HIPAA Violations in Medical Billing: The Risks Most Practices Don’t Know They’re Taking

The HIPAA violations that actually result in enforcement actions and fines aren’t always dramatic data breaches. The most common billing-related violations are structural — arrangements that have been in place for months or years, creating ongoing exposure that nobody thought to address when they were set up.

If you’ve ever used Upwork or Fiverr for billing, shared EHR access with a contractor who hasn’t signed a BAA, or sent billing spreadsheets by unencrypted email, this applies to your practice.

The Most Common HIPAA Violations in Medical Billing

1. Missing Business Associate Agreement with Billing Vendor

Any third party that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate. Your billing company is a Business Associate. An Upwork freelancer doing your billing is a Business Associate. A billing software vendor that stores your claims data is a Business Associate.

Every Business Associate must have a signed BAA with your practice before accessing any PHI. A BAA is not a vendor’s general terms of service, not a confidentiality clause in a service contract, and not a verbal agreement. It is a specific document that meets HIPAA’s requirements for content and execution.

Billing vendors who don’t proactively provide a BAA should be asked for one explicitly. If they can’t produce one, the engagement creates compliance exposure from day one. Every claim processed, every patient record accessed, every AR report generated during that period is a potential violation.

OCR enforcement data: Failure to execute a BAA is one of the top five cited violations in OCR enforcement actions. Fines range from $100 per violation (no knowledge) to $50,000 per violation (willful neglect, uncorrected). At hundreds of patient records processed per month, the violation count accumulates quickly.

2. PHI on Unencrypted Devices

When a billing freelancer — from Upwork, Fiverr, or any platform that doesn’t enforce device security — accesses your EHR from their personal laptop, patient data may be stored in browser cache, downloaded to local storage, or accessed over an unsecured connection. None of this is visible to you. All of it creates exposure.

HIPAA requires covered entities to implement technical safeguards to protect PHI — including encryption of PHI on portable devices. The covered entity (your practice) is responsible for ensuring these safeguards exist for its Business Associates’ handling of PHI. “The vendor said they’re compliant” is not a documented safeguard.

The standard for a compliant offshore billing arrangement: full-disk encryption on the device used for billing, VPN with multi-factor authentication for all EHR access, zero local PHI storage after sessions end, and written documentation of each of these controls provided to the practice before access is granted.

3. Unencrypted Email with PHI

Sending billing spreadsheets, patient statements, EOBs, or claim data by unencrypted email is a HIPAA violation. Standard email (Gmail, Outlook without encryption, any email where neither party has encryption configured) is not a secure transmission method for PHI.

Most billing workflows involve some email — sending reports, sharing claim data, communicating about specific patient accounts. All of this requires either a HIPAA-compliant encrypted email service or a secure portal that doesn’t transmit PHI via email body or standard attachment.

4. EHR Access Without Audit Trail

HIPAA requires covered entities to implement hardware, software, and procedural mechanisms to record and examine access to information systems containing PHI. When a billing contractor accesses your EHR, that access should be traceable: who accessed what, when, and what actions were taken.

Most EHR platforms provide audit logging. The question is whether the audit log for your billing contractors has ever been reviewed — and whether you would know if a contractor accessed records they shouldn’t have.
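The kind of review described above can be scripted. The block below is an added example, not code from Dr. Billerz or from any EHR vendor: it assumes a simple, constructed line-based audit log export (timestamp, user, role, action, patient id) and a constructed list of the patient accounts a billing contractor was assigned to work, and it flags the three things a practice would most want a human to look at: access to records outside the contractor's worklist, access outside agreed working hours, and actions that create a local copy of PHI.

```python
"""Review an EHR access audit log for a billing contractor's activity.

Added example, not Dr. Billerz's or any EHR vendor's code. The log format,
user names, patient ids and assigned worklist below are all constructed
for this example; real EHR audit exports use their own formats.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    role: str
    action: str
    patient_id: str


def parse_audit_line(line):
    # Constructed format: "<ISO timestamp> user=<id> role=<role> action=<ACTION> patient=<id>"
    parts = line.strip().split()
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[1:])
    return AuditEvent(ts, fields["user"], fields["role"], fields["action"], fields["patient"])


# Actions that leave PHI on the contractor's device rather than in the EHR.
LOCAL_COPY_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD"}


def review_contractor_access(lines, contractor, assigned_patients,
                             business_hours=(time(7, 0), time(19, 0))):
    """Return a list of (event, reason) findings for one contractor account.

    Only events by `contractor` are examined; other users' activity is ignored.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_audit_line(line)
        if ev.user != contractor:
            continue
        if ev.patient_id not in assigned_patients:
            findings.append((ev, "record not on contractor's assigned worklist"))
        start, end = business_hours
        if not (start <= ev.ts.time() <= end):
            findings.append((ev, "access outside agreed working hours"))
        if ev.action in LOCAL_COPY_ACTIONS:
            findings.append((ev, "action creates a local copy of PHI"))
    return findings


def findings_by_reason(findings):
    """Count findings per reason, for a quick summary line in a review report."""
    counts = {}
    for _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample log: one billing contractor ("biller1"), one provider.
SAMPLE_LOG = """\
2024-03-04T09:12:33 user=biller1 role=billing action=VIEW patient=P1001
2024-03-04T09:15:02 user=biller1 role=billing action=VIEW patient=P1002
2024-03-04T09:40:11 user=drsmith role=provider action=VIEW patient=P2001
2024-03-04T10:05:47 user=biller1 role=billing action=VIEW patient=P3005
2024-03-04T23:48:09 user=biller1 role=billing action=VIEW patient=P1001
2024-03-05T08:30:00 user=biller1 role=billing action=EXPORT patient=P1002
"""

# Constructed worklist: the accounts biller1 was actually assigned.
ASSIGNED_TO_BILLER1 = {"P1001", "P1002"}


if __name__ == "__main__":
    results = review_contractor_access(SAMPLE_LOG.splitlines(), "biller1", ASSIGNED_TO_BILLER1)
    for ev, reason in results:
        print(f"{ev.ts.isoformat()} {ev.user} {ev.action} {ev.patient_id}: {reason}")
    print(findings_by_reason(results))
```

Run against the constructed log, the review surfaces three events: a view of a patient not on the worklist, a view at 23:48, and an export of a record. Each is a prompt for a question to the vendor, not proof of misuse; the point is that without a scheduled review like this the practice would never see any of them.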

5. Offshore Billing Without Proper Documentation

Offshore billing is not a HIPAA violation. But offshore billing without a properly executed BAA, without documented device security standards, and without a breach notification protocol is. The geography of your billing staff is irrelevant to HIPAA compliance. The documentation is not.

What Proper Compliance Documentation Looks Like

Before any billing vendor accesses your PHI, you should have in writing:

Business Associate Agreement: permitted uses of PHI, safeguard requirements, breach notification obligations, return/destruction of PHI on termination.

Device security confirmation: full-disk encryption standard, VPN requirement, MFA for EHR access, prohibition on local PHI storage.

HIPAA training documentation: annual training completion records for all staff who access PHI.

Breach notification protocol: timeline (60 days for notification), notification procedure, who is notified.

Subcontractor agreements: if the billing vendor uses subcontractors (common in offshore staffing), those subcontractors must also have BAAs.

How Dr. Billerz Handles Compliance

Every Dr. Billerz engagement provides all five documents before billing begins. The BAA is signed before EHR access is granted — not after a pilot period, not during onboarding. Device encryption, VPN policy, and local PHI storage prohibition are documented and provided in writing. HIPAA training certificates are available for every biller on your account. The breach notification protocol is in the BAA.

This is not a differentiator — it’s the baseline of what any billing vendor should provide. The fact that most don’t is why HIPAA compliance in billing is consistently cited as an enforcement problem.

Frequently Asked Questions

Is using Upwork for medical billing a HIPAA violation?

It depends on whether a Business Associate Agreement is in place and whether the device security requirements are met. Upwork does not provide BAAs as part of its platform. If you engage a billing freelancer on Upwork without executing a separate BAA and confirming their device security, the arrangement creates HIPAA exposure from the first patient record accessed.

What are the fines for HIPAA violations in medical billing?

OCR penalty tiers: $100–$50,000 per violation (up to $1.9M annually per violation category), depending on culpability. “No knowledge” violations carry lower fines. “Willful neglect, uncorrected” violations carry the maximum. A missing BAA covering a billing arrangement that processed hundreds of patient records represents hundreds of individual violations — each potentially subject to per-violation fines.

Does offshore billing require a HIPAA BAA?

Yes. Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity must have a signed BAA — regardless of where that entity is located. HIPAA applies to the covered entity’s obligations for all PHI they control, including PHI handled by offshore vendors. The BAA requirement does not have a geographic exception.

Want to see the compliance documentation before deciding? Book a free call — we’ll provide the BAA and compliance documentation before any discussion of billing starts.
