HIPAA & BAA · AP/AR automation
Is Bill.com (BILL) HIPAA compliant?
Conditionally. BILL offers a BAA and protects ePHI entered into designated fields within its AP and AR solutions, but only after the BAA is in place; otherwise PHI is prohibited on the platform.
Key facts
- BAA available: Conditionally (on specific plans)
- What it takes: BILL Accounts Payable and/or Accounts Receivable with HIPAA enabled and a signed BAA; PHI only in designated fields
- Official source: BILL: HIPAA Guidelines and Compliance, https://help.bill.com/direct/s/article/360033387752 (verified 2026-06)
How to use Bill.com (BILL) in a HIPAA-compliant way
- Confirm you are using BILL Accounts Payable and/or Accounts Receivable (the HIPAA-supported solutions).
- Request and execute BILL's Business Associate Agreement, which sets out both parties' PHI obligations.
- Only enter ePHI into the designated fields BILL identifies as protected; do not place PHI elsewhere.
- Apply role-based permissions to limit internal access to ePHI and complete required handling training.
- Verify current eligibility and any plan requirements directly with BILL before transmitting PHI.
Important caveats
- Without a signed BAA, BILL's terms prohibit storing or transmitting PHI on the platform.
- Protection is scoped to specific designated fields, not arbitrary uploads, notes, or attachments.
- Coverage applies to BILL's AP/AR solutions; verify whether your specific product/edition qualifies.
The bottom line
No software is "HIPAA compliant" on its own. HIPAA compliance is a property of your organization, not a tool. Even with a signed BAA, you remain responsible for configuring Bill.com (BILL) correctly, limiting access to PHI, training staff, and maintaining your own safeguards. This page is general information, not legal advice; confirm current terms with Bill.com (BILL).
Frequently asked questions
Does Bill.com (BILL) sign a BAA?
On specific plans. It requires BILL Accounts Payable and/or Accounts Receivable with HIPAA enabled and a signed BAA, with PHI entered only in designated fields. The BAA must be signed before any PHI is involved.
Is Bill.com (BILL) HIPAA compliant out of the box?
No software is "HIPAA compliant" by itself. Even when Bill.com (BILL) offers a BAA, you are responsible for signing it, configuring the product correctly, restricting access, and maintaining your own administrative, physical, and technical safeguards.
What should I check before using Bill.com (BILL) with PHI?
Confirm that a signed BAA is in place first: without one, BILL's terms prohibit storing or transmitting PHI on the platform.