What are the HIPAA Rules for Medical Billing?

Last updated Sep 6, 2023 | Published on Sep 5, 2023 | Specialty Billing


HIPAA (Health Insurance Portability and Accountability Act) is a set of regulations in the United States that govern the privacy and security of protected health information (PHI). While HIPAA primarily applies to healthcare providers, health plans, and other covered entities, the organizations that handle PHI on their behalf also need to comply with certain HIPAA rules. Medical billing outsourcing companies are considered business associates under HIPAA when they handle PHI on behalf of covered entities, which makes HIPAA compliance mandatory for them.

HIPAA Rules relevant to Medical Billing

The PHI that a medical billing company can access depends on the specific role and responsibilities assigned to the company and on the agreements in place with the covered entity (such as a healthcare provider) it is working for. The company can access the patient information needed for billing, such as:

  • Patient demographics: Name, address, contact information, date of birth, and insurance information.
  • Medical codes: Diagnosis codes (ICD-10 codes) and procedure codes (CPT codes) used for billing purposes.
  • Treatment information: Relevant medical records and documentation supporting the services provided.
  • Insurance claims information: Details of insurance coverage, claims submitted, and payment information.

One of the most immediately noticeable effects of HIPAA is the establishment of standardized medical codes utilized by coders and billers. HIPAA formalized the utilization of ICD codes for diagnoses and CPT and HCPCS codes for procedural reporting. These codes are integral to daily billing routines as they are employed in generating claims.

Here are 9 HIPAA rules relevant to medical billing:

  1. Electronic medical transactions: HIPAA oversees and regulates electronic medical transactions. Title II of HIPAA mandates that all entities covered by its provisions, including providers and billers, must electronically submit claims using the sanctioned format, ASC X12 005010, commonly referred to as “HIPAA 5010”. Just as medical coders must use the correct code set to depict a procedure or diagnosis accurately, medical billers must use the appropriate type of Electronic Data Interchange (EDI) transaction to carry out specific billing tasks.
  2. Privacy Rule: The HIPAA Privacy Rule outlines how PHI must be protected and limits its use and disclosure without patient authorization. A medical billing company should only access and use PHI as necessary for billing and payment purposes and must ensure that proper safeguards are in place to prevent unauthorized access.
  3. Security Rule: The HIPAA Security Rule mandates the implementation of administrative, physical, and technical safeguards to protect electronic PHI (ePHI):
    • Physical safeguards: Protect the physical security of the office spaces where PHI or ePHI is stored or maintained. This includes security measures such as alarm and access control systems, and restricting access to areas housing PHI or ePHI.
    • Technical safeguards: Protect the cybersecurity of your enterprise. Technical measures must be implemented to protect the ePHI under your organization’s care; examples include firewalls, encryption protocols, and systematic data backup processes.
    • Administrative safeguards: Ensure your staff is properly trained to carry out the security protocols you have established. Administrative safeguards should include comprehensive policies and procedures documenting your security measures, and employee training on those policies and procedures is essential to ensure they are carried out correctly.

    Medical billing companies should implement security measures such as encryption, access controls, and regular risk assessments to ensure the confidentiality, integrity, and availability of ePHI. Encrypting data at rest means securing data stored in databases, files, and storage devices with encryption algorithms so that stored PHI remains unreadable to anyone who is not authorized to hold the keys. Measures include:
    • Secure protocols such as HTTPS (SSL/TLS) when transmitting ePHI over networks.
    • Full Disk Encryption (FDE) to encrypt entire storage devices, such as hard drives or solid-state drives.
    • End-to-end encryption for any sensitive data shared, so that only the intended recipients can access and decipher the information.
    • Secure management of encryption keys.
    • Secure cloud storage.
    • Regular security audits and assessments.

  4. Business Associate Agreement (BAA): Covered entities must enter into a BAA with the billing company to establish HIPAA-compliant terms. A BAA is a legal contract that outlines the responsibilities and requirements for protecting PHI and complying with HIPAA regulations.
  5. Minimum Necessary Rule: Medical billers should only access and disclose the minimum amount of PHI necessary to perform billing tasks. Unnecessary access to patient information should be avoided to limit potential privacy risks.
  6. Patient Rights: Patients have rights under HIPAA, including the right to access their medical records and request corrections. Companies handling billing should ensure that patient rights are respected and that any requests for access or amendments are handled appropriately. They must obtain appropriate consent or authorization from patients before using or disclosing their PHI for billing purposes. Patients should be provided with clear and understandable information about how their PHI will be used and shared during the billing process.
  7. Breach Notification Rule: In the event of a breach of unsecured PHI, billing entities are required to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media. The Breach Notification Rule specifies the timeline and content of the breach notification, ensuring that individuals are made aware of any unauthorized access to or disclosure of their PHI.
  8. Training and Policies: Employees must be trained on HIPAA regulations, security practices, and privacy requirements. Having comprehensive policies and procedures in place helps ensure consistent adherence to HIPAA rules.
  9. Penalties: Non-compliance with HIPAA rules can result in significant penalties, ranging from monetary fines to legal action. It is essential for companies providing medical billing services to understand their obligations and responsibilities under HIPAA to avoid potential legal consequences.

HIPAA’s influence extends across almost every dimension of the medical billing process, ranging from the storage and accessibility of records to the utilization of codes in claim generation. Medical billing outsourcing companies manage sensitive patient data. By collaborating with a trustworthy company, healthcare providers can uphold adherence to HIPAA regulations. This is essential not just for legal and regulatory adherence but also for fostering patient confidence and safeguarding data integrity.

  • Natalie Tornese, CPC: Director of Revenue Cycle Management

    Natalie joined MOS’ Revenue Cycle Management Division in October 2011. She brings twenty-five years of hands-on management experience to the company.

  • Meghann Drella, CPC: Senior Solutions Manager: Practice and RCM

    Meghann joined MOS’ Revenue Cycle Management Division in February of 2013. She is CPC certified with the American Academy of Professional Coders (AAPC).

  • Amber Darst: Solutions Manager: Practice and RCM

    Hired for her dental expertise, Amber brings a wealth of knowledge and understanding of dental revenue cycle management (RCM) services to MOS.

  • Loralee Kapp: Solutions Manager: Practice and RCM

    Loralee joined MOS’ Revenue Cycle Management Division in October 2021. She has over five years of experience in medical coding and Health Information Management practices.