The Security Bar Every Billing Operation Must Clear

Whether billing stays in-house or goes to a partner, PHI security is non-negotiable. This page documents the standards any practice should demand — use it as an evaluation checklist. It also explains how this website handles your data.

Eight Standards to Demand From Any Billing Operation

Before any billing team — internal or external — touches a patient record, these controls should be verifiably in place. Ask for evidence, not assurances.

📄

1. Business Associate Agreement (BAA)

  • Signed before any PHI access — no exceptions, no "trial periods"
  • Covers all subcontractors who may touch PHI downstream
  • Specifies breach notification timelines and responsibilities
🔑

2. Role-Based Access Controls

  • Each biller accesses only the systems and accounts they work
  • Unique named logins — never shared credentials
  • Access revoked same-day when a team member leaves
🔒

3. Encryption In Transit and At Rest

  • TLS for every connection to your EHR/PM system
  • No PHI in plain email — secure portals or encrypted channels only
  • Encrypted storage for any exported reports or work files
📋

4. Complete Audit Trails

  • Every account touched, claim viewed, and change made is logged
  • Logs are reviewable by the practice on request
  • Activity tracking covers remote and offshore team members equally
🖥️

5. Controlled Work Environments

  • PHI accessed only from managed devices — no personal laptops
  • No local downloads or screenshots of patient data
  • Physical workspace controls where teams operate on-site
🎓

6. Documented HIPAA Training

  • Initial and annual refresher training for every team member
  • Training records available for your compliance file
  • Applies to every role that touches PHI, including QA and management
🌐

7. Offshore-Specific Safeguards (If Applicable)

  • Same BAA coverage, training, and audit standards as onshore
  • Clear disclosure of where work is performed
  • See our full HIPAA & Offshore Billing guide for the complete evaluation checklist
🔄

8. Business Continuity Planning

  • Documented backup staffing so one departure doesn't stall your AR
  • Disaster recovery plan for system outages
  • Defined escalation paths and response-time commitments

How to Use This Checklist

Send these eight items to any current or prospective billing partner and ask for written evidence of each. A quality operation will answer within days without hedging. Evasive answers on items 1, 2, or 4 are disqualifying — those controls are the difference between a compliance program and a compliance promise.

How This Site Handles Your Data

This website is an educational resource. We do not collect, store, or process Protected Health Information (PHI) through this site. Please do not include patient information in any form submission.

When you download a resource or request an assessment, we collect only what the form shows: your name, work email, practice name, specialty, and optionally a phone number. That information is used to deliver what you requested and, if you opt in, to send our newsletter. It is never sold or shared with third parties for marketing. Full details are in our Privacy Policy.

Evaluating a Billing Partner?

The HIPAA & Offshore guide expands this checklist into a complete due-diligence framework.