguards for ePHI. This is not optional language.
- Breach notification timeline. The BAA must require the business associate to notify you of a breach within a specific timeframe. HIPAA requires notification “without unreasonable delay” and no later than 60 days after discovery. Most well-drafted BAAs shorten this to 5 to 10 business days.
- Subcontractor flow-down. If your billing company uses a sub-contractor (a coding service, a clearinghouse, a collection agency), the BAA must require the billing company to have its own BAA with that sub-contractor. PHI does not lose its protection just because it moved one more step down the chain.
- Return or destruction of PHI at termination. When the relationship ends, the business associate must return or destroy all PHI. If destruction is not feasible (archived claims data in a backup system, for instance), the BAA must extend protections to that retained data indefinitely.
So if your current BAA is a two-page document that says “both parties agree to comply with HIPAA,” you do not have a compliant BAA. You have a piece of paper that will not help you when OCR comes asking questions.
What to Audit in Your Billing Workflow
A billing-specific HIPAA audit should examine six areas. Most practices audit zero of them unless they’ve already had an OCR inquiry.
Access controls. Pull a list of every person who has access to your billing system. Compare that list to your current billing staff. If former employees still have active credentials, if temporary staff were given permanent access, or if all users share the same login, you have a finding.
Data transmission. Map every path that ePHI takes from your practice to an external entity. Claims to clearinghouses. Statements to patients. Eligibility queries to payers. Billing data to your outsourced billing partner. Every path should use encryption. Document the encryption method for each path.
Workstation security. Billing staff workstations should have automatic screen locks (HIPAA sets no number; 15 minutes of inactivity is a common ceiling, and shorter is better in shared or public-facing areas), full-disk encryption, and current endpoint protection. If a billing team member works remotely, their home workstation must meet the same standards.
BAA inventory. Create a list of every entity that receives PHI from your billing operation. Confirm that a current, signed BAA exists for each one. Check that each BAA includes all five required provisions listed above. “We have a BAA somewhere” is not compliance.
Training documentation. HIPAA requires workforce training. Not just completion certificates, but training specific to billing-related privacy and security risks. Your training records should show what was covered, when it happened, and who attended.
Incident response for billing breaches. If a billing file is sent to the wrong payer, if a patient’s EOB is mailed to the wrong address, if a billing staff member accesses a record they shouldn’t have viewed, your team needs to know the exact steps to follow. This response plan must be written, accessible, and tested.
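Two of the six audit areas above, the access review and the transmission-path map, are mechanical enough to script. The following is an added example written for this article, not code from the author or from any practice management system. The CSV exports and the HR roster are constructed for illustration, and their column names are assumptions; adapt them to whatever your billing system and HR system actually export.

```python
"""Two automated checks from a billing-workflow HIPAA audit: an access review
and a transmission-path review.

Added example for this article, not code from the author or from any practice
management system. The CSV exports below are constructed for illustration and
their column names are assumptions; adapt them to your system's real export.
"""
import csv
import io
from datetime import date

# Date the audit is run (assumption, used to measure dormant accounts).
AUDIT_DATE = date(2026, 3, 15)

# Constructed: user export from the billing system (assumed columns).
BILLING_USERS_CSV = """username,full_name,status,last_login,shared_account
jsmith,Jane Smith,active,2026-02-20,no
rjones,Rob Jones,active,2025-09-03,no
frontdesk,Front Desk,active,2026-03-01,yes
tmp_ann,Ann Temp,active,2026-01-15,no
mlee,Mia Lee,disabled,2024-11-02,no
"""

# Constructed: HR roster of everyone who should hold billing access.
HR_ROSTER_CSV = """full_name,employment_status,end_date
Jane Smith,employed,
Rob Jones,terminated,2025-09-05
"""

# Constructed: inventory of every path ePHI takes out of the practice.
TRANSMISSION_PATHS_CSV = """destination,purpose,transport,payload_encryption
Clearinghouse A,837 claim batches,sftp,none
Payer B,270/271 eligibility,https,none
Billing vendor,claim files,smtp,none
Patient,statement copies,smtp,s/mime
Collections agency,aging report,ftp,none
"""

# Transports that encrypt in transit on their own (assumption: the practice has
# verified each endpoint enforces TLS 1.2+ or SSH and does not fall back).
ENCRYPTED_TRANSPORTS = {"sftp", "https", "as2"}
# Payload-level protection that makes a plaintext channel acceptable. Plain
# SMTP is deliberately absent: STARTTLS is opportunistic and hop-by-hop.
ACCEPTED_PAYLOAD_ENCRYPTION = {"s/mime", "pgp"}


def access_findings(users_csv, roster_csv, audit_date, stale_days=90):
    """Compare active billing-system accounts against the HR roster.

    Returns (username, finding) pairs: terminated staff still enabled, accounts
    with no roster entry (temps, vendors, ghosts), shared logins, and dormant
    accounts nobody has noticed.
    """
    roster = {r["full_name"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for user in csv.DictReader(io.StringIO(users_csv)):
        if user["status"] != "active":
            continue  # a disabled account is not an access exposure
        name = user["username"]
        hr = roster.get(user["full_name"])
        if user["shared_account"] == "yes":
            findings.append((name, "shared login: no individual accountability"))
        if hr is None:
            findings.append((name, "active account with no HR roster entry"))
        elif hr["employment_status"] == "terminated":
            findings.append((name, f"terminated {hr['end_date']} but still active"))
        idle = (audit_date - date.fromisoformat(user["last_login"])).days
        if idle > stale_days:
            findings.append((name, f"dormant: no login for {idle} days"))
    return findings


def transmission_findings(paths_csv):
    """Flag every outbound ePHI path that has neither an encrypted transport
    nor payload-level encryption. Returns (destination, finding) pairs."""
    findings = []
    for path in csv.DictReader(io.StringIO(paths_csv)):
        transport = path["transport"].lower()
        payload = path["payload_encryption"].lower()
        if transport in ENCRYPTED_TRANSPORTS or payload in ACCEPTED_PAYLOAD_ENCRYPTION:
            continue
        findings.append((path["destination"],
                         f"{transport} with {payload} payload encryption ({path['purpose']})"))
    return findings


if __name__ == "__main__":
    for item in access_findings(BILLING_USERS_CSV, HR_ROSTER_CSV, AUDIT_DATE):
        print("ACCESS      ", *item)
    for item in transmission_findings(TRANSMISSION_PATHS_CSV):
        print("TRANSMISSION", *item)
```

On the constructed data this reports the terminated and dormant account, the shared front-desk login, the temp with no roster entry, and the two plaintext paths (claim files over SMTP, an aging report over FTP), while the S/MIME-protected statements pass. Each finding maps to a line in your corrective action plan, and the script output, dated, is the evidence OCR asks for when it wants to see that the review actually happened.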
How My Medical Bill Solution Maintains HIPAA Compliance
HIPAA compliance in billing is not a checkbox. It is an operational requirement that touches every claim, every file transfer, and every staff interaction with patient data. My Medical Bill Solution builds compliance into the billing workflow rather than layering it on top.
Our medical billing services operate under a signed BAA with every client practice that includes all five required provisions, a 5-business-day breach notification commitment, and annual BAA reviews. We do not use template BAAs. Each agreement is reviewed against the practice’s specific data-sharing requirements.
Our technical infrastructure runs on hosting covered by a signed BAA with the provider (there is no such thing as a “HIPAA-certified” host, only a host that accepts business associate obligations), with AES-256 encryption at rest and TLS 1.3 for all data in transit. Role-based access controls restrict our billing staff to the specific practice and patient data they need for their assigned claims. Every access event is logged and auditable, with access logs retained for six years, matching the Security Rule’s documentation retention period (45 CFR 164.316(b)(2)).
Our team completes billing-specific HIPAA training quarterly, not just the annual refresher that meets the minimum requirement. Training covers real enforcement actions, billing-specific risk scenarios, and updates from the most recent OCR guidance documents. And every staff member signs a confidentiality agreement that goes beyond what HIPAA requires.
We conduct internal risk assessments twice per year that specifically cover billing workflows, clearinghouse connections, and client data access patterns. The findings feed into a corrective action plan with deadlines and accountable owners. That plan is not a document that sits in a drawer. Our compliance officer reviews progress monthly.
For practices that want to strengthen their claims management process while maintaining full HIPAA compliance, the billing partner you choose makes a material difference. A billing company that treats HIPAA as a training obligation rather than an operational architecture will eventually produce a violation. The question is when, not if.
Frequently Asked Questions
Does HIPAA require encryption for all billing data?
The Security Rule classifies encryption as an “addressable” implementation specification (45 CFR 164.312(a)(2)(iv) for data at rest, 164.312(e)(2)(ii) for data in transit), not a “required” one. That does not mean you can skip it. “Addressable” means you must either implement encryption or document why it is not reasonable and appropriate and what equivalent alternative safeguard you implemented instead. In practice, encryption is the standard because no alternative measure achieves the same result for ePHI in transit. It also has a second payoff: under HHS breach guidance, PHI encrypted consistent with NIST SP 800-111 (storage) or NIST SP 800-52 (TLS) is considered “unusable, unreadable, or indecipherable,” so losing an encrypted laptop or file is not a reportable breach. AES-256 for data at rest and TLS 1.2 or higher for data in transit are the accepted benchmarks.
What happens if our billing company has a data breach?
Your billing company is a business associate under HIPAA. If it experiences a breach of unsecured PHI, it must notify you without unreasonable delay and no later than 60 calendar days after it discovers the breach (45 CFR 164.410), or sooner if your BAA requires it. You, as the covered entity, must then notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.404); if the billing company acts as your agent, its discovery date counts as yours. If 500 or more individuals are affected, you must also notify HHS at the same time, and if more than 500 residents of a single state or jurisdiction are affected, you must notify prominent media outlets serving that state (45 CFR 164.406 and 164.408). Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
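The thresholds above are easy to mix up under pressure (500 or more in total for HHS, more than 500 residents of one state for media, and a different annual deadline for everything smaller), so here they are as a small deadline calculator. This is an added example written for this article, not the author’s code; the incident figures are constructed, and the function encodes only the rule’s outer limits, since the actual standard is “without unreasonable delay.”

```python
"""Who must be notified of a breach, and by when, under 45 CFR 164.404-164.410.

Added example for this article, not the author's code; the incident figures
are constructed. It encodes the outer deadlines only: the rule's standard is
"without unreasonable delay", and 60 days is the ceiling, not the target.
"""
from datetime import date, timedelta

MAX_DAYS = 60  # calendar days after discovery (164.404(b), 164.406(b), 164.408(b))


def discovery_date(ce_discovered, ba_discovered=None, ba_is_agent=False):
    """A breach discovered by a business associate that acts as the covered
    entity's agent is treated as discovered by the covered entity on the same
    day (164.404(a)(2)); otherwise the clock starts when the CE learns of it."""
    if ba_is_agent and ba_discovered is not None:
        return min(ce_discovered, ba_discovered)
    return ce_discovered


def notification_obligations(discovered, affected_by_state):
    """Return {recipient: deadline} for a covered entity.

    affected_by_state maps each state or jurisdiction to the number of its
    residents whose unsecured PHI was involved.
    """
    deadline = discovered + timedelta(days=MAX_DAYS)
    obligations = {"affected individuals": deadline}
    for state, count in affected_by_state.items():
        if count > 500:        # 164.406: more than 500 residents of one state
            obligations[f"prominent media serving {state}"] = deadline
    total = sum(affected_by_state.values())
    if total >= 500:           # 164.408(b): 500 or more, tell HHS with the individuals
        obligations["HHS/OCR"] = deadline
    else:                      # 164.408(c): log it, report within 60 days after year end
        year_end = date(discovered.year, 12, 31)
        obligations["HHS/OCR annual log"] = year_end + timedelta(days=MAX_DAYS)
    return obligations


def business_associate_deadline(ba_discovered):
    """164.410(b): the BA must tell the covered entity no later than 60 days
    after its own discovery; a well-drafted BAA shortens this considerably."""
    return ba_discovered + timedelta(days=MAX_DAYS)


# Constructed incident: a billing vendor's breach affecting 620 Connecticut and
# 40 New York residents, discovered by the practice on 2026-03-10.
LARGE_BREACH = notification_obligations(date(2026, 3, 10), {"CT": 620, "NY": 40})
# Constructed: a misdirected EOB batch affecting 12 people, same discovery date.
SMALL_BREACH = notification_obligations(date(2026, 3, 10), {"CT": 12})

if __name__ == "__main__":
    for label, plan in (("large", LARGE_BREACH), ("small", SMALL_BREACH)):
        for recipient, due in plan.items():
            print(f"{label}: notify {recipient} by {due.isoformat()}")
```

For the constructed 660-person incident, individuals, HHS, and Connecticut media are all due by 9 May 2026, while New York, with only 40 residents, gets no media notice. The 12-person incident goes into the annual log, due 1 March 2027. Note what the calculator does not do: it does not decide whether an incident is a breach at all (that is the four-factor risk assessment in 164.402), and it does not account for a law-enforcement delay request under 164.412.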
How long must we retain billing records under HIPAA?
HIPAA itself requires retention of its own documentation (policies, procedures, and records of required actions, activities, and assessments) for six years from creation or last effective date, whichever is later (45 CFR 164.530(j) for the Privacy Rule, 164.316(b)(2) for the Security Rule). It sets no retention period for the claims or medical records themselves; state law and payer rules do. Medicare requires providers to keep documentation supporting claims for seven years from the date of service (42 CFR 424.516(f)), and Medicare Advantage contracts require ten years. Check your state’s medical record retention laws and your major payer contracts to determine the longest applicable requirement.
Can billing staff access any patient record in the system?
No. The Privacy Rule’s minimum necessary standard (45 CFR 164.502(b)) requires that workforce members access only the PHI needed for their specific job function. A billing team member working on cardiology claims does not need access to behavioral health records. Your practice management system should enforce role-based access controls that limit visibility to relevant records only.
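The minimum necessary standard, described here and in the Security Rule vs. Privacy Rule section above, comes down to an access decision with three inputs: is this claim assigned to this user, does this user’s role need this kind of data, and does the claim actually contain it. The following is an added example written for this article, not code from the author or from any EHR or practice management product; the role names, record categories, and claim-assignment table are assumptions constructed to illustrate the rule, and it goes one step past the text by also checking the role configuration itself for the “everyone sees everything” pattern.

```python
"""Minimum-necessary access decision for a billing team.

Added example for this article, not code from the author or from any EHR or
practice management product. Role names, record categories and the
claim-assignment table are assumptions constructed to illustrate the rule.
"""
from dataclasses import dataclass, field

# Record categories in a combined EHR/PM system (assumption).
BILLING_CATEGORIES = {"demographics", "insurance", "claim_codes"}    # CPT/ICD on the claim
CLINICAL_CATEGORIES = {"clinical_notes", "behavioral_health_notes"}  # never needed to bill

# What each billing role may see, and only on claims assigned to it (assumption).
ROLE_CATEGORIES = {
    "coder": {"demographics", "insurance", "claim_codes"},
    "payment_poster": {"demographics", "insurance"},
    "billing_manager": {"demographics", "insurance", "claim_codes"},
}


@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    specialty: str
    categories: frozenset  # categories that actually exist on this claim


@dataclass
class BillingUser:
    user_id: str
    role: str
    assigned_claims: set = field(default_factory=set)


def check_access(user, claim, category):
    """Return (allowed, reason). Access is allowed only when the claim is
    assigned to the user, the user's role needs that category, and the claim
    contains it. The reason is what goes in the audit log either way."""
    if category in CLINICAL_CATEGORIES:
        return False, "clinical content is outside any billing role"
    if claim.claim_id not in user.assigned_claims:
        return False, "claim not assigned to user"
    if category not in ROLE_CATEGORIES.get(user.role, set()):
        return False, f"role {user.role} does not need {category}"
    if category not in claim.categories:
        return False, f"claim has no {category}"
    return True, "minimum necessary satisfied"


def config_findings(role_categories):
    """Flag role definitions that bake in a minimum-necessary violation: a
    billing role that can read clinical content, or every role granted the
    identical set (the 'all billing staff see everything' pattern)."""
    findings = [f"{role} can read clinical content"
                for role, cats in role_categories.items() if cats & CLINICAL_CATEGORIES]
    distinct = {frozenset(cats) for cats in role_categories.values()}
    if len(role_categories) > 1 and len(distinct) == 1:
        findings.append("all billing roles have identical access")
    return findings


# Constructed sample data: one patient with a dermatology claim and a
# psychiatry claim, and a coder who handles only the dermatology work.
DERM_CLAIM = Claim("C-1001", "P-77", "dermatology",
                   frozenset({"demographics", "insurance", "claim_codes"}))
PSYCH_CLAIM = Claim("C-2002", "P-77", "psychiatry",
                    frozenset({"demographics", "insurance", "claim_codes"}))
DERM_CODER = BillingUser("u.derm", "coder", {"C-1001"})
POSTER = BillingUser("u.post", "payment_poster", {"C-1001", "C-2002"})
MANAGER = BillingUser("u.mgr", "billing_manager", {"C-1001", "C-2002"})

# Constructed: the misconfiguration the article warns about, every billing
# role granted the same full access including clinical notes.
EVERYONE_SEES_EVERYTHING = {
    role: BILLING_CATEGORIES | CLINICAL_CATEGORIES for role in ROLE_CATEGORIES
}

if __name__ == "__main__":
    print(check_access(DERM_CODER, DERM_CLAIM, "claim_codes"))
    print(check_access(DERM_CODER, PSYCH_CLAIM, "claim_codes"))
    print(check_access(MANAGER, PSYCH_CLAIM, "behavioral_health_notes"))
    print(config_findings(ROLE_CATEGORIES), config_findings(EVERYONE_SEES_EVERYTHING))
```

The dermatology coder can read the codes on the claim assigned to them and nothing on the psychiatry claim for the same patient; the payment poster can see insurance but not codes; and no billing role, including the manager, can open behavioral health notes regardless of assignment. The `config_findings` check is the one worth running against your real system: if your vendor’s role table gives every billing role the same rights, the workflow has a built-in violation before anyone touches a record.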
Do we need a separate BAA for our clearinghouse?
Yes. A clearinghouse is itself a HIPAA covered entity, but when it processes claims on your behalf it is acting as your business associate, and HIPAA requires a BAA before it receives any PHI. If your billing company submits claims through a clearinghouse on your behalf, either you or your billing company must have a BAA with that clearinghouse. Check your billing company’s BAA to confirm whether its subcontractor provisions cover this relationship.
Is annual HIPAA training sufficient for billing staff?
HIPAA requires training for new workforce members and periodic refresher training, but it does not specify frequency for refreshers. Annual training meets the minimum. However, billing staff handle ePHI every day across multiple systems and payer connections. Quarterly training that covers billing-specific scenarios, recent OCR enforcement actions, and changes to payer security requirements provides stronger protection and better prepares your team for an OCR audit.
Concerned about HIPAA compliance in your billing operations? Get Your Free Assessment or call My Medical Bill Solution at (888) 555-0123.
Last updated: March 2026