How we handle protected health information when providing revenue cycle management services on behalf of healthcare practices.
When Med Bills LLC performs billing, claims submission, denial management, or related revenue cycle services on behalf of a healthcare practice, we act as a Business Associate under HIPAA. The practice remains the Covered Entity and owner of patient data; we process protected health information (PHI) strictly to perform the services defined in the signed service agreement.
Where a client engagement involves access to PHI, we execute a Business Associate Agreement (BAA) before that access begins. The BAA defines permitted uses of PHI, required safeguards, breach notification obligations, and data return or destruction terms at the end of the engagement.
Wherever the engagement allows, claims and PHI are processed through the client's own clearinghouse and practice management system rather than copied into separate Med Bills infrastructure. This limits the number of systems PHI passes through and keeps the client's existing access controls in place.
Our operating practices include role-based access controls, secure handling of any documentation shared for billing or claims review, and internal procedures for reporting and responding to any suspected security incident involving PHI, consistent with our obligations under each client's BAA.
If we become aware of a breach involving PHI we're processing on a client's behalf, we will notify that client without unreasonable delay, consistent with the timelines and procedures set out in the applicable BAA and HIPAA's Breach Notification Rule.
Because Med Bills acts as a service provider to the practice rather than the owner of patient records, patients with questions about their own PHI, or requests to access, amend, or restrict use of their records, should contact the practice directly. We support our client practices in fulfilling those obligations as part of the engagement.
If you're considering working with us and want to share a sample claim, denial report, or EOB for review before any agreement is signed, please redact patient identifiers (for example names, dates of birth, and member or account numbers) wherever possible. For a deeper review that requires PHI, we'll set up an appropriate secure channel and execute a BAA first, rather than handling PHI over standard email.
Questions about our HIPAA practices or a specific engagement's BAA can be sent to info@medbills.io or sales@medbills.io.