HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance and Medical Billing

The requirements for HIPAA compliance in medical billing depend on whether billing is performed inhouse by a Covered Entity or outsourced by a Covered Entity to a third party.

Medical billing is often described as the process of submitting a claim to a health plan in order to obtain payment for healthcare services provided to a health plan member. However, it can be far more than that, with many stages before, during, and after a claim has been submitted involving the transmission of electronic Protected Health Information (ePHI).

Indeed, medical “billing” often begins with the registration of a patient at a healthcare facility. The patient provides their demographic and insurance information, and this information is checked by the billing office with the health plan to ensure the patient is eligible for benefits. The eligibility process can also include establishing copays, coinsurance, and deductibles.

Thereafter, it may be necessary to generate encounter forms, record payments made by the patient, and code medical information into billable information before a claim is submitted. When a claim is submitted, it needs to be tracked, corrected if necessary, and reviewed if denied. Therefore, rather than being a single transaction, medical billing can involve multiple transactions over many months.

HIPAA Compliance and Medical Billing

During the many stages of medical billing, it is necessary to comply with the requirements of HIPAA in respect of the privacy of individually identifiable health information and the confidentiality, integrity, and availability of ePHI. In many cases, this means complying with the Privacy Rule for oral and written communications as well as with the Security Rule for electronic transactions.

With regards to Privacy Rule HIPAA compliance and medical billing, at various stages of the billing process, the parties involved will need to be familiar with the General Principles of Uses and Disclosures for PHI, the Minimum Necessary Standard, and the rights of individuals to access – or request a copy of – the PHI maintained about them in a designated record set and to request amendments when errors exist.

With regards to Security Rule HIPAA compliance and medical billing, all parties involved in the billing process need to comply with the Administrative, Physical, and Technical Safeguards of the Security Rule. Most will also have to comply with the General Requirements of the Security Rule relating to Business Associate Agreements, HIPAA-compliant policies, and document retention periods.

Finally, all parties need to develop policies and procedures to comply with the requirements of the Breach Notification Rule, bearing in mind that some state breach notification laws impose shorter deadlines than HIPAA's outer limit of 60 days from discovery. Consequently, the policies used to process medical billing operations in compliance with HIPAA may also need to be adapted to the privacy and breach laws of the states in which the parties operate.

Inhouse Medical Billing and HIPAA Compliance

Many larger healthcare organizations operate inhouse medical billing teams. The teams are directly under the control of the healthcare organization (the Covered Entity) and are therefore members of the Covered Entity's workforce under HIPAA rather than a separate entity. Consequently, no Business Associate Agreement is required for the billing team, although the workforce requirements of the Privacy and Security Rules (training, role-based access, and sanctions for violations) still apply to its members.

Inhouse medical billing enables team members to communicate directly with physicians to clarify diagnoses and treatments, thus accelerating the medical billing process. However, even though billing/physician communications take place inhouse, it is still necessary to comply with the Minimum Necessary Standard and implement a secure communication system.

Outsourced Medical Billing and HIPAA Compliance

Smaller healthcare organizations and physicians' offices tend to outsource the medical billing process (beyond the patient registration stage) to a third party to avoid the cost of employing an inhouse team. In many cases, the outsourced third party will generate a claim on a Covered Entity's behalf, ensure it complies with payer policies, and submit, correct, and review it as necessary.

All outsourced medical billing services are considered Business Associates under HIPAA. This includes cases where one Covered Entity provides a medical billing service on behalf of another Covered Entity (e.g., when a health care clearinghouse submits claims on behalf of a physician practice). In such cases, the Covered Entity providing the service is a Business Associate with respect to that function, and a Business Associate Agreement needs to be in place before PHI is disclosed to it.