What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that protects electronic patient health information (ePHI) from being disclosed without the patient’s consent or knowledge.
What is Protected Health Information (PHI) and Electronic Protected Health Information (ePHI)?
Protected health information (PHI) is health information, including demographic information, collected from an individual that identifies the individual or is reasonably believed to be able to be used to identify the individual. Electronic Protected Health Information (ePHI) is PHI in electronic form.
Where can I learn more about HIPAA?
For more information about HIPAA and HIPAA compliance, please visit: US Department of Health and Human Services - Health Information Privacy
Request HIPAA Controls with a Business Associate Agreement (BAA)
Do I need to sign a Business Associate Agreement (BAA)?
If you plan to enter any PHI into Bill.com (including within documents uploaded to Bill.com), you need to sign a BAA with Bill.com. The BAA applies to entities that process PHI/ePHI. Our terms of service specifically prohibit customers from entering PHI/ePHI into Bill.com unless a BAA has been entered into with Bill.com. Please see below for the relevant excerpt from our current terms of service.
“Business Associate” under HIPAA. Bill.com may, upon request, operate as a “business associate” of certain Users of the Service, including You, for the purposes of The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”). You agree that You will not send or transmit any electronic “Protected Health Information” (“ePHI”, as defined in HIPAA) to Bill.com or otherwise in any manner through the Service unless and until you have a Business Associates Agreement (“BAA”) with Bill.com. You are solely responsible for ensuring that Your use of the Service complies with all applicable laws and regulations, including HIPAA. If We become aware that You have sent or transmitted ePHI in any manner through the Service in violation of this Agreement or the BAA, We may delete the ePHI without notice to You and without Bill.com incurring any liability to You. You agree to pay any costs or fees associated with that ePHI deletion.
How do I enable HIPAA for my organization?
- If you’re a current Bill.com customer, please access the Business Associate Agreement (BAA) to enroll.
- If you’re a new Bill.com customer, please contact your account manager.
Best Practices Overview
Bill.com Accounts Payable (AP) and Accounts Receivable (AR) processes help customers stay compliant with HIPAA by providing protections and safeguards for the privacy and security of electronic Protected Health Information (ePHI) within Bill.com.
Once you have signed a BAA with Bill.com and HIPAA is enabled for your organization, please reference the following information to ensure you are using Bill.com in a manner compliant with HIPAA. You should only enter ePHI as instructed.
Please note, all syncable fields (including those containing ePHI) will automatically sync to your ERP. Bill.com hasn't reviewed and isn't responsible for the customer’s software provider's compliance with any applicable laws, including HIPAA. It is the customer's sole obligation to ensure any software providers are compliant with any applicable laws.
If you determine your ERP is HIPAA compliant:
Accounts Payable (AP)
- ePHI may only be entered into the following AP fields/areas:
  - Bill description
  - Expenses and Items table
  - Notes
- You may upload documents containing ePHI. Please note you should not email documents containing ePHI to Bill.com.
- All syncable fields (including those containing ePHI) will automatically sync to your ERP
Accounts Receivable (AR)
- ePHI may only be entered into the following AR fields/areas:
  - Items table
  - Message to Customer
- Invoices cannot be attached to emails sent through Bill.com. Your customers will need to log in to a Bill.com account to view and pay the invoice.
- All syncable fields (including those containing ePHI) will automatically sync to your ERP
If you determine your ERP isn't HIPAA compliant:
Accounts Payable (AP)
- If you aren't entering ePHI, you may make payments and sync as usual with your ERP.
- If you are entering ePHI, we recommend that you not utilize sync functionality. Instead, you may want to export data as a CSV from Bill.com and remove ePHI before importing data into your ERP.
- Documents containing ePHI may be uploaded, as documents aren't synced with your ERP.
Accounts Receivable (AR)
- If you aren't entering ePHI, no changes are required.
- If you need to generate invoices with ePHI, we recommend that you not utilize sync functionality. Instead, you may want to export data as a CSV from Bill.com and remove ePHI before importing data into your ERP.
- Invoices containing ePHI are viewed in the portal and cannot be emailed.
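The export-and-scrub step recommended for both AP and AR above, as an added example that is not Bill.com's own tooling: a small Python routine that blanks the columns this page lists as the only fields permitted to hold ePHI before the CSV is imported into an ERP that is not HIPAA compliant, and reports any expected column that is absent so a changed export layout does not silently pass ePHI through. The CSV header names and the sample export rows are assumptions, not Bill.com's actual export format.

```python
import csv
import io

# The page lists these as the only fields that may hold ePHI. The exact
# header names in a Bill.com CSV export are ASSUMED here; adjust them to
# match the headers of your own export before relying on this.
AP_EPHI_COLUMNS = {"Bill description", "Expenses and Items", "Notes"}
AR_EPHI_COLUMNS = {"Items", "Message to Customer"}

REDACTED = "[REDACTED ePHI]"


def redact_ephi(csv_text: str, ephi_columns: set[str]) -> tuple[str, list[str], list[str]]:
    """Blank every ePHI-permitted column of an exported CSV.

    Returns (rewritten_csv, columns_redacted, columns_missing). A missing
    column is reported rather than ignored: if the export layout changed,
    the operator must re-check the mapping instead of assuming the file
    is clean.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    present = [c for c in fieldnames if c in ephi_columns]
    missing = sorted(ephi_columns - set(fieldnames))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in present:
            if row.get(col):  # leave empty cells empty, overwrite any content
                row[col] = REDACTED
        writer.writerow(row)
    return out.getvalue(), present, missing


# Constructed sample AP export (not real data) in the assumed layout.
# Note the header deliberately lacks "Expenses and Items" so the
# missing-column report is exercised.
SAMPLE_AP_EXPORT = (
    "Vendor,Invoice #,Amount,Bill description,Notes\n"
    "Acme Clinic Supply,INV-1001,250.00,Treatment supplies for J. Doe,Follow-up needed\n"
    "Office Depot,INV-1002,42.10,,\n"
)


def scrubbed_ap_export() -> tuple[str, list[str], list[str]]:
    """Run the scrub over the constructed AP sample."""
    return redact_ephi(SAMPLE_AP_EXPORT, AP_EPHI_COLUMNS)


if __name__ == "__main__":
    text, redacted, missing = scrubbed_ap_export()
    print(text)
    print("redacted:", redacted, "missing:", missing)
```

Treat a non-empty missing list as a stop condition in any automated pipeline: the file should not go to the ERP until the column mapping has been re-verified.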