How medical billing companies can protect patient data as HIPAA requirements evolve

As one of many types of business associates (BA), medical billing companies use and disclose protected health information (PHI) all the time. And as cybersecurity threats continue to increase (with some industry experts estimating that 2024 was the worst year ever for breached healthcare records), billing companies must be extra diligent in protecting patient data in the year ahead. Why? Cyber thieves are smarter and savvier than ever. 

If there’s anything the Change Healthcare breach taught us, it’s that medical billing companies and other types of BAs are vulnerable to large-scale attacks. Data confirms this. Countless attacks resulting in data breaches reported to the Office for Civil Rights (OCR) in 2024 involved BAs, with many of these attacks originating in the BA’s own network server.

As Health Insurance Portability and Accountability Act (HIPAA) regulations continue to evolve to address these emerging threats, medical billing companies must stay ahead of compliance requirements while implementing robust cybersecurity measures. Here's what medical billing companies need to know to build a HIPAA audit checklist.

Looking ahead, medical billing companies and their provider clients should be aware of 2 potential developments on the horizon: 

For example, if finalized, BAs must have a subject matter expert verify to covered entities at least once every 12 months that they have deployed technical safeguards. BAs must also notify covered entities upon activation of their contingency plans without unreasonable delay, but no later than 24 hours after activation. In addition, the security rule will no longer distinguish between "required" and "addressable" implementation specifications. Instead, it will make all implementation specifications "required" with specific, limited exceptions. Here's an overview of proposed requirements.

Here are 5 steps medical billing companies (and the medical providers on whose behalf they work) can take to enhance cybersecurity in 2025 and beyond.

Even during times of sophisticated cyberthreats, basic steps provide important protection. For example, using a firewall, requiring multi-factor authentication, installing and maintaining anti-virus software, and using strong passwords that employees must change frequently are all important. None of these steps require significant effort, yet they all have significant impact on protecting patient data. 

A security risk assessment helps medical billing companies identify and address specific cybersecurity threats that may vary from company to company depending on a variety of factors such as whether a medical billing company employs remote workers, leverages offshore talent, accesses the medical practice’s network directly, and more. Past cybersecurity risk assessments can also inform current and future risk analysis and mitigation efforts. 

Medical billing companies must be particularly mindful of physical and technical safeguards that OCR may begin to monitor more closely. These safeguards should be on every HIPAA cybersecurity checklist. Also note that proposed changes to the HIPAA security rule require greater specificity for conducting a risk analysis. In addition, ongoing HIPAA security audits are important. Medical billing companies can create a HIPAA audit checklist to ensure all bases are covered. Note: Proposed changes to the HIPAA security rule would require HIPAA-regulated entities to conduct a HIPAA security rule compliance audit at least every 12 months.

Medical billing companies must ensure all wireless routers are set to operate only in encrypted mode. When configuring the network, they should identify all devices prior to permitting access. They should also prohibit staff from installing software without prior approval. This includes installing peer-to-peer applications such as file sharing, instant messaging, and others. Here’s a HIPAA audit checklist that can help medical billing companies ensure proper network access. 

Effective cybersecurity training should be role-based training that addresses the specific responsibilities of different healthcare staff members. Training should also involve simulated phishing exercises and cover topics related to the most recent HIPAA updates, password security, social engineering tactics, and safe computing practices. Finally, cybersecurity training should address incident response procedures, including incident detection, containment, eradication, and recovery, so staff know what to do in the event an actual cybersecurity or breach occurs. None of this is one-and-done training. Training should be an ongoing effort that incorporates new and emerging threats, statistics, and other insights.

Medical billing companies prevent cyberattacks most effectively when they partner with their provider clients to share best practices, analyze most recent HIPAA updates, and co-develop cybersecurity strategies that protect both parties. Developing this partnership should be on every HIPAA business associate compliance checklist.

While today’s medical billing companies work diligently to protect patient data, cybersecurity threats continue to evolve at a rapid pace. Complacency creates vulnerabilities that cyberthieves can easily exploit, making organized resilience more important than ever. The new year is a great time for medical billing companies to not only reassess their HIPAA business associate compliance checklist, but also refocus on creating a culture of cybersecurity.