Covered Entity vs Business Associate: HIPAA Guide for Billing Companies


Kevin Henry

HIPAA

January 20, 2025

6 minute read

Defining Covered Entities

Under HIPAA, covered entities are health plans, health care clearinghouses, and health care providers that transmit health information electronically for standard transactions. These organizations create, receive, maintain, or transmit Protected Health Information (PHI) as part of routine operations.

Covered entities drive the permissible uses and disclosures of PHI. They determine the minimum necessary standards, issue Notices of Privacy Practices, and remain accountable for ensuring that their vendors and partners handle PHI appropriately.

Understanding Business Associates

A business associate is any person or organization that performs services for or on behalf of a covered entity and requires access to PHI to do so. Medical billing companies typically function as business associates because they use PHI to submit claims, post payments, and manage revenue cycle tasks.

As a business associate, you must comply with applicable HIPAA Privacy and Security Rule requirements and the HITECH Act. Your obligations include implementing safeguards, reporting incidents, and ensuring downstream vendors protect PHI to the same standard.

Business Associate Agreements

A Business Associate Agreement (BAA) is a contract that must be in place before a covered entity shares PHI with you. The BAA defines permitted uses and disclosures, establishes required safeguards, and sets reporting and cooperation duties.

  • Permitted use/disclosure: How you may use PHI and when disclosure is allowed.
  • Safeguards: Commitment to Administrative, Technical, and Physical Safeguards to protect PHI and ePHI.
  • Reporting: Prompt notice of security incidents and Breach Notification duties.
  • Individual rights support: Assistance with access, amendment, and accounting of disclosures.
  • Subcontractors: Flow-down BAA requirements to any subcontractor with PHI access.
  • Termination: Return or secure destruction of PHI and continuity steps if destruction is infeasible.

HIPAA Compliance Requirements

Billing companies must operationalize HIPAA requirements through documented policies, workforce training, and demonstrable controls. A current risk analysis and risk management plan anchor your compliance program and guide resource allocation.

Administrative Safeguards

  • Risk analysis and ongoing risk management tailored to your systems and data flows.
  • Workforce training, role-based access, and sanction procedures for violations.
  • Vendor management, BAAs, and due diligence over subcontractors handling PHI.
  • Contingency planning, including backups, disaster recovery, and incident response.

Technical Safeguards

  • Access controls with unique user IDs, strong authentication, and automatic logoff.
  • Encryption in transit and at rest where feasible to reduce breach risk.
  • Audit controls to log, monitor, and review access and activity in systems containing ePHI.
  • Integrity protections to prevent improper alteration or destruction of ePHI.

Physical Safeguards

  • Facility access controls and visitor management for secure areas.
  • Workstation and device security, including screen privacy and secure storage.
  • Media controls for the movement, reuse, and disposal of devices holding ePHI.

Breach Notification

You must investigate potential incidents, perform a risk assessment, and notify the covered entity without unreasonable delay and within required timeframes. Your BAA may set a shorter reporting window, so align your incident response plan accordingly.

Responsibilities of Billing Companies

As a billing company, you may use PHI only for permitted purposes such as claims submission, payment posting, appeals, and related health care operations. Apply the minimum necessary standard to limit access and disclosures to what the task requires.

Maintain accurate data handling procedures: verify payer identifiers, reduce over-collection of PHI, and segregate test or training data. Implement quality controls for coding and charge capture to minimize rework and avoid unnecessary exposure of PHI.

Establish an incident response process, document investigations, and mitigate any harmful effects. Support individual rights by helping covered entities provide access to PHI, amendments, and accounting of disclosures when requested.

Demonstrate accountability through written policies, routine audits, workforce training, and leadership oversight. Designate privacy and security leads who can coordinate with covered entities and regulators when needed.

Subcontractor Considerations

Any subcontractor that creates, receives, maintains, or transmits PHI on your behalf is also a business associate. You must execute BAAs with these partners and flow down all HIPAA and HITECH Act requirements.

Perform due diligence before onboarding vendors: assess security posture, data location, access methods, and incident history. Monitor performance with audits, attestations, or reports, and enforce corrective actions or termination if obligations are not met.

Direct Liability Under HITECH Act

The HITECH Act established direct liability for business associates. You can face enforcement for impermissible uses or disclosures of PHI, failure to implement Security Rule safeguards, failure to enter required BAAs with subcontractors, and failure to provide timely Breach Notification.

Additional areas of liability include not providing access to PHI when supporting a covered entity and not maintaining required documentation. Penalties scale with the level of culpability and can be substantial, making proactive compliance and thorough documentation essential.

In practice, you reduce risk by maintaining current risk analyses, testing controls, training your workforce, and validating subcontractor compliance. Treat your BAA obligations as operational requirements, not just legal terms.

FAQs

Is a medical billing company considered a covered entity under HIPAA?

No. A medical billing company is typically a business associate because it performs services for a covered entity and needs PHI to do so. It must comply with HIPAA and HITECH requirements applicable to business associates and the terms of its Business Associate Agreement.

What are the HIPAA responsibilities of a medical billing company?

You must implement Administrative, Technical, and Physical Safeguards; use or disclose only the minimum necessary PHI; report incidents and potential breaches promptly; support individual rights requests through the covered entity; maintain required documentation; and ensure subcontractors sign BAAs and meet the same standards.

When is a business associate agreement required?

A BAA is required before a covered entity shares PHI with a vendor or partner that will create, receive, maintain, or transmit PHI to perform services. It is also required between a billing company and any subcontractor that handles PHI on its behalf.

What penalties apply for HIPAA violations by billing companies?

Business associates can face civil monetary penalties that scale by violation tier and are adjusted for inflation, as well as corrective action plans and costly settlements. In cases of willful misuse or certain criminal conduct, criminal penalties, including fines and potential imprisonment, may apply.
