10 Things to Verify Before Signing Any Medical Billing Software Contract

Short answer

Most billing software contracts bite you in the same three places: the termination structure, data export rights, and year-two fees. The termination structure matters most — an annual non-cancelable clause means you could owe the remaining months even after a full migration, with documented cases where billing companies paid tens of thousands of dollars for a system they no longer used. Data export rights come second, because the contract often grants you access to your own data on a schedule and fee structure the vendor controls, not you. Third, year-two fees — AI add-ons, document storage overages, attachment fees, card processing markups — can push the real cost well above the advertised price before the first renewal. The other seven items below matter too, but those three are where the largest, most avoidable losses happen.

How billing-company software contracts go wrong

Billing companies evaluate software based on feature lists, pricing pages, and demos. They sign contracts based on the sales conversation. The contract itself — the document with the termination, data, and dispute clauses — often goes unread until something breaks.

The failure modes are well-documented. AdvancedMD's published Terms of Service state that subscription fees are non-cancelable during the term. BBB complaint filings against medical billing software vendors over the past five years include billing companies reporting four to six months of fees owed after they had already fully migrated to a replacement system. CollaborateMD's customer software agreement includes a data deletion window — fail to export within the specified period after termination and the data is gone. Tebra's migration documentation describes a thirty-day SLA for data services, but that SLA applies to Tebra acting as the receiving system, not as the exporter. The clause language that protects your trailing A/R and your data access is almost never on the pricing page.

This checklist covers the ten contract terms and vendor facts that matter most before you sign. The order tracks consequence: the items at the top do the most damage when they go wrong.

1. Termination notice period and renewal cliff

What to check before signing. Ask for the termination section by section number, not just a summary. The three variables that matter are: how many days of advance notice you must give before a renewal date to avoid auto-renewal, whether fees for the renewal term become non-cancelable the moment the notice window closes, and whether early termination carries a penalty beyond the remaining term balance. Some contracts require sixty to ninety days notice before the annual renewal date. Miss that window by a day and you are committed to another full year.

Real-world failure mode. AdvancedMD's published Terms of Service state that fees are non-cancelable during the subscription term. BBB complaint filings describe billing companies that completed a full migration to a new platform, stopped using AdvancedMD, and then received invoices for the remaining months on their annual contract — amounts ranging from several thousand to tens of thousands of dollars depending on provider count. At $429 per provider per month and forty providers, a six-month remainder on an annual term is $102,960. The contract was clear; the buyer did not read it before signing.

The contractual fix. Look for language that reads: "Either party may terminate this agreement at any time upon thirty days written notice, with no additional fees owed beyond the current billing period." If the contract requires annual commitment, negotiate for a pro-rated exit clause in the first year or a month-to-month conversion option after the initial term. If the vendor will not negotiate termination terms, treat that refusal as information about how the relationship will go when something breaks.

2. Data export rights — what you own and how you get it

What to check before signing. The data section should tell you three things: what data you can export, in what format, and within what time window after termination. Generic language like "we will provide data in a commercially reasonable format" is a red flag because it leaves the format, timeline, and fee structure entirely to the vendor. The specific questions: Can you export all claims, payments, ERAs, and patient records on demand, before termination, not just after? Is there a fee per export run? Is there a post-termination window during which export is available, and what happens to your data when that window closes?

Real-world failure mode. CollaborateMD's customer software agreement — specifically sections 3.1 and 3.3 — specifies conditions under which data access and export are provided after termination, including a deletion window after which customer data is removed from the system. AdvancedMD's data export service for PM and EHR data carries a fee that requires a direct quote; third-party analyses of migration projects flag the exit as a multi-thousand-dollar event depending on data volume. The billing company that assumed it owned its data and could pull it whenever it wanted often discovers the extraction has a price and a deadline attached.

The contractual fix. Negotiate for explicit export rights with no additional fee for standard export runs, a minimum ninety-day post-termination access window, and a clause that the vendor will not delete data without thirty days written notice and a confirmed export receipt. If the contract specifies a deletion window, put a calendar reminder ninety days before the termination date so you are not scrambling at the end.

3. Legacy A/R closeout clause for the outgoing arrangement

What to check before signing. This clause lives in the termination agreement with your current vendor, not in the contract with the new one. Before you sign anything with a new platform, the outgoing vendor's contract needs two explicit provisions: a commitment that they will continue working all claims with dates of service prior to cutover for at least sixty days, and a guarantee that you own the trailing A/R outright with documented access to claim history during and after the transition period.

Real-world failure mode. The Medical Billers and Coders 30-Day Transition Playbook documents that practices and billing companies that skip the legacy A/R closeout clause routinely pay four to eight weeks of unnecessary fees just to retrieve their own claim history. Tebra's migration documentation describes a sixty to ninety day legacy A/R parallel-run as the pattern that protects revenue — practices that rush the switch under twenty-one days typically lose eight to twelve percent of trailing A/R, because aged claims stop being worked the moment the outgoing vendor's obligation ends. Without the clause, that obligation never formally existed.

The contractual fix. The language that works: "The outgoing party will continue to actively work all claims with dates of service prior to [cutover date] for a minimum of sixty days following termination. The practice and billing company own all trailing A/R outright. The outgoing party will provide monthly aging reconciliation and performance reporting until the legacy A/R is closed or written off. Access to claim history will remain available for a minimum of twelve months post-termination at no additional charge." If the outgoing vendor will not agree to this, that refusal affects every dollar of your current trailing book.

4. Per-provider pricing scaling math at 2x and 3x your current provider count

What to check before signing. Ask the vendor for a specific dollar figure at your current provider count, at twice that count, and at three times that count. Get it in writing. Per-provider pricing looks manageable at ten providers and becomes the dominant operating cost at thirty. The pricing page often shows a base rate per provider without disclosing whether volume discounts apply automatically or require renegotiation at each tier.

Real-world failure mode. The arithmetic at thirty providers: AdvancedMD's published rate of $429 per provider per month produces a $12,870 monthly floor, before implementation fees, add-ons, or data migration. The same book on Medi runs $300 in platform fees plus EDI usage in the $800 to $1,100 range — roughly $1,100 to $1,400 per month total. The gap is not a marketing claim; it is the consequence of two different pricing structures applied to the same headcount. A billing company that signs at twelve providers and grows to thirty has a per-provider contract that compounds against every client they onboard. If the volume discount requires renegotiation, the vendor controls when and whether it happens.

The contractual fix. Either get a fixed per-provider rate locked in for a multi-year term with an explicit schedule for how discounts apply at each tier — and confirm it in writing — or choose a flat-fee structure where growth does not change the platform cost. If the contract says "rates subject to change," ask what the change notification requirement is and whether you can exit penalty-free when rates increase beyond a specified threshold. A 5% annual rate cap with a 30-day exit right is a reasonable floor to ask for.

5. Onboarding and implementation fees

What to check before signing. Implementation fees for medical billing software typically take three forms: a flat one-time fee, a per-provider fee, or a professional-services engagement billed by the hour. AdvancedMD cites standard implementation fees of $2,000 to $5,000, with enterprise implementations up to $6,000 documented in third-party analyses. CollaborateMD advertises a phased implementation approach with a dedicated enrollments specialist — ask whether that specialist's time is included in the contract or billed separately. Some vendors bundle implementation into year-one pricing and discount it; others list it as a non-waivable line item.

Real-world failure mode. A billing company that models the first-year cost based on the published per-provider rate and misses a $3,500 implementation fee has a $3,500 surprise on the first invoice. That is not catastrophic. The larger problem is when implementation timelines extend beyond what the contract guarantees and professional-services hours accumulate against a go-live that keeps moving. Ask specifically whether implementation is fixed-fee or time-and-materials, and whether there is a written go-live date commitment with a penalty if the vendor misses it.

The contractual fix. Confirm that implementation fees are itemized separately from subscription fees, fixed by scope rather than by hour, and tied to a written milestone schedule. If the contract says "implementation services at vendor's standard rates," that means the vendor controls the final number. Ask for a fixed-fee implementation SOW (statement of work) with milestone-based payment — pay half at contract signing, half at confirmed production access.

6. Hidden fees in year two

What to check before signing. The year-one contract price is rarely the year-two operating cost. The fee categories that commonly appear after initial pricing are AI add-ons charged per provider or per encounter, document storage overages measured in megabytes per tier, electronic attachment fees for claims requiring documentation, card processing markups on patient payments, and eligibility inquiry caps that trigger overage charges. All of these can be meaningful individually; together they can add 20 to 40 percent to the original quoted cost.

Real-world failure mode. CollaborateMD's document storage is measured in megabytes per tier — 75 MB on the Starter plan, 250 MB on the Unlimited plan. Capterra reviews from billing company users specifically flag per-megabyte storage charges as a friction point: "Still charge per MB to store documents like we are back in the early 2000's." For a billing company that routinely attaches EOBs, appeal letters, authorization records, and clinical documentation to claims, the storage model is not a minor footnote. AdvancedMD lists AI clinical notes at $100 per provider per month or $0.99 per encounter — on a book of thirty providers where the clients opt into that add-on, that is $3,000 per month in costs that did not appear on the original pricing page. Card processing on AdvancedMD Pay runs 2.0% to 3.0% per transaction; at meaningful patient-payment volume, that markup is a real fee.

The contractual fix. Ask the vendor for a year-two cost model that includes all add-ons, storage, attachments, card processing, and eligibility charges at your expected volume. Get it in writing. If the contract says add-on pricing is subject to change, ask for a price-lock period and a notification requirement before new fees are introduced. For document storage specifically, confirm whether the limit is a hard cap with overage charges or a soft cap with a conversation.

7. Clearinghouse vendor identity

What to check before signing. The billing software is not the clearinghouse. Every platform routes your EDI traffic — 837 claim submissions, 835 ERA downloads, 270/271 eligibility inquiries, 276/277 claim status requests, 278 authorizations — through a clearinghouse, and that clearinghouse is the actual moving part for payer connectivity. Some vendors name their clearinghouse publicly; others do not. CollaborateMD markets a "built-in clearinghouse" but does not publicly name the underlying clearinghouse vendor. AdvancedMD routes through its own clearinghouse infrastructure with Waystar as a preferred partner added in 2025. Medi routes through Stedi, which is publicly documented.

Real-world failure mode. A billing company that does not know which clearinghouse their software uses also does not know what happens to payer connectivity when the Change Healthcare-scale disruption hits — and that disruption already happened in 2024. The clearinghouse relationship also determines payer enrollment: when you switch billing software, you typically re-enroll with every payer because the submitter ID changes with the clearinghouse. If the vendor's clearinghouse does not cover all the payers in your client mix, you find out at cutover, not at the demo. The Anthem and Elevance family of payers route exclusively through Availity as their EDI gateway; a clearinghouse that does not connect through Availity breaks every Anthem claim from day one.

The contractual fix. Ask for the clearinghouse vendor by name before signing, and confirm it covers every payer your clients bill. Specifically verify Anthem/Elevance (via Availity), all active BCBS plans (which vary by state), Medicare (CMS EDI agreement), and your top-three commercial payers. Confirm whether clearinghouse failover exists and what the outage response SLA is. If the vendor will not name their clearinghouse, that is an answer.

8. Audit log retention and PHI access logging detail

What to check before signing. HIPAA Security Rule §164.312(b) requires audit controls that record and examine activity in systems containing electronic protected health information. The rule does not specify a retention period, but HHS guidance and billing record retention standards point to six to seven years in most circumstances. The questions to ask: Does the audit log capture individual user actions at the record level — who accessed which patient record, at what time, from which IP address? How long are audit logs retained? Can the billing company access the audit log directly, or only through a support ticket? Are audit logs exportable for compliance audits?

Real-world failure mode. Many billing platforms capture audit data for operational purposes — what claims were edited, what payments were posted — but do not retain that data at HIPAA audit depth for seven years, and do not expose it to the billing company directly. A billing company that discovers a potential breach or a payer audit request three years after an event needs to produce PHI access logs showing who accessed the relevant records. If the vendor's retention window was ninety days or one year, that production is impossible regardless of what the BAA says. The audit log is the paper trail for every PHI access your team makes; it is also your defense in a breach investigation.

The contractual fix. Confirm in writing that audit logs are retained for a minimum of seven years, that the billing company can access them directly (not only through vendor support), and that they are exportable in a standard format. If the vendor logs at the session level rather than the record level — meaning the log shows that a user logged in but not which patient records they accessed — push back. Session-level logging does not meet the intent of §164.312(b) for a HIPAA audit.

9. BAA scope and subprocessor list before any PHI goes live

What to check before signing. A Business Associate Agreement is a legal contract required by HIPAA before any vendor processes, transmits, or stores protected health information on your behalf. The BAA needs to be in place before your first real patient record touches the system — not concurrent with go-live, not thirty days after the contract is signed. The BAA scope question: does it cover all of the vendor's products you will use, or only the core platform? If the vendor uses AI features, cloud storage, analytics tools, or third-party subprocessors in the workflow, those subprocessors need to be covered by BAAs of their own, and the vendor should be able to name them.

Real-world failure mode. CMS BAA guidance and HHS HIPAA documentation are clear that a business associate's obligation extends to subcontractors who receive PHI in the course of the engagement. A vendor that says "our BAA covers our platform" but cannot name the subprocessors who touch PHI in the AI pipeline, the document storage layer, or the clearinghouse routing is leaving your HIPAA exposure open. The billing company that discovers after go-live that the AI note-extraction tool or the document storage provider was not under a BAA has a potential breach incident on its hands, not a vendor oversight.

The contractual fix. Ask for the signed BAA before any PHI touches the system — not at signing, at go-live. Ask for a subprocessor list as an exhibit to the BAA or as a separately maintained document the vendor will update and notify you of changes to. The subprocessor list should include the clearinghouse vendor, cloud infrastructure provider, and any AI or analytics tools that touch PHI. For reference, HHS HIPAA guidance on business associates describes the scope of BAA coverage. The CMS BAA guidance describes the transmission context.

10. The dispute and arbitration clause

What to check before signing. The dispute and arbitration clause determines what happens when you and the vendor disagree about billing, data rights, a system outage that caused revenue loss, or a breach. The four things to verify: Is arbitration mandatory and binding, removing your right to sue? Is the venue specified, and is it in the vendor's home state? Is there a class-action waiver, meaning you cannot join a group of affected customers in a collective proceeding? What is the notice and cure period — how long does the vendor have to fix a problem before you can exit the contract?

Real-world failure mode. BBB filings and review platforms surface a recurring pattern in medical billing software disputes: billing companies complain about billing errors, data export problems, or system failures; the vendor points to the contract's arbitration clause; the billing company discovers that mandatory binding arbitration in a state where they have no presence, with a class-action waiver, makes a collective action economically impractical for the size of their individual claim. The contracts are typically valid. The billing companies did not read the arbitration section before signing.

The contractual fix. Look for a clause that allows either party to terminate for cause after a notice and cure period — thirty days is standard — without triggering the arbitration requirement. If arbitration is mandatory, push for the venue to be the billing company's home state, or agree to virtual arbitration under AAA or JAMS rules. If there is a class-action waiver, understand what it means in practice: any dispute you have is yours alone, regardless of how many other customers share it. Whether you accept those terms is a business judgment, but it should be an informed one.

What a clean billing-software contract looks like

A clean contract for medical billing software is one where the vendor's interests and the customer's interests align on the exit. The vendor wants customers who succeed; the customer wants a platform they can leave if it stops working. Those interests only conflict when the contract is designed to lock in revenue regardless of value delivered.

The clean version: month-to-month or annual with a thirty-day exit, data export rights with no fee and no deletion window for a minimum of ninety days post-termination, a named clearinghouse, a BAA signed before go-live, audit logs retained for seven years and accessible to the billing company directly, and a dispute clause that allows termination for cause before arbitration kicks in. None of these terms are unusual. The vendors who resist them are telling you something about how they expect the relationship to go.

Implementation fees are reasonable. Per-provider pricing is a structural choice, not a red flag. AI add-ons have value. The problem is not the individual terms — it is when those terms combine with a non-cancelable annual commitment, opaque data export rights, and a dispute path that makes correction impractical. Review the contract section by section, not as a package, before signing.

How Medi handles these ten items

1. Termination. No annual contract required. Medi operates on a subscription model that does not require a minimum term commitment. There is no non-cancelable clause and no early termination fee.

2. Data export. Your data is yours. Export rights are not fee-gated or time-limited to a post-termination window. Contact the Medi team at any point for a data export; there is no per-export charge.

3. Legacy A/R closeout. Medi's migration tooling is built around the forward-only cutover model. For billing companies leaving any platform — Tebra, AdvancedMD, CollaborateMD, or others — the recommended pattern is sixty to ninety days of legacy A/R closeout in the outgoing system in parallel with Medi forward-only. The Tebra migration guide documents this pattern in detail.

4. Per-provider scaling. The platform fee is $300 per month for the billing company, regardless of provider count. Adding providers does not change the platform fee. EDI usage — claim lines, ERA lines, eligibility inquiries, claim status inquiries — scales with volume, and pricing is published at /pricing. The cost of growth is transparent and does not compound.

5. Implementation fees. There is no per-provider implementation fee. Medi requires an implementation review before production access for PHI workflows — this is a compliance requirement, not a professional-services engagement. It does not carry a separate charge.

6. Year-two fees. Medi does not have AI add-on modules, document storage caps, or card processing markups — Medi does not process patient card payments and you bring your own processor with its own BAA. EDI overage pricing follows the published rate schedule. No hidden fee categories appear after year one.

7. Clearinghouse. Stedi is the clearinghouse for all EDI traffic — 837 claim submission, 835 ERA download, 270/271 eligibility, 276/277 claim status, 278 authorization, and 277CA acknowledgment. Stedi is publicly documented; their payer network and enrollment requirements are not a black box. If you have payer-specific enrollment questions before signing, the Medi team can review your payer mix against Stedi's network before you commit.

8. Audit log retention. Audit logs are retained for seven years, aligned with HIPAA Security Rule §164.312(b). Logs capture individual user actions at the record level — not session-level. The billing company can access audit logs directly without a support ticket.

9. BAA timing. The BAA is signed before any PHI workflow goes live. This is a firm sequencing requirement, not a formality that happens at some point during onboarding. Subprocessors who touch PHI in Medi's infrastructure are documented; request the subprocessor list during your evaluation.

10. Disputes. Medi's agreement allows termination by either party with thirty days written notice. There is no class-action waiver that removes your ability to participate in a group proceeding. Dispute resolution follows standard commercial arbitration under AAA rules, with no mandatory vendor-home-state venue requirement.

For a full view of Medi's security posture and BAA terms, see /security. For pricing in detail, see /pricing. For a live walkthrough of these ten items against a real scenario, see /demo.

Frequently asked questions

Do billing software contracts typically allow month-to-month cancellation?

Many do not. Annual subscriptions are the standard for AdvancedMD, and multi-year discounts are common at CollaborateMD and PracticeSuite. Tebra's per-provider pricing has historically required annual commitments at most tiers. Month-to-month flexibility is possible to negotiate, usually at a premium — vendors charge more per month when they cannot count on annual revenue. The question is whether the premium for month-to-month is less than the cost of being locked in for a year with a system that is not working. For most billing companies with more than five providers, the math favors negotiating a clean annual contract with an explicit exit clause rather than paying month-to-month rates.

What happens to my data if I cancel and do not export it in time?

It depends on the contract. CollaborateMD's customer software agreement specifies a deletion window after termination — data that is not exported within that window is subject to deletion. AdvancedMD's data export service is available post-termination at a quoted fee, but the access period is not indefinitely open. The standard risk mitigation is to run a full data export before sending the termination notice, not after. Waiting until termination is confirmed to start the export introduces a window where something can go wrong — the export fails, the vendor delays, the deletion clock is shorter than expected. Export first, then terminate.

Is the BAA the same thing as a HIPAA compliance certification?

No. A BAA is a contractual agreement that the vendor will handle PHI in accordance with HIPAA requirements. It is a legal obligation, not a certification. A HIPAA compliance certification — like HITRUST CSF certification or a SOC 2 Type II report with HIPAA criteria — is a third-party audit that verifies the vendor's controls, not just their contractual commitment. Both matter, but they answer different questions. The BAA says the vendor has agreed to be responsible; the certification provides evidence that the underlying controls exist. For a billing company operating under HIPAA, ask for both. See HHS guidance on business associates for the legal framing.

How do I verify which clearinghouse a vendor actually uses?

Ask directly, by name, and get confirmation in writing. Some vendors describe their clearinghouse capability in functional terms ("real-time claim scrubbing," "built-in clearinghouse") without naming the third party whose infrastructure powers it. The contractual and operational reason this matters: if you sign a new contract, start payer enrollment work, and then discover the clearinghouse does not support a payer that covers thirty percent of your claims volume, you cannot submit those claims until you resolve the gap. Confirm the clearinghouse name, confirm your top-ten payers are on their network, and confirm the enrollment timeline for those payers before your go-live date is set.

What does a mandatory arbitration clause actually mean in practice?

Mandatory binding arbitration means that disputes between you and the vendor are resolved by a private arbitrator rather than a court. You give up the right to a jury trial and, if the contract includes a class-action waiver, the ability to join other affected customers in a collective action. Arbitration is often faster and cheaper than litigation for small disputes. For larger disputes — a system failure that caused significant A/R loss, a data export fee dispute, a wrongful early-termination charge — arbitration can be more favorable to the vendor because the process is private, the arbitrator is often chosen from a pool familiar to commercial disputes, and outcomes are binding with very limited appeal rights. If your contract has mandatory arbitration with a class-action waiver, know that going in. The American Arbitration Association and JAMS are the two common arbitration bodies named in commercial contracts; their rules and cost structures differ.

Should I have an attorney review a billing software contract before signing?

Yes, particularly for annual or multi-year commitments above $10,000 per year, contracts with non-cancelable fee provisions, and any agreement that includes a broad arbitration clause or class-action waiver. A healthcare attorney familiar with HIPAA business associate obligations can also verify that the BAA language meets current HHS requirements and that subprocessor obligations are correctly structured. The cost of a contract review is small relative to the cost of the wrong clause on exit.

How current is this guide?

Last reviewed 2026-05-18. Contract terms for AdvancedMD, CollaborateMD, Tebra, PracticeSuite, Office Ally, and other vendors change. This guide draws on published Terms of Service, publicly available customer software agreements, BBB complaint data, and documented industry migration playbooks. Specific contract terms cited are grounded in vendor-published documentation at the time of review. Always obtain and read the current version of any vendor contract before signing. See the billing company software evaluation guide for the pre-contract evaluation criteria that determine whether a vendor makes the shortlist at all. For the Tebra migration specifically, see migrating from Tebra. For head-to-head pricing context, see Medi vs AdvancedMD and Medi vs CollaborateMD.