Medical Billing Company: Covered Entity or Business Associate Under HIPAA?
A medical billing company’s HIPAA status turns on what it does with protected health information (PHI). In most arrangements, a third‑party billing vendor functions as a business associate because it performs claims processing and other practice management tasks on behalf of a covered entity. A company qualifies as a covered entity only when it performs its own covered functions, such as operating as a health care clearinghouse.
Medical Billing Company Classification
In typical scenarios, your medical billing vendor is a business associate. It creates, receives, maintains, or transmits PHI to submit claims, post payments, manage denials, or perform revenue cycle reporting. Because these activities are on behalf of a provider or health plan, HIPAA treats the vendor as a business associate rather than a covered entity.
Two notable edge cases can change the label. First, if the billing operation is part of your organization’s workforce (employees within the same legal entity), it is not a business associate; it is simply you, the covered entity, performing billing in-house. Second, if the billing company also acts as a health care clearinghouse—translating nonstandard data to HIPAA-standard transactions—it may be a covered entity for that clearinghouse function.
Definition of Business Associate
A business associate is any person or organization that performs functions or provides services for a covered entity that involve PHI. If a company will create, receive, maintain, or transmit PHI for regulated activities—such as claims processing, utilization review, or practice management—it meets the business associate definition.
Business associates must comply with the HIPAA Security Rule and applicable Privacy Rule provisions. They must implement administrative, physical, and technical safeguards; limit uses and disclosures to what the contract permits; and support rights like access and amendment when the function requires it.
Examples of Business Associate Functions
- Claims processing, billing, coding, and payment posting.
- Practice management services, including scheduling, eligibility checks, and denials management.
- Utilization review, prior authorization support, and medical necessity audits on behalf of a provider or plan.
- Revenue cycle analytics, data aggregation, and reporting using PHI.
- Hosting or maintaining ePHI systems (e.g., billing software, cloud storage, data backup) for a covered entity.
- Clearinghouse-like services that translate or route transactions. Note that an entity operating as a health care clearinghouse is itself a covered entity for that function, and it may simultaneously be a business associate for the other services it provides.
Business Associate Agreement Requirement
When you disclose PHI to an outside organization for business associate functions, you must have a written Business Associate Agreement (BAA). The BAA documents “satisfactory assurances” that the vendor will safeguard PHI and use it only as permitted.
What a BAA must address
- Permitted and required uses/disclosures of PHI and minimum necessary standards.
- Safeguards under the Security Rule, risk management, and workforce training.
- Breach reporting, incident response, and cooperation with investigations.
- Subcontractor flow-down—any subcontractor that handles PHI must sign a BAA with the business associate.
- Patient rights support when applicable (access, amendment, accounting of disclosures).
- Return or destruction of PHI at termination, where feasible, and retention obligations.
- Compliance monitoring and documentation retention to evidence satisfactory assurances.
When a BAA is not required
- In-house workforce performing billing within the same legal entity.
- Services that do not involve PHI (e.g., generic consulting without access to PHI).
- Mere conduits that merely transport information without persistent storage (e.g., postal services). Billing companies do not fit this exception because they maintain and process PHI to perform their services.
In-House vs Outsourced Billing
In-house billing
If you keep billing inside your organization, those staff are your workforce, not a business associate. You remain responsible for HIPAA compliance, including role-based access, secure systems, and policies for claims processing and practice management.
Outsourced billing
When you outsource billing, the vendor becomes a business associate. Execute a BAA before sharing PHI, confirm technical safeguards (encryption, access controls, audit logs), and ensure subcontractors handling PHI also have BAAs. Map data flows, apply the minimum necessary standard, and verify breach notification timelines in the contract.
Covered Entity Definition
Covered entities under HIPAA include health plans, health care providers who transmit health information electronically in connection with HIPAA standard transactions, and health care clearinghouses. If a company performs covered functions in its own right—such as operating as a clearinghouse—it is a covered entity for that role.
Most medical billing companies do not meet this definition because they perform services on behalf of another covered entity. Their access to PHI is derivative, which places them in the business associate category.
Dual Role of Covered Entities
A single organization can wear multiple hats. For example, a hospital (a covered entity) that offers billing or utilization review services to independent practices functions as a business associate to those clients. Likewise, an entity operating a clearinghouse component may be a covered entity for that function while simultaneously acting as a business associate for other services.
In such cases, use role-based separation or a hybrid entity designation, and put BAAs in place where services for another entity involve PHI. The goal is to maintain clear boundaries and satisfactory assurances regardless of which hat the organization wears.
Conclusion
Bottom line: a medical billing company is usually a business associate because it handles PHI for claims processing and practice management on behalf of a covered entity. It becomes a covered entity only when performing its own covered functions—most commonly as a health care clearinghouse. Align contracts, safeguards, and workflows with the correct role to stay HIPAA-compliant.
FAQs
Is a medical billing company considered a covered entity under HIPAA?
Generally no. A medical billing company typically acts as a business associate because it uses PHI to perform services for a covered entity. It would be a covered entity only if it performs covered functions itself, such as operating as a health care clearinghouse.
What functions classify a company as a business associate?
Any function involving the creation, receipt, maintenance, or transmission of PHI on behalf of a covered entity—such as claims processing, practice management, utilization review, data analysis, or hosting ePHI systems—classifies the company as a business associate.
When is a business associate agreement required?
A BAA is required whenever a covered entity shares PHI with an outside organization to perform business associate functions, and when a business associate uses subcontractors that handle PHI. The BAA provides satisfactory assurances that PHI will be safeguarded and used only as permitted.
Can a covered entity also act as a business associate?
Yes. A covered entity can serve as a business associate when it provides services involving PHI to another covered entity—for example, a hospital performing billing for an independent clinic or a clearinghouse also offering other services. In those relationships, BAAs and role-based separation are still required.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.