HIPAA-Compliant SNF Billing Services
SNF billing wrapped in a documented HIPAA program, not a slide deck. Signed BAA, role-based access, 45 CFR 164.514 18-identifier de-identification when claims data is repurposed, the 60-day breach notification rule, the minimum necessary standard, and SOC 2 Type II controls. Every biller works from a biometric-secured facility and logs into your system with audited credentials.
Vendors claim HIPAA. Auditors find missing BAAs.
Three HIPAA gaps surface in nearly every SNF outsourcing audit. Vendors say "HIPAA compliant" on the sales call. Then the BAA is unsigned, the breach runbook is missing, and access logs are not retained.
Unsigned or boilerplate BAAs
45 CFR 164.504(e) sets explicit BAA content requirements. Many vendor BAAs miss the subcontractor terms or the return-or-destroy clause. OCR civil money penalties under 45 CFR 160.404 reached $68,928 per violation at the top tier, with an annual cap of $2,067,813 per identical provision, under the inflation-adjusted amounts in effect in 2024; the amounts are adjusted each year, so check the current figures.
No 60-day breach runbook
Under 45 CFR 164.404 the covered entity must notify affected individuals, and under 45 CFR 164.410 the business associate must notify the covered entity, in each case without unreasonable delay and no later than 60 calendar days from discovery. A breach counts as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent, so the vendor's clock starts when any of its staff notices, not when leadership is briefed. Without a documented runbook, the clock runs while the vendor's leadership tries to figure out what happened.
Over-scoped access
The minimum necessary standard under 45 CFR 164.502(b) requires limiting access to what each role actually needs. Many vendors hand every biller a blanket view of the resident chart, which fails the standard on its face.
Tell us about your agency.
Send us your situation and our team will scope the right setup, usually within one business day. No obligation.
What is a HIPAA-compliant SNF billing service?
A HIPAA-compliant SNF billing service is a remote billing team that operates under a documented HIPAA program, not a marketing slide. That program covers the four pillars an auditor checks first: a signed Business Associate Agreement that meets 45 CFR 164.504(e), role-based access scoped to the minimum necessary under 45 CFR 164.502(b), a 60-day breach notification runbook per 45 CFR 164.404 and 164.410, and audit logging per 45 CFR 164.312(b). Stacked on top are SOC 2 Type II controls, HITRUST CSF aligned workflows, and ISO 27001 aligned practices.
What a HIPAA-aware SNF billing pod actually handles, day to day
The billing work is the same as any SNF billing pod. The difference is the controls underneath. Eight HIPAA-aware capabilities ship with every Staffingly pod.
Signed BAA under 164.504(e)
BAA executed before access is provisioned. Subcontractor terms, return-or-destroy, and breach reporting language included.
Role-based access
Each biller's PointClickCare or MatrixCare role is scoped to the modules and residents they actively work, per 164.502(b).
Biometric facility
Workstations sit in biometric-secured rooms. USB ports, printers, screenshots, and personal devices are blocked.
Audit log retention
System access logs are recorded and retained to satisfy the audit-controls standard at 45 CFR 164.312(b), which requires a mechanism to record and examine activity in systems that hold ePHI; the retention period itself is a documented policy decision, with the Security Rule's six-year documentation retention under 45 CFR 164.316(b)(2) as the usual benchmark. Logs are available to your compliance officer on request.
60-day breach runbook
Documented triage, scoping, and notice templates aligned with 45 CFR 164.404 and 164.410.
18-identifier de-identification
Safe Harbor de-identification under 45 CFR 164.514(b)(2) when claims data is repurposed for analytics.
SOC 2 Type II controls
Independent attestation against the Trust Services Criteria with a 6 to 12 month audit period.
HITRUST CSF aligned
Workflows mapped to HITRUST CSF v11 control set, with HIPAA and NIST cross-references.
A HIPAA program your auditor will accept, not a one-line marketing claim
Most outsourcing companies say "HIPAA compliant" and stop there. Ask for the BAA, the SOC 2 Type II report, the breach runbook, and the audit logs. Most cannot produce all four. We can.
Four-pillar HIPAA program
Signed BAA per 45 CFR 164.504(e). Role-based access per 164.502(b). 60-day breach runbook per 164.404 and 164.410. Audit logs per 164.312(b). All four documented and available on request.
Stacked compliance posture
HIPAA + SOC 2 Type II + ISO 27001 aligned + HITRUST CSF aligned. Plus alignment with 42 CFR 424 conditions of payment and 45 CFR 164.514 de-identification rules. Four frameworks, not one.
2-Week Risk-Free Pilot
14 days of live billing work under signed BAA, role-based access, and audit logging. A HIPAA evidence packet is included at the end of the pilot. Cancel before day 14, owe nothing.
Staffingly vs DIY in-house vs generic offshore vs onshore BPO
The HIPAA-program math your compliance officer actually reads.
From "let's talk" to live in 1 to 2 weeks
Six steps. Each one is documented.
Discovery call (15 min)
Which compliance gap is loudest? Missing BAA? Pending audit? Recent breach? We map it on a shared call. We send the evidence packet you ask for.
BAA + platform access
Business associate agreement signed under 45 CFR 164.504(e). Role-based access provisioned in PointClickCare, MatrixCare, Net Health, Brightree, HCHB.
Workflow shadow (2 to 3 days)
Your billing pod shadows your business office. Role definitions documented. Access scoped to minimum necessary per 45 CFR 164.502(b).
Parallel pilot starts
Starts in week 2 and runs for the 14-day pilot. Pod runs alongside your team. Daily 15-minute sync. Every access event hits the audit log.
Decision point (end of the 14-day pilot)
Pilot results plus HIPAA evidence packet (BAA copy, SOC 2 Type II report, role definitions, audit-log sample). Go or no-go.
Full handoff, cadence locked
Monthly QA audit. Annual HIPAA training renewal. Evidence packet refreshed for your compliance officer on request.
How a HIPAA-aware billing pod's day looks
A real shift, hour by hour. Times in your local time. Every action ties back to a HIPAA control.
How Staffingly works, in practice
Inside the work
A trained Staffingly specialist works inside your existing platform, with clear escalation back to your team.
One Flat Weekly Rate. No Surprises.
Dedicated SNF billers at a fixed weekly cost. Per biller FTE, per week. No contracts, no minimums, no hidden fees.
Want to compare against an in-house hire? Use the savings calculator.
Frequently asked questions
What are the 18 HIPAA identifiers under 45 CFR 164.514?
The HIPAA Privacy Rule at 45 CFR 164.514(b)(2) lists 18 identifiers of the individual, and of relatives, employers, and household members, that must be removed for Safe Harbor de-identification. These are names; geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (the first three digits of a ZIP code may be kept only if that three-digit area contains more than 20,000 people; otherwise it must be changed to 000); all elements of dates except year that relate directly to an individual, including birth, admission, discharge, and death dates, plus all ages over 89, which must be aggregated into a single "90 or older" category; telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; web URLs; IP addresses; biometric identifiers, including finger and voice prints; full-face photographs and any comparable images; and any other unique identifying number, characteristic, or code. Removing the 18 identifiers is only the first prong: under 164.514(b)(2)(ii) the entity must also have no actual knowledge that the remaining data could be used, alone or in combination, to identify the individual, which is why free-text fields such as billing notes need a review step and not just a field drop.
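The Safe Harbor rules above are mechanical enough to encode, and the edge cases (restricted ZIP3 prefixes, ages over 89 forcing removal of the birth year, identifiers hiding in free text) are where hand-built scrubbers usually go wrong. The following is an added example, not Staffingly code: a Python de-identifier run over a constructed SNF claim record. The field names, the sample record, and the `AS_OF` date are assumptions for the example; the restricted ZIP3 set is the one HHS's de-identification guidance lists from 2000 Census data and should be refreshed from current Census figures before real use.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a constructed SNF claim record.

Added example only; field names and sample data are assumptions, not a real system's schema.
"""
import re
from datetime import date

# Fields that map to the direct identifiers in 164.514(b)(2)(i)(A)-(R). Field names are assumed.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_plate", "device_serial", "url", "ip_address", "biometric_hash",
    "photo_ref",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# ZIP3 prefixes whose area holds 20,000 people or fewer must become "000" (164.514(b)(2)(i)(B)).
# Taken from HHS's Safe Harbor guidance (2000 Census data); refresh from current Census figures.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier patterns that tend to leak into free-text billing notes. A regex sweep is a
# backstop for the "no actual knowledge" prong in 164.514(b)(2)(ii), not a substitute for review.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                  # SSN
    re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),   # US phone/fax
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),                 # email
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),             # m/d/y date
]


def generalize_zip(zip_code):
    """Keep the first three ZIP digits unless the ZIP3 area is on the restricted list."""
    zip3 = str(zip_code)[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_age(dob, as_of):
    """Exact age in years, collapsed to the single '90+' bucket for ages over 89."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


def scrub_text(text):
    """Replace identifier-shaped substrings; return the scrubbed text and the hit count."""
    hits = 0
    for pattern in FREE_TEXT_PATTERNS:
        text, n = pattern.subn("[REDACTED]", text)
        hits += n
    return text, hits


def safe_harbor(record, as_of):
    """Return a Safe Harbor view of `record`; `needs_review` lists fields where text was scrubbed."""
    out, review = {}, []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # drop the field outright
        if key in DATE_FIELDS:
            out[key + "_year"] = value.year            # year is the only date element allowed
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
            continue
        if isinstance(value, str):
            value, hits = scrub_text(value)
            if hits:
                review.append(key)                     # a human still has to look at this field
        out[key] = value
    if "dob" in record:
        out["age"] = generalize_age(record["dob"], as_of)
        if out["age"] == "90+":
            out.pop("dob_year", None)                  # birth year would reveal an age over 89
    out["needs_review"] = review
    return out


AS_OF = date(2024, 2, 2)  # assumed reference date for age calculation

# Constructed records, not real PHI.
SAMPLE_CLAIM = {
    "name": "Jane Q. Resident", "mrn": "MRN-00042", "ssn": "123-45-6789",
    "dob": date(1931, 3, 14), "admit_date": date(2024, 1, 9), "discharge_date": date(2024, 2, 2),
    "zip": "03601", "phone": "603-555-0100",
    "hipps_code": "KBCA1", "rug_days": 24, "claim_amount": 18240.50,
    "notes": "Family contact 603-555-0199, re-eval scheduled 2/9/2024.",
}
SAMPLE_CLAIM_2 = {"name": "John Doe", "dob": date(1954, 6, 1), "zip": "10001", "notes": "no issues"}


def deidentify_samples():
    """Run both constructed records through the scrubber."""
    return safe_harbor(SAMPLE_CLAIM, AS_OF), safe_harbor(SAMPLE_CLAIM_2, AS_OF)


if __name__ == "__main__":
    for result in deidentify_samples():
        print(result)
```

The first record exercises every edge: the 036 ZIP3 collapses to 000, the resident is 92 so the age becomes "90+" and the birth year is dropped, and the notes field loses a phone number and a date and is flagged in `needs_review`. The second record keeps its ZIP3 and birth year because neither rule fires. What the code cannot do is satisfy the second prong of 164.514(b)(2) on its own; the `needs_review` list exists so a person clears each flagged record before the data leaves the PHI boundary.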
What does the BAA require under 45 CFR 164.504(e)?
A Business Associate Agreement under 45 CFR 164.504(e) must establish permitted and required uses and disclosures of PHI, prohibit further use or disclosure beyond the contract or law, require appropriate safeguards, require reporting of any use or disclosure not provided for, require subcontractor BAAs, make PHI available to the covered entity for individual access requests, return or destroy PHI at termination, and authorize termination if the business associate violates a material term. Staffingly signs the BAA before any access is provisioned.
What is the 60-day breach notification rule?
Under the HIPAA Breach Notification Rule at 45 CFR 164.404, a covered entity must notify affected individuals of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days from discovery. Business associates must notify the covered entity under 45 CFR 164.410 on the same terms, measured from the business associate's own discovery, and many BAAs contractually shorten that window. Breaches affecting 500 or more individuals must also be reported to HHS within the same 60 days (45 CFR 164.408), and breaches affecting more than 500 residents of a single state or jurisdiction require notice to prominent media outlets there (45 CFR 164.406); smaller breaches are logged and reported to HHS annually. Our incident response runbook is built to meet the 60-day window with documented triage, scoping, and notice templates.
What is the minimum necessary standard?
Under 45 CFR 164.502(b) and 45 CFR 164.514(d), covered entities and business associates must make reasonable efforts to limit PHI use, disclosure, and access to the minimum necessary to accomplish the intended purpose. For SNF billing, this means each biller's role-based access is scoped to the residents and modules they actively work, not a blanket view of the entire facility chart. We document role definitions and review them at onboarding and on role changes.
How does SOC 2 Type II differ from HITRUST CSF?
SOC 2 Type II is an AICPA attestation report covering the design and operating effectiveness of controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) over a defined audit period, typically 6 to 12 months. HITRUST CSF is a certifiable framework that maps HIPAA, NIST, ISO 27001, and other standards into one prescriptive control set tested by an authorized external assessor. Staffingly maintains SOC 2 Type II controls and HITRUST CSF aligned workflows so SNF operators get both audit-ready evidence and prescriptive HIPAA mapping.
How do you safeguard PHI when work is performed offshore?
PHI is processed inside a controlled environment. Workstations are biometric-secured. Printing, USB ports, screenshots, and personal devices are blocked. Network egress runs through audited proxies. Each biller signs an individual confidentiality and PHI-handling acknowledgement that is renewed annually. Access logs are retained to satisfy the 45 CFR 164.312(b) audit-control standard. The BAA flows down to the offshore entity as a subcontractor business associate agreement under 45 CFR 164.502(e)(1)(ii) and 164.504(e)(5), with the Security Rule contract terms at 45 CFR 164.314(a)(2).
How does pricing work for HIPAA-compliant SNF billing?
Per biller, coder, or AR follow-up specialist FTE, per week. No setup fees. $399 Standard, $349 Volume (3 or more), $299 Enterprise (10 or more). The HIPAA program (BAA, SOC 2 Type II controls, biometric facility, audit logs) is included at every tier, not a paid add-on.
What is included in the 2-Week Risk-Free Pilot?
Two weeks of live billing work under signed BAA, role-based access, and audit logging. Full reporting on clean-claim rate, denial rate, DSO movement, AR over 90 reduction, plus a HIPAA evidence packet (BAA copy, SOC 2 Type II report, role definitions, audit-log sample). No setup fee. No penalty if you cancel before day 14.
