The Intake

Insights for those starting, managing, and growing independent healthcare practices

How medical billing companies can practice cybersecurity (and prepare for proposed HIPAA changes) on a budget

These cost-effective resources can help you maintain compliance — and protect patients and providers.

Last updated on 04/15/2025
HIPAA cybersecurity resources

At a Glance

  • Free HIPAA cybersecurity tools help medical billing business associates meet compliance requirements on tight budgets.
  • Simple measures like multi-factor authentication and encryption protect patient data cost-effectively.
  • Learning from enforcement actions prepares business associates for upcoming HIPAA security requirements.

For medical billing companies and other business associates, a cyberattack can be devastating, with financial and reputational consequences. Understanding and complying with the Health Insurance Portability and Accountability Act (HIPAA) cybersecurity requirements, including the proposed changes, is therefore critical.

But while protecting patient data must be a top priority for business associates, HIPAA compliance comes with costs that aren’t always easy to absorb. The good news is that many widely available HIPAA cybersecurity resources and cost-effective methods can help your organization promote cybersecurity even on a tight budget. 


Leverage low- or no-cost tools and HIPAA cybersecurity resources 

Under proposed HIPAA changes, business associates must annually verify and certify to covered entities that they’ve implemented technical safeguards to protect electronic patient health information (ePHI). Thankfully, many free HIPAA cybersecurity resources can help meet this requirement. 

For example, the Office of the National Coordinator for Health Information Technology (ONC) provides a free Security Risk Assessment Tool designed to help business associates (and covered entities) comply with HIPAA’s administrative, physical, and technical safeguards and identify areas where ePHI could be at risk. Keep in mind that the tool produces documentation of the risk analysis; each identified risk still needs an owner and a remediation plan. ONC also provides many other free cybersecurity training tools, templates, and educational materials.

Proposed HIPAA changes also require business associates to notify covered entities within 24 hours of activating contingency plans during significant security incidents. One efficient and cost-effective strategy is to predefine email distribution groups (for example, a dedicated security-incident list that reaches every covered-entity contact) so alerts go out quickly without wasting time or resources.

Consider creating pre-recorded messages and leveraging free or low-cost automated phone calls. Regardless of how you do it, proactively establishing communication protocols for notifying stakeholders is essential.

Proposed HIPAA changes further require business associates to conduct vulnerability scans every 6 months and penetration testing annually to proactively identify and address security weaknesses. Numerous free HIPAA cybersecurity resources and tools can help. Using these tools, business associates can scan internal and external networks for known vulnerabilities, scan web servers for outdated software and insecure files, perform hands-on penetration testing and exploit testing, and more. Running the tools is only half the requirement: track each finding to remediation and keep the scan and test reports, since the goal is to address weaknesses, not merely to detect them.

Additional free or low-cost cybersecurity measures

Business associates should also implement these other free or low-cost ways to promote cybersecurity: 

  • Deploy free or low-cost identity and access management (IAM) tools and multi-factor authentication
  • Configure inactivity timeouts 
  • Activate built-in encryption features in operating systems 
  • Use budget-friendly encrypted email services or secure messaging apps
  • Use free TLS/SSL certificates for secure communication
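The inactivity-timeout item above is usually implemented at the operating-system or application level. The following is an added example, not code from the original article or from any vendor mentioned in it: a minimal server-side session store for a hypothetical ePHI-handling web application that enforces both an idle timeout (sliding window) and an absolute timeout (hard cap since login). The 15-minute and 8-hour values are illustrative policy choices, not figures from the article, and the clock is injectable so the expiry logic can be exercised without waiting.

```python
"""Idle and absolute session timeouts for a hypothetical ePHI web app (added example)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_S = 15 * 60          # illustrative: end session after 15 min without activity
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60  # illustrative: end session 8 h after login regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


@dataclass
class SessionStore:
    """In-memory store. `clock` defaults to time.time and is replaceable for tests."""
    clock: Callable[[], float] = time.time
    _sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self.clock()
        self._sessions[token] = Session(user=user, created_at=now, last_seen=now)
        return token

    def touch(self, token: str) -> Optional[Session]:
        """Call on every request. Returns the session if still valid; otherwise
        removes it server-side and returns None. A client-side timer alone is
        not enforcement, because the client can simply ignore it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        idle_expired = now - s.last_seen > IDLE_TIMEOUT_S
        absolute_expired = now - s.created_at > ABSOLUTE_TIMEOUT_S
        if idle_expired or absolute_expired:
            del self._sessions[token]
            return None
        s.last_seen = now  # activity slides the idle window; it never extends the absolute cap
        return s

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def demo() -> dict:
    """Drive the store with a fake clock to show both expiry paths."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])

    # Path 1: idle expiry. 10 min idle is fine; 16 more min idle exceeds the 15-min window.
    tok = store.login("biller")                 # constructed user name
    t[0] += 10 * 60
    alive_after_10m = store.touch(tok) is not None
    t[0] += 16 * 60
    alive_after_idle = store.touch(tok) is not None

    # Path 2: absolute expiry. Activity every 14 min keeps the idle window alive,
    # but the 8-h cap (480 min) is crossed at the 35th touch (35 * 14 = 490 min).
    tok2 = store.login("biller")
    active_touches = 0
    for _ in range(40):
        t[0] += 14 * 60
        if store.touch(tok2) is not None:
            active_touches += 1
    alive_after_absolute = store.touch(tok2) is not None

    return {
        "alive_after_10m": alive_after_10m,
        "alive_after_idle": alive_after_idle,
        "active_touches_before_absolute": active_touches,
        "alive_after_absolute": alive_after_absolute,
    }


if __name__ == "__main__":
    print(demo())
```

Expiry is decided on the server at each request and the record is deleted when it trips, so a stolen token is worthless after the idle window closes even if the client never logged out.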

Seek cost-effective cybersecurity training

Business associates can contain costs while providing staff with high-quality cybersecurity education. For example, with memberships to certain industry associations and trade groups, business associates can take advantage of member discounts on reputable training and resources. You may also be able to leverage bulk licensing for team training. 

Take advantage of free cybersecurity training resources from health IT vendors, consultants, and industry experts, including webinars, podcasts, newsletters, and blog content that can be curated and shared with staff and clients. For example, Infosec offers 133 free cybersecurity training courses.

Partner with other business associates and covered entities 

Consider partnering with other business associates and covered entities to pool HIPAA cybersecurity resources. Look into shared security training, cybersecurity audits, and development of cybersecurity policies and procedures. 

You could even share consultant costs to help develop up-to-date technology asset inventories and network maps showing ePHI movement (also required under proposed HIPAA changes) among multiple organizations. 

Learn from other business associates’ mistakes

Learning key lessons from others’ costly mistakes can provide valuable insights. Reviewing resolution agreements and civil monetary penalties can help you identify and mitigate vulnerabilities in cost-effective ways. 

As the Office for Civil Rights (OCR) conducts its 2024–2025 HIPAA audits of business associates and covered entities, additional best practices will surface. OCR will publish a comprehensive industry report summarizing its findings after completing these audits, as it did after its most recent audits.

Use HIPAA cybersecurity resources to take action now

The low-cost or free cybersecurity resources highlighted above can significantly strengthen your compliance, risk mitigation, and ability to safeguard ePHI. By implementing these cost-effective solutions, business associates not only fulfill HIPAA obligations but also protect patients and providers.

With numerous HIPAA cybersecurity resources available, the time to prepare for both current and proposed requirements is now. Getting a head start will position your organization for success in an increasingly complex regulatory environment.


Lisa Eramo, freelance healthcare writer

Lisa A. Eramo, BA, MA is a freelance writer specializing in health information management, medical coding, and regulatory topics. She began her healthcare career as a referral specialist for a well-known cancer center. Lisa went on to work for several years at a healthcare publishing company. She regularly contributes to healthcare publications, websites, and blogs, including the AHIMA Journal. Her focus areas are medical coding, and ICD-10 in particular, clinical documentation improvement, and healthcare quality/efficiency.
