HIPAA Business Associate Agreement for Medical Billing Companies
By BAA Generator Editorial · Updated Apr 19, 2026 · 6 min read
Key Takeaways
- ✓ Medical billing companies are HIPAA business associates — BAAs are required with every provider client
- ✓ The BAA must be executed before any patient claims data is shared
- ✓ Billing companies must also obtain BAAs from their own subcontractors (clearinghouses, coders)
- ✓ Either party can generate and send the BAA — BAA Generator works for both sides
- ✓ BAA obligations include breach notification, safeguards, and PHI destruction at termination
Medical billing is one of the most heavily scrutinized vendor relationships in HIPAA compliance. Billing companies receive patient names, dates of service, diagnosis codes, insurance IDs, and procedure codes — the full set of information needed to submit a claim. Every one of those data elements is protected health information. Every covered entity client of a billing company must have a signed BAA with that company before claims data starts flowing.
Medical Billing Companies Are Business Associates by Definition
Under 45 CFR § 160.103, a business associate is any person or entity that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity. Medical billing companies satisfy this definition unambiguously — they receive PHI from covered entities and use it to submit claims and collect payments on those entities' behalf.
This applies regardless of how the billing is structured:
- Full-service revenue cycle management companies
- Coding-only services that access and code clinical records
- Clearinghouses that process and route claims electronically
- Denial management and appeals companies
- Credentialing services that handle provider enrollment with payers
- Medical billing software platforms where the vendor can access client data
What Must Be in the BAA
Under 45 CFR § 164.504(e)(2), a BAA between a covered entity and a medical billing company must include:
| Required provision | What it covers for medical billing |
|---|---|
| Permitted uses and disclosures | Claim submission, payment posting, denial management, audit support — scoped to billing functions only |
| Prohibition on unauthorized use | Billing company cannot use PHI for marketing, sale, or any purpose beyond the agreed billing scope |
| Safeguards | Administrative, physical, and technical safeguards for PHI systems — mirrors HIPAA Security Rule requirements |
| Breach notification | Billing company must notify provider within 60 days of discovering a breach involving that provider's patient data |
| Subcontractor BAAs | Billing company must obtain BAAs from any clearinghouse, offshore coding vendor, or software provider with PHI access |
| PHI return or destruction | On termination, billing company must return or certifiably destroy all patient data from the provider's records |
| Termination right | Provider can terminate the agreement if the billing company materially breaches the BAA |
Who Provides the BAA: Provider or Billing Company?
Either party can initiate the BAA. In practice:
- Large billing companies typically send providers their standard BAA during onboarding. Providers should review these agreements carefully — vendor-provided BAAs are not always as protective as a provider-generated agreement.
- Small and mid-size billing companies often don't have a standard BAA template ready. In these situations, the provider generates a BAA and sends it to the billing company for review and countersignature.
- BAA Generator can be used by either party — whether you're a provider sending a BAA to your biller, or a billing company standardizing the agreements you send to your provider clients.
Subcontractor BAAs: The Downstream Obligation
A billing company's BAA obligations don't stop at the provider relationship. Under the HITECH Act, business associates must obtain BAAs from their own subcontractors who access PHI. For a medical billing company, this typically includes:
- Clearinghouses used to route claims (Availity, Change Healthcare, Office Ally)
- Offshore coding or charge entry services
- Billing software platforms where the software vendor can access client data
- IT support providers with remote access to billing systems
- Cloud storage or backup services used to store patient records
Failure to obtain subcontractor BAAs is a HIPAA violation for the billing company, independent of whether any breach occurs.
Generate a compliant BAA in 5 minutes
HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word
No subscription · PDF + Word · Free watermarked preview
Frequently Asked Questions
Can a medical billing company use the same BAA template for all provider clients?
Yes, with caveats. A standardized BAA template can cover the mandatory HIPAA provisions for all relationships. However, the permitted uses and disclosures section should accurately reflect the specific billing services being provided for each client. BAA Generator lets you generate a customized BAA for each provider relationship in minutes.
What if the provider wants to use their own BAA instead of the billing company's standard agreement?
That's acceptable under HIPAA. Either party can generate the BAA. If a provider sends a BAA to their billing company, the billing company should review it to ensure it doesn't impose obligations that conflict with their operations — particularly around the scope of permitted uses and the breach notification timeline. The Word export from BAA Generator makes this negotiation easy.
Does an in-house billing department need a BAA?
No. HIPAA's BAA requirement applies to outside vendors — employees of the covered entity are not business associates, even if they handle PHI as part of their job. An in-house billing team is covered by the covered entity's own HIPAA policies and workforce training obligations, not by a BAA.
More Specialty BAA Guides