The essential compliance checklist for evaluating medical billing companies — from BAA requirements and encryption standards to security certifications and breach protocols.
When you outsource medical billing, you are handing a third party your patients' most sensitive data — names, Social Security numbers, diagnoses, treatments, and insurance information. HIPAA requires that any company handling this data meets specific security, privacy, and breach notification standards. Yet many practices select billing partners based solely on cost and collections performance, without verifying compliance.
That is a mistake that can cost millions. HIPAA penalties range from $100 to $50,000 per violation, and the provider is liable for choosing a non-compliant billing partner. This guide covers exactly what your medical billing partner must have to meet HIPAA requirements.
A Business Associate Agreement (BAA) is the legal foundation of any relationship where PHI is shared. Under HIPAA, a medical billing company is a business associate — period. No BAA, no PHI sharing. If your billing company has not signed a BAA, you are already in violation.
A compliant BAA must include: permitted and required uses and disclosures of PHI, the requirement to implement appropriate administrative, physical, and technical safeguards, mandatory reporting of security incidents and breaches, requirements that subcontractors agree to the same restrictions, the provider's right to terminate the agreement for HIPAA violations, and requirements for return or destruction of PHI upon contract termination.
Review the BAA carefully. Some billing companies use generic or outdated BAA templates that miss required elements. Have your compliance officer or healthcare attorney review the BAA before signing.
All PHI must be encrypted both in transit and at rest. In transit means that data moving between your practice and the billing company — claims, patient records, reports — must be transmitted over encrypted channels (TLS 1.2 or higher for web-based connections, encrypted VPN for network connections). At rest means that PHI stored on the billing company's servers, workstations, and backup media must be encrypted using AES-256 or equivalent.
The billing company must implement role-based access controls (RBAC) that limit PHI access to only those employees who need it for their specific job function. A payment poster does not need access to clinical notes. A coder does not need access to financial reports. Ask the billing company to describe their access control model — if the answer is "everyone has access to everything," that is a serious red flag.
HIPAA requires audit logs that track who accessed PHI, when, and what they did with it. The billing company must maintain detailed audit trails for all system access, with regular review of access logs for unauthorized or unusual activity. Ask how long audit logs are retained (minimum 6 years per HIPAA) and who reviews them.
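As an added illustration (not code from this page or from Revenue Synergy), the snippet below shows what the "regular review of access logs" asked for above can look like when it is driven by the role-based access matrix from the previous section: it reads a constructed audit log and flags a payment poster reading clinical notes, a coder reading financial reports, off-hours access, and a user touching an unusual number of records. The log format, role names, thresholds and sample lines are all assumptions built for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed least-privilege matrix: PHI categories each job function may touch.
ROLE_PERMISSIONS = {
    "payment_poster": {"claims", "remittances"},
    "coder": {"claims", "clinical_notes"},
    "ar_specialist": {"claims", "financial_reports"},
}
BUSINESS_HOURS = range(7, 19)  # reads outside 07:00-18:59 are flagged as unusual
BULK_THRESHOLD = 3             # distinct records per user per review window
# Constructed line format; real systems differ, but carry the same who/when/what fields.
LOG_LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                      r"action=(?P<action>\S+) resource=(?P<resource>\S+) record=(?P<record>\S+)$")

def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:  # a log that cannot be parsed cannot be reviewed, so fail loudly
        raise ValueError(f"unparseable audit line: {line!r}")
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry

def review_audit_log(lines):
    """Return (kind, user, detail) findings: role mismatches, off-hours reads, bulk access."""
    findings, records_per_user = [], defaultdict(set)
    for e in map(parse_line, lines):
        # An unknown role has no allowed resources, so it always violates policy.
        if e["resource"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append(("policy_violation", e["user"],
                             f"{e['role']} {e['action']} {e['resource']} {e['record']}"))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["user"], e["ts"].isoformat()))
        records_per_user[e["user"]].add(e["record"])
    for user, recs in records_per_user.items():
        if len(recs) >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(recs)} distinct records"))
    return findings

# Constructed sample log for one review window.
SAMPLE_LOG = [
    "2024-03-04T09:01:12 user=jdoe role=payment_poster action=read resource=remittances record=R-1001",
    "2024-03-04T09:02:40 user=jdoe role=payment_poster action=read resource=clinical_notes record=P-2210",
    "2024-03-04T09:05:03 user=asmith role=coder action=read resource=financial_reports record=F-0077",
    "2024-03-04T23:40:00 user=bwong role=ar_specialist action=read resource=claims record=C-3001",
    "2024-03-04T23:41:00 user=bwong role=ar_specialist action=read resource=claims record=C-3002",
    "2024-03-04T23:42:00 user=bwong role=ar_specialist action=read resource=claims record=C-3003",
]
```

Running `review_audit_log(SAMPLE_LOG)` yields two policy violations, three off-hours reads and one bulk-access finding; a real review would also compare the findings against the retention period and the named reviewer the page tells you to ask about.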
All remote access to systems containing PHI should require multi-factor authentication (MFA). Single-factor authentication (password only) is insufficient for healthcare data. MFA combines something the user knows (password) with something they have (phone, token) or something they are (biometric). If the billing company's employees can access your patient data with just a username and password, the system is not adequately secured.
Every billing company employee who handles PHI must receive HIPAA training at onboarding and annually thereafter. Training should cover PHI handling procedures, breach identification and reporting, social engineering and phishing awareness, physical security requirements, and incident response procedures. Ask the billing company for their training program documentation and completion records.
HIPAA requires a documented risk assessment that identifies threats to PHI confidentiality, integrity, and availability. This assessment must be conducted regularly (annually is standard) and updated when significant changes occur — new systems, new office locations, new third-party vendors. Ask for the most recent risk assessment summary and the corrective action plan for any identified risks.
The billing company must have a documented incident response plan that covers breach identification, containment, investigation, notification, and remediation. Under HIPAA, breaches affecting 500 or more individuals must be reported to HHS and the media within 60 days. Smaller breaches must be reported to HHS annually. Your BAA should specify the billing company's obligation to notify you of any breach or security incident involving your patients' PHI — ideally within 24-48 hours of discovery.
Physical security is often overlooked in billing company evaluations, but it matters — especially for companies with offshore operations. Key requirements include facility access controls (badge access, visitor logs, security cameras), workstation security (locked screens, privacy filters, clean desk policies), device controls (encrypted laptops, prohibited use of removable media like USB drives), and secure disposal of PHI (shredding, degaussing, or certified data destruction for electronic media).
If the billing company has offshore operations, verify that the offshore facility meets the same physical security standards as the U.S. operations. HIPAA applies to PHI regardless of where it is processed or stored.
Red flags to watch for: No signed BAA before PHI sharing, inability to provide security documentation when requested, no named HIPAA Security Officer, offshore operations without documented security standards, use of consumer-grade tools (Gmail, Dropbox) for PHI transmission, and no documented incident response plan. Any of these should disqualify a billing company from consideration.
Before signing with any billing company, verify the following:
HIPAA compliance is not a nice-to-have — it is a legal requirement that carries severe financial and reputational penalties for violations. When you outsource billing, you extend your compliance perimeter to include the billing company and all of its systems, employees, and subcontractors. The cheapest billing company is not a bargain if it exposes your practice to a data breach.
Evaluate billing partners on their security posture with the same rigor you apply to their billing performance. Your patients' data — and your practice's financial viability — depend on it.
Need a HIPAA-compliant billing partner? Revenue Synergy maintains HIPAA, ISO 27001, and HITRUST-aligned security with annual third-party audits. Schedule a free consultation to review our compliance documentation and discuss your billing needs.