HIPAA Checklist: Determine Covered Entity Status for Medical Billing Companies

Kevin Henry

HIPAA

January 20, 2025

7 minute read

Covered Entity Definition

A covered entity under HIPAA is one of three types: a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with Standard HIPAA Transactions. In practical terms, if you originate or submit Electronic Data Interchange (EDI) transactions for your own health plan or provider operations, you are likely a covered entity.

Standard HIPAA Transactions commonly include: claims (837), eligibility inquiries and responses (270/271), claim status (276/277), remittance advice (835), referrals/authorizations (278), enrollment/disenrollment (834), premium payments (820), and coordination-of-benefits. These transactions contain Protected Health Information (PHI) and trigger Privacy Rule compliance, Security Rule safeguards, and the Breach Notification Rule.

Healthcare Clearinghouses Role

Healthcare clearinghouses convert nonstandard health data into standard formats, and vice versa, to enable compliant EDI between providers and health plans. Because they transform, validate, and route Standard HIPAA Transactions, clearinghouses are themselves covered entities, even when they serve other organizations.

If your organization translates file formats, maps code sets, edits transactions, and brokers EDI connectivity for multiple trading partners, you are performing clearinghouse functions. That role requires full Privacy Rule compliance, implementation of appropriate Security Rule safeguards for ePHI, and adherence to Breach Notification Rule obligations.

Medical Billing Companies and HIPAA

Most medical billing companies act as business associates, not covered entities. You perform services—coding, claim preparation, accounts receivable, EDI submission—on behalf of providers or plans and handle PHI under a Business Associate Agreement (BAA). Your permitted uses and disclosures of PHI are limited to what your BAA and the Privacy Rule allow.

A billing company can become a covered entity when it performs healthcare clearinghouse functions for others (for example, translating and routing EDI for multiple clients) or when it operates as a provider or health plan. Evaluate your service model carefully: submitting transactions solely on behalf of clients does not by itself make you a covered entity, but transforming transactions for the marketplace generally does.

Business Associate vs Covered Entity

A covered entity determines the purposes for collecting and using PHI in its own operations as a plan, clearinghouse, or provider engaged in Standard HIPAA Transactions. A business associate performs functions or services involving PHI for a covered entity and may only use or disclose PHI as permitted by the BAA and Privacy Rule.

Key differences: covered entities must provide patient rights (access, amendments, accounting) and, for providers, a Notice of Privacy Practices. Business associates must implement Security Rule safeguards, follow minimum necessary, and support the covered entity with Privacy Rule requests as required by contract. Both must assess incidents and follow the Breach Notification Rule, with business associates notifying the covered entity promptly.

Compliance Requirements for Billing Companies

Privacy Rule compliance: establish policies that limit uses/disclosures to what the BAA permits; apply the minimum necessary standard; train your workforce; maintain sanctions for violations; and document processes for access, amendments, and accounting of disclosures when your BAA requires your assistance.

Security Rule safeguards: perform a documented risk analysis; implement risk management plans; control access (unique IDs, least privilege, MFA); encrypt ePHI in transit and at rest; maintain audit logs and monitoring; secure endpoints and mobile media; apply patching and vulnerability management; protect facilities and devices; and maintain contingency plans, backups, and disaster recovery.

Breach Notification Rule: define incident response workflows; conduct risk-of-compromise assessments; preserve evidence; and notify covered entities within contractual timelines so they can meet regulatory deadlines. Keep decision logs and remediation records.

EDI practices: use secure transport (e.g., AS2, SFTP with strong ciphers), trading partner agreements, and validation to reduce rejections; segregate environments; avoid unnecessary PHI in transaction notes; and routinely validate X12 transactions for compliance and data minimization.
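The "validate X12 transactions for compliance and data minimization" control above is easiest to see in code. The following is an added example, not part of the original article or any product it describes: it splits a constructed X12 interchange into segments, maps each ST01 transaction set ID to the Standard HIPAA Transactions listed earlier in this article, and flags free-text NTE/MSG segments that carry identifier-like values which should not be in transaction notes. It assumes the common `*` element and `~` segment delimiters, and the detection patterns are illustrative placeholders to be tuned to your own policy.

```python
import re

# Standard HIPAA Transactions named in this article, keyed by X12 transaction set ID (ST01).
STANDARD_TRANSACTIONS = {
    "837": "claim", "270": "eligibility inquiry", "271": "eligibility response",
    "276": "claim status request", "277": "claim status response",
    "835": "remittance advice", "278": "referral/authorization",
    "834": "enrollment/disenrollment", "820": "premium payment",
}

# Free-text segments where unnecessary PHI tends to creep in (data minimization check).
FREE_TEXT_SEGMENTS = {"NTE", "MSG"}

# Illustrative patterns (assumption, not an official rule set): identifiers that rarely belong in notes.
SUSPECT_PATTERNS = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob-like": re.compile(r"\b(?:19|20)\d{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01])\b"),
}

def parse_segments(x12: str, seg_term: str = "~", elem_sep: str = "*"):
    """Split an interchange into (segment_id, elements) pairs; assumes ~ and * delimiters."""
    segments = []
    for raw in x12.split(seg_term):
        raw = raw.strip()
        if raw:
            seg_id, *elems = raw.split(elem_sep)
            segments.append((seg_id, elems))
    return segments

def review_interchange(x12: str):
    """Identify transaction sets and report identifier-like values found in free-text segments."""
    tx_sets, findings, current = [], [], None
    for seg_id, elems in parse_segments(x12):
        if seg_id == "ST":
            current = elems[0] if elems else None
            tx_sets.append((current, STANDARD_TRANSACTIONS.get(current, "non-standard")))
        elif seg_id in FREE_TEXT_SEGMENTS:
            text = " ".join(elems)
            for name, pattern in SUSPECT_PATTERNS.items():
                if pattern.search(text):
                    findings.append((current, seg_id, name))
    return {"transaction_sets": tx_sets, "findings": findings}

# Constructed sample 837 interchange with a note segment that carries avoidable PHI.
SAMPLE_837 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     *250120*1200*^*00501*000000001*0*T*:~"
    "GS*HC*SENDERID*RECEIVERID*20250120*1200*1*X*005010X222A1~"
    "ST*837*0001*005010X222A1~BHT*0019*00*123*20250120*1200*CH~"
    "NM1*IL*1*DOE*JANE****MI*MEMBER123~"
    "NTE*ADD*PATIENT SSN 123-45-6789 DOB 19800101 PER PHONE CALL~"
    "SE*5*0001~GE*1*1~IEA*1*000000001~"
)
```

Running `review_interchange(SAMPLE_837)` reports one 837 claim and two findings on its NTE segment; a clean file returns an empty findings list, which makes the function usable as a pre-submission gate.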

Business Associate Agreements

Your BAA should clearly state permitted uses and disclosures; require Security Rule safeguards; mandate prompt reporting of incidents and breaches; and flow down the same obligations to subcontractors. It should address access to PHI to support requests, amendments, and accounting of disclosures; require return or destruction of PHI at termination; and allow audits or assessments.

Well-drafted BAAs also define breach/reporting timelines, data retention and disposal, de-identification where appropriate, EDI-specific responsibilities, cooperation during investigations, and termination rights if a material breach occurs. Keep executed BAAs and amendments organized and accessible for audits.

Steps to Assess Covered Entity Status

Step 1: Map your services

  • List every function you perform (coding, claim submission, EDI translation, clearing, patient statements, payment posting, analytics).
  • Identify where PHI is created, received, maintained, or transmitted.

Step 2: Identify who decides the purpose of PHI use

  • If you decide purposes as a plan, provider, or clearinghouse for your own operations, you likely are a covered entity.
  • If you act on behalf of a provider or plan under contract, you are generally a business associate.

Step 3: Check for clearinghouse functions

  • Do you transform nonstandard data into Standard HIPAA Transactions (or the reverse) for multiple parties? Do you validate, edit, and route EDI between trading partners? If yes, you are operating as a healthcare clearinghouse and therefore a covered entity for those functions.

Step 4: Review EDI participation

  • Confirm whether you originate transactions for your own operations versus submitting on behalf of clients. Originating for yourself indicates covered entity activity; submitting for clients aligns with business associate status.

Step 5: Determine organizational structure

  • Consider whether a hybrid-entity designation applies if you have both clearinghouse (covered) and pure billing (business associate) components. Ensure proper separation and documentation.

Step 6: Validate contractual posture

  • Inventory BAAs with clients and subcontractors; ensure “flow-down” obligations; and align your policies, procedures, and training accordingly.

Step 7: Document and revisit

  • Write a short determination memo explaining your status, rationale, and evidence. Reassess when services, systems, or EDI roles change.

Conclusion

Use this HIPAA checklist to determine whether your medical billing company is a covered entity (typically only when acting as a healthcare clearinghouse) or a business associate supporting providers or plans. Align Privacy Rule compliance, Security Rule safeguards, and Breach Notification Rule processes to your role, and keep BAAs, EDI controls, and documentation current as your services evolve.

FAQs

Is a medical billing company always a covered entity under HIPAA?

No. Most billing companies are business associates because they handle PHI on behalf of covered entities. A billing company becomes a covered entity when it performs healthcare clearinghouse functions or operates as a provider or health plan.

What distinguishes a business associate from a covered entity?

A covered entity (health plan, clearinghouse, or provider) uses PHI for its own operations and engages in Standard HIPAA Transactions. A business associate uses PHI only to perform services for a covered entity under a Business Associate Agreement (BAA) and must follow the Privacy Rule and Security Rule as the agreement and HIPAA require.

How can medical billing companies ensure HIPAA compliance?

Implement Privacy Rule policies (minimum necessary and workforce training), apply Security Rule safeguards (risk analysis, encryption, access controls, logging, backups), maintain incident response for the Breach Notification Rule, harden EDI workflows, and execute BAAs with clients and subcontractors that reflect your actual services.

What are the consequences of non-compliance for medical billing companies?

Consequences can include civil monetary penalties, corrective action plans, litigation exposure, regulatory investigations, contract termination, and reputational harm. Strong governance, documented safeguards, and timely breach response substantially reduce risk.
