Do Accountants Need to Be HIPAA Compliant? A Beginner’s Guide for CPAs and Bookkeepers
HIPAA Compliance for Accountants
If you work with healthcare clients, you may handle Protected Health Information (PHI) while reconciling patient receivables, processing Explanation of Benefits (EOB) statements, or reviewing claims reports. When you create, receive, maintain, or transmit PHI for a healthcare client, you are a Business Associate under HIPAA and must comply with the Privacy Rule, Security Rule, and Breach Notification Standards.
Accountants employed directly by a medical practice are part of the practice’s workforce and follow the client’s policies. Independent CPAs and bookkeeping firms that access PHI—even incidentally through electronic systems—are Business Associates and need written Business Associate Agreements (BAAs) before work begins.
What counts as PHI?
- Any individually identifiable health information tied to a person (names, addresses, dates, account numbers) that relates to care or payment for care.
- Paper and electronic forms (ePHI), including billing exports, remittance files, and patient statements.
- De-identified data is not PHI; if you can re-identify a person, treat it as PHI.
Core HIPAA rules at a glance
- Privacy Rule: Use or disclose only what’s permitted and apply the minimum necessary standard.
- Security Rule: Safeguard ePHI with administrative, physical, and technical controls.
- Breach Notification Standards: Report suspected breaches promptly and cooperate with client notifications.
Role of Accountants in HIPAA Compliance
Your role is to protect PHI while delivering accounting services to Covered Entities and other Business Associates. That means, as a Business Associate under HIPAA, designing processes that limit PHI exposure and documenting how you secure any PHI you must handle.
Practical duties for Business Associates
- Perform a documented risk analysis and implement risk management plans for systems that store or access ePHI.
- Limit access via unique user IDs, role-based permissions, and multi-factor authentication.
- Encrypt ePHI in transit and at rest, maintain audit logs, and use secure transfer methods.
- Apply the minimum necessary standard to work papers and exports; redact or de-identify when feasible.
- Manage subcontractors (e.g., cloud or IT providers) with BAAs and verify their safeguards.
- Retain only required records, then securely dispose of PHI with approved destruction methods.
Lifecycle controls to keep PHI safe
- Intake: Collect only the fields you need for accounting and tax work.
- Processing: Keep PHI out of general-purpose tools and chat platforms; use approved secure systems.
- Storage: Segregate healthcare data, enforce device encryption, and back up securely.
- Transmission: Use encrypted portals or SFTP, not regular email, for PHI.
- Disposition: Follow retention schedules and document destruction.
Business Associate Agreements for Accountants
A BAA is required when your services for a client involve PHI. It defines how you may use or disclose PHI, the safeguards you must maintain, and what happens if a breach occurs. You also need BAAs with your own subcontractors who touch PHI.
When you need a BAA
- Bookkeeping, AR support, or revenue cycle work that references patient identifiers.
- Hosting or maintaining systems that store billing exports or remittance data.
- Data conversion, backups, or analytics using non-de-identified health payment data.
Essential clauses to include
- Permitted uses/disclosures and the minimum necessary requirement.
- Security Rule obligations, including risk management and subcontractor oversight.
- Breach Notification Standards: timelines, cooperation duties, and incident response.
- Return or destruction of PHI at termination and continued protections if destruction isn’t feasible.
- Right of the Covered Entity to audit or request compliance documentation.
Common pitfalls
- Relying on email alone for PHI transfer without encryption.
- Letting third-party IT or cloud tools access PHI without a BAA.
- Storing patient details inside accounting notes when a reference number would suffice.
HIPAA Training Requirements
Business Associates must train their workforce on HIPAA-relevant policies and security awareness. Training should be role-based, documented, and refreshed at hire and periodically thereafter (and whenever policies or systems change).
What to cover
- Recognizing PHI, the minimum necessary standard, and acceptable uses/disclosures.
- Password hygiene, multi-factor authentication, device security, and phishing awareness.
- Secure file transfer, encryption practices, and avoiding shadow IT.
- Incident reporting: how to escalate suspected breaches or unauthorized access quickly.
- Data retention, secure disposal, and working securely when remote.
Proof of compliance
- Keep training rosters, materials, completion dates, and acknowledgments.
- Log security reminders and tabletop exercises to demonstrate ongoing awareness.
Penalties for HIPAA Violations
Enforcement actions can include civil monetary penalties based on the level of culpability, corrective action plans, and public resolution agreements. Business Associates are directly liable for many Privacy Rule provisions and all Security Rule safeguards.
What violations look like in accounting
- Sending patient spreadsheets through unencrypted email or storing them in unsecured drives.
- Sharing logins across staff, disabling audit trails, or ignoring access reviews.
- Delaying breach reporting after discovering a loss or unauthorized disclosure.
Consequences to expect
- Tiered civil penalties per violation with annual caps, adjusted for inflation.
- Potential criminal liability for knowingly obtaining or disclosing PHI under false pretenses or for gain.
- Contract termination, litigation under state laws, reputational damage, and lost client trust.
HIPAA-Compliant Accounting Software
No software is “certified HIPAA compliant” by the government. Compliance depends on your configuration, your processes, and whether the vendor signs a BAA and meets Security Rule expectations.
Capabilities to require
- BAA from the vendor and any integrated subcontractors that may access ePHI.
- Encryption at rest and in transit, strong authentication, and granular role-based access.
- Comprehensive audit logs, immutable history, and easy export for investigations.
- Data retention controls, secure backups, and documented incident response.
Configuration tips
- Keep PHI out of free-text notes; use patient IDs rather than names whenever possible.
- Disable risky integrations and restrict API scopes to the minimum necessary.
- Segment healthcare books or tenants, enforce device encryption, and require MFA.
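As an added example (not code from the original page or from Accountable), a small Python routine that applies the advice above, namely a reference number instead of patient details and no PHI in free-text notes, to a constructed remittance export: it copies only the accounting columns, replaces the account number with a keyed pseudonym so receivables still reconcile, and flags notes that look like they carry identifiers. The field names, the demo key, and the regex patterns are assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample rows from a remittance export (fictitious, not real patient data).
SAMPLE_ROWS = [
    {"patient_name": "Jane Example", "dob": "1980-04-12", "account_no": "ACC-1001",
     "service_date": "2024-02-03", "amount": 125.50, "notes": "Copay collected"},
    {"patient_name": "John Sample", "dob": "1975-11-30", "account_no": "ACC-1002",
     "service_date": "2024-02-04", "amount": 300.00, "notes": "DOB 11/30/1975, balance due"},
]
# Minimum necessary: the only columns the AR reconciliation needs (assumed field names).
ACCOUNTING_FIELDS = ("service_date", "amount")
# Assumed patterns that suggest identifiers leaked into free-text notes.
PHI_NOTE_PATTERNS = [re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),   # US-style date such as a DOB
                     re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-shaped number
                     re.compile(r"\bDOB\b", re.IGNORECASE)]       # literal DOB label

def reference_id(account_no: str, key: bytes) -> str:
    """Keyed pseudonym: stable so receivables reconcile, not reversible without the key."""
    digest = hmac.new(key, account_no.encode("utf-8"), hashlib.sha256).hexdigest()
    return "REF-" + digest[:12]

def flag_phi_in_notes(notes: str) -> list:
    """Return the patterns that matched; an empty list means the note looks clean."""
    return [p.pattern for p in PHI_NOTE_PATTERNS if p.search(notes)]

def minimize_row(row: dict, key: bytes) -> dict:
    """Accounting view of one row: pseudonymous ref, needed fields, notes only if clean."""
    out = {"ref": reference_id(row["account_no"], key)}
    for field in ACCOUNTING_FIELDS:
        out[field] = row[field]
    # Name and DOB columns are never copied; flagged notes are replaced for manual review.
    notes = row.get("notes", "")
    out["notes"] = "[redacted: review]" if flag_phi_in_notes(notes) else notes
    return out

def minimize_export(rows: list, key: bytes):
    """Minimize every row; return (clean_rows, [(row_index, matched_patterns), ...])."""
    clean, flagged = [], []
    for idx, row in enumerate(rows):
        hits = flag_phi_in_notes(row.get("notes", ""))
        if hits:
            flagged.append((idx, hits))
        clean.append(minimize_row(row, key))
    return clean, flagged
```

The key used for the pseudonym should be held by the client or in a separate secured store, not in the work papers, so the reference cannot be mapped back to a patient from the accounting file alone.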
Considerations of Stark Law in Accounting
Stark Law prohibits physician self-referrals for designated health services paid by federal programs unless an exception applies. It is a strict liability statute, so accountants help clients avoid technical violations through sound documentation and controls, which is the core of Stark Law compliance.
How accountants support Stark compliance
- Validate written agreements, terms set in advance, and fair market value compensation.
- Ensure arrangements are commercially reasonable and not tied to the volume or value of referrals.
- Track leases, personal services arrangements, time logs, and board approvals.
Intersection with HIPAA
- When reviewing referral patterns or compensation, apply the minimum necessary standard to any PHI.
- Use de-identified datasets where possible and protect ePHI with Security Rule safeguards.
- Document access rationales and retain only what compliance testing requires.
Key takeaways
- If you handle PHI for healthcare clients, you are a Business Associate and must follow the Privacy Rule, Security Rule, and Breach Notification Standards.
- Put BAAs in place, train your team, minimize PHI in accounting workflows, and harden your systems.
- Support Stark Law compliance with robust documentation while safeguarding PHI at every step.
FAQs
What is HIPAA compliance for accountants?
It means implementing policies, safeguards, and practices that protect PHI while you deliver accounting services to Covered Entities or other Business Associates. You observe the Privacy Rule’s minimum necessary standard, apply Security Rule controls to ePHI, and follow Breach Notification Standards if an incident occurs.
When do accountants need to sign a Business Associate Agreement?
Sign a BAA before you create, receive, maintain, or transmit PHI on behalf of a healthcare client (or another vendor working for that client). If subcontractors or cloud tools can access that PHI, they also need BAAs and must meet comparable safeguards.
What training is necessary for HIPAA compliance?
Provide role-based HIPAA and security awareness training at onboarding and periodically thereafter, with refreshers whenever policies or technology change. Cover recognizing PHI, minimum necessary, secure handling, incident reporting, phishing, authentication, device security, retention, and secure disposal—and keep records of completion.
What are the penalties for violating HIPAA as an accountant?
Penalties range from corrective action plans and tiered civil monetary fines to, in egregious cases, criminal liability. You may also face contract termination, state-level claims, and reputational harm. Prompt reporting, remediation, and strong preventive controls reduce exposure.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.