Cybersecurity for Home Health Billing Companies: The Hidden Attack Surface
HIPAA

Obi Ibeto

Third-party billing companies that handle home health claims are a major HIPAA compliance risk. Here's what agencies must know about securing the billing relationship.

Home health agency executives spend significant time evaluating the clinical capabilities of their EHR, the credentials of their clinical staff, and the quality of their care delivery. They spend considerably less time evaluating the cybersecurity posture of their billing company.

This is a significant oversight. Your billing company has access to some of the most sensitive ePHI in your environment — patient names, Social Security numbers, Medicare and Medicaid numbers, diagnoses, service records, and financial information. They access this data from their own systems, on their own network, with their own security controls — over which you have no direct visibility.

A breach at your billing company is a breach of your patients' data. And under HIPAA, it is your breach.

What Your Billing Company Accesses

A typical home health billing company accesses:

  • Patient demographic information (name, address, date of birth, Social Security number)
  • Insurance information (Medicare/Medicaid numbers, payer IDs)
  • Clinical documentation supporting claims (visit notes, physician orders, care plans)
  • Diagnosis codes and service records
  • Financial account information for payment processing
  • Your agency's Medicare provider number and billing credentials

This is a complete package for medical identity theft, Medicare fraud, and regulatory exposure. When a billing company is compromised — whether by ransomware, phishing, or insider threat — all of this data is potentially in the hands of an attacker.

The HIPAA Obligation: Business Associate Agreements

Under HIPAA, your billing company is a business associate — a vendor who performs a service on your behalf that requires access to ePHI. The law requires you to have a signed Business Associate Agreement (BAA) with every business associate before they access any ePHI.

The BAA is not just a contract formality. It establishes:

  • The billing company's obligation to protect ePHI using HIPAA-required safeguards
  • Their obligation to notify you of any breach involving your patients' data within 60 days (or sooner under your agreement)
  • Their agreement to return or destroy ePHI upon contract termination
  • Their compliance with the same HIPAA requirements that apply to your agency

If your billing company experiences a breach and you do not have a signed BAA with them, you face additional OCR exposure for failing to execute required business associate agreements — on top of the breach notification obligations.

What to Ask Your Billing Company About Security

Most home health agencies sign a billing services agreement and assume security is handled. These five questions separate billing companies with genuine security programs from those with a compliance checkbox approach:

1. Do you have a documented HIPAA Security Rule compliance program, and can you provide evidence?

A billing company that handles ePHI must have the same foundational HIPAA documentation you do — risk analysis, written security program, staff training records. If they cannot produce these on request, they are non-compliant and you share that risk.

2. Do you have MFA enforced on all accounts accessing client ePHI?

This is the single most important technical control. A billing company whose staff access your patients' claims data without MFA is one phishing attack away from a breach that affects every one of their clients simultaneously.

3. Have you experienced any security incidents or data breaches in the past three years?

A breach history is not automatically disqualifying, but the quality of the billing company's response and what they changed afterward matters. A company that cannot describe what they learned from a prior incident and what controls they implemented afterward has not processed the lesson.

4. Do you conduct annual security awareness training with documentation?

Billing staff are among the highest-risk targets for phishing and BEC attacks. A billing company without documented annual training is a company whose staff are statistically more susceptible to the attacks most commonly directed at billing operations.

5. Who do we contact immediately if you discover a breach affecting our patients' data?

The answer should be a named individual, a phone number, and a timeline — "you will be notified within [X] hours of discovery." If the answer is vague or refers only to legal obligations without an operational contact, the company has not operationalized its breach response.

Contractual Protections Beyond the BAA

Beyond the BAA, your billing services agreement should include:

Security standards clause: Specifies the minimum security controls the billing company must maintain — MFA, encryption, EDR, annual training, vulnerability scanning. This clause gives you contractual recourse if the company's security falls below the agreed standard.

Right to audit: Reserves your right to request evidence of security controls and compliance documentation annually. Billing companies that refuse audit rights are billing companies with something to hide.

Breach notification timeline: Specifies that you must be notified within 24–48 hours of a confirmed breach, not just within HIPAA's 60-day window. Earlier notification gives you more time to manage the patient notification process and protect your reputation.

Termination for cause: Specifies that a confirmed security breach or compliance failure is grounds for immediate contract termination — protecting you from being contractually locked into a billing company that has demonstrated it cannot protect your patients' data.

ShieldForce can assess your billing company relationship as part of your HIPAA vendor management review. Our business associate agreement review process confirms you have the contractual protections and compliance evidence you need.
