
HIPAA BAA Requirements for Revenue Cycle Management Companies

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: RCM companies are business associates that must sign BAAs with each provider client and obtain BAAs from their own subvendors — clearinghouses, coding services, collections agencies, and analytics platforms. The Change Healthcare breach demonstrated the systemic risk when BAA chains in RCM are incomplete.

Revenue cycle management companies sit at the center of healthcare's financial data flows. They receive clinical documentation, assign billing codes, submit claims to payers, manage denials and appeals, pursue collections, and generate analytics — all of which involves extensive protected health information. The RCM company's BAA obligations run in two directions: upward toward the covered entity clients they serve, and downward toward their own subvendors that handle PHI in performing RCM functions.

The Dual BAA Role of RCM Companies

Role 1: RCM Company as Business Associate

An RCM company receives PHI from covered entity clients — hospitals, physician practices, behavioral health organizations — to perform billing and coding functions. This makes the RCM company a business associate of those covered entities. A signed BAA is required with each provider client before the RCM company begins handling their PHI. The BAA obligates the RCM company to:

Role 2: RCM Company's Own Subvendors

Under 45 CFR § 164.504(e)(2)(ii)(D), business associates must obtain BAAs from their own subcontractors that handle PHI. For RCM companies, this means executing BAAs with:

The Change Healthcare Breach: A Watershed Moment for RCM BAAs

In February 2024, Change Healthcare — a subsidiary of UnitedHealth Group that processes approximately 40% of US healthcare claims — suffered a ransomware attack that became the largest healthcare data breach in US history. The breach affected over 100 million individuals and disrupted claims processing for months, preventing thousands of healthcare providers and RCM companies from submitting claims or receiving payments.

The breach had direct HIPAA compliance implications for the RCM sector. The HHS Office for Civil Rights issued guidance following the breach emphasizing that: (1) provider organizations must have signed BAAs with all clearinghouses and RCM vendors handling their claims data; (2) BAAs must include appropriate security requirements, not just data handling terms; and (3) covered entities and business associates bear ongoing responsibility for monitoring vendor security practices.

The Change Healthcare situation also highlighted supply chain concentration risk in RCM: many organizations had indirect exposure through RCM companies that used Change Healthcare as their clearinghouse without the provider organization knowing the full downstream vendor chain. This is precisely why HIPAA's subcontractor BAA requirement (the chain from covered entity to BA to sub-BA) exists — and why it matters in practice.

Vendors RCM Companies Typically Need BAAs With

Claims Clearinghouses

Clearinghouses translate and route claims between providers and payers. RCM companies that use clearinghouses — Availity, Office Ally, and post-2024 alternatives to Change Healthcare — must execute BAAs with those clearinghouses. The clearinghouse receives comprehensive PHI in the claims: patient demographics, diagnosis codes, procedure codes, and dates of service.

Medical Coding Services

Many RCM companies outsource coding to specialized medical coding firms or use offshore coding services. These coding vendors access clinical documentation — physician notes, operative reports, discharge summaries — to assign billing codes. This access to clinical PHI makes coding vendors business associates of the RCM company, requiring BAAs.

Collections Agencies

When patient accounts reach collections status, RCM companies typically send those accounts to third-party collections agencies. Collections agencies receive patient names, addresses, account balances, and service information — PHI. They are business associates requiring BAAs. The BAA should specify permitted uses of PHI (collections activity only, not marketing) and retention limitations.

Analytics and Denial Management Platforms

RCM analytics platforms and denial management software that receive claim data with patient identifiers are business associates. Whether the analytics platform produces revenue cycle dashboards, denial pattern analyses, or predictive models for claims approval, if identifiable patient data flows into the analysis, a BAA is required.

Common Vendor BAA Table for RCM Companies

| Vendor Type | Example Vendors | BAA Required? |
| --- | --- | --- |
| Provider client (covered entity) | Hospitals, physician groups, health systems | Yes (RCM company signs as BA) |
| Claims clearinghouse | Availity, Office Ally, Waystar | Yes |
| Medical coding service | Outsourced coding firms, offshore vendors | Yes |
| Collections agency | Regional and national collections firms | Yes |
| Denial management software | Waystar, Experian Health, nThrive | Yes |
| Analytics platform | Arcadia, Inovalon, Cotiviti | Yes (if identifiable data) |
| Cloud infrastructure | AWS, Azure, GCP enterprise | Yes |

Common Compliance Gaps for RCM Companies

The most frequent BAA gaps in RCM: (1) onboarding provider clients without executing a BAA before claims processing begins — often because the contracting process focuses on service terms rather than HIPAA compliance; (2) using a clearinghouse without a signed BAA, treating the clearinghouse relationship as purely transactional; (3) outsourcing coding without BAAs because the coding relationship is managed operationally rather than by a compliance team; and (4) not maintaining a current inventory of subvendors as the RCM company's technology stack evolves.

The Change Healthcare breach has significantly raised awareness of these gaps, and provider organizations are now more likely to require BAAs as a condition of engagement with RCM vendors. For RCM companies, this means BAA execution should be a standard step in every new client onboarding process.

For guidance on subcontractor BAA chains, see our post "Subcontractor BAAs under HIPAA." For an overview of vendor BAA evaluation, see "Does Your Vendor Sign a HIPAA BAA?"

Frequently Asked Questions

Does an RCM company need to sign a HIPAA BAA with each provider client?

Yes. RCM companies are business associates of the covered entities they serve. A separate BAA must be executed with each provider client before any PHI is shared. The BAA governs the permissible uses of PHI, security obligations, incident reporting, and subcontractor requirements. The Change Healthcare breach prompted OCR to emphasize that provider organizations must confirm BAAs are in place with all their RCM and clearinghouse vendors.

Do RCM companies need BAAs with their own vendors?

Yes. Business associates must ensure that subcontractors handling PHI sign BAAs with them. RCM companies must execute BAAs with clearinghouses, coding services, collections agencies, denial management platforms, analytics vendors, and cloud infrastructure providers that handle PHI in performing RCM functions. This subcontractor BAA obligation is explicit under 45 CFR § 164.504(e)(2)(ii)(D).

What was the Change Healthcare breach impact on RCM BAAs?

The Change Healthcare ransomware attack in February 2024 — the largest healthcare data breach in US history, affecting 100 million-plus individuals — disrupted claims processing industry-wide and prompted HHS OCR guidance on clearinghouse and RCM BAA requirements. It demonstrated that a single vendor's breach could cascade through the entire healthcare billing ecosystem, and underscored why complete BAA chains from covered entities through all downstream subcontractors are essential.

Does a medical coding company need a HIPAA BAA?

Yes. Medical coding companies access clinical documentation containing PHI to assign billing codes. They are business associates of the covered entities or RCM companies they serve. BAAs are required with both the direct client (covered entity or RCM company) and with any subcontractors the coding company uses to perform the coding work.
