HIPAA Compliance and Medical Billing
The phrase HIPAA compliance and medical billing relates to Part 162 transactions such as eligibility checks, authorization requests, claims, and remittances, and there are different HIPAA compliance requirements depending on whether billing is performed inhouse or outsourced.
Medical billing is often described as the process of submitting a claim to a health plan in order to obtain payment for healthcare services provided to a health plan member. However, it can be far more than that, with many stages before, during, and after a claim has been submitted involving the transmission of electronic Protected Health Information (ePHI).
Indeed, medical “billing” often begins with the registration of a patient at a healthcare facility. The patient provides their demographic and insurance information, and this information is checked by the billing office with the health plan to ensure the patient is eligible for benefits. The eligibility process can also include establishing copays, coinsurance, and deductibles.
Thereafter, it may be necessary to generate encounter forms, record payments made by the patient, and code medical information into billable information before a claim is submitted. When a claim is submitted, it needs to be tracked, corrected if necessary, and reviewed if denied. Rather than being a single transaction, medical billing can involve multiple transactions over many months.
HIPAA Compliance and Medical Billing
During the many stages of medical billing, it is necessary to comply with the requirements of HIPAA in respect of the privacy of individually identifiable health information and the confidentiality, integrity, and availability of ePHI. In many cases, this means complying with the Privacy Rule for oral and written communications as well as with the Security Rule for electronic transactions.
HIPAA Business Associate Training for Medical Billing Staff
Our training includes specific lessons covering the unique HIPAA challenges faced by staff at Business Associates.
The Gold Standard in HIPAA Training by The HIPAA Journal Team
Lessons Cover Emerging Issues Like AI Tools | CEUs & Certificate | Completion Tracking | HIPAA Training for Individuals
With regards to Privacy Rule HIPAA compliance and medical billing, at different stages of the billing process various parties will need to be familiar with the General Principles of Uses and Disclosures for PHI, the Minimum Necessary Standard, and the rights of individuals to access – or request a copy of – any information maintained about them and to request corrections when errors exist.
With regards to Security Rule HIPAA compliance and medical billing, all parties involved in the billing process need to comply with the Administrative, Physical, and Technical Safeguards of the Security Rule. Most will also have to comply with the General Requirements of the Security Rule relating to Business Associate Agreements, HIPAA-compliant policies, and document retention periods.
Finally, all parties need to develop policies and procedures to comply with the requirements of the Breach Notification Rule – notwithstanding that some state privacy laws have shorter notification requirements than HIPAA. When state laws preempt HIPAA, the application of policies to process medical billing operations in compliance with HIPAA could be influenced by local privacy laws.

Inhouse Medical Billing and HIPAA Compliance
Many larger healthcare organizations operate inhouse medical billing teams. The teams are directly under the control of the healthcare organization (the covered entity) and are members of the covered entity's workforce under HIPAA rather than a separate entity. In such circumstances, there are no requirements relating to business associates and Business Associate Agreements.
Inhouse medical billing enables team members to communicate directly with physicians to clarify diagnoses and treatments, thus accelerating the medical billing process. However, even though billing/physician communications take place inhouse, it is still necessary to comply with the Minimum Necessary Standard and implement a secure communication system.
Outsourced Medical Billing and HIPAA Compliance
Smaller healthcare organizations and physicians' offices tend to outsource the medical billing process (beyond the patient registration stage) to a third party to avoid the cost of employing an inhouse team. In many cases, the outsourced third party will generate a claim on a covered entity's behalf, ensure it complies with payer policies, and submit, correct, and review it as necessary.
Although all outsourced medical billing services are considered business associates under HIPAA, it can sometimes be the case that a covered entity provides a medical billing service on behalf of another covered entity (e.g., when a health care clearinghouse provides a service on behalf of a physician). In such cases, the covered entity providing the service is still considered to be a business associate, and a Business Associate Agreement needs to be in place before PHI is disclosed.
Other Medical Billing Compliance Issues
While most medical billing transactions take place between healthcare organizations and payers, there are millions each year that take place between healthcare organizations and individuals receiving treatment. However, in 2021, the Census Bureau's Survey of Income and Program Participation reported that more than 20 million individuals owed healthcare organizations a total of $220 billion in medical debt. More than 3 million of those each had medical debts in excess of $10,000.
To reduce the scale of the medical debt problem, Congress allocated funds in the American Rescue Plan Act to states, counties, and cities with populations experiencing significant levels of debt. As a result, a range of measures have been introduced at local level that can impact medical billing (e.g., medical bills capped at multipliers of the Federal Poverty Level). Compliance with these measures is just as important as HIPAA compliance for medical billing.
Healthcare organizations requiring further advice about HIPAA compliance and medical billing, or the changes to regulations that are happening at state and local level, are advised to seek independent compliance advice.
HIPAA Training for Medical Billing Employees
Why Medical Billing Teams Need Business Associate Focused HIPAA Training
HIPAA training for medical billing employees should be designed for the realities of billing work and, in many cases, for Business Associate responsibilities. Medical billing is frequently performed by third-party billing companies, revenue cycle vendors, clearinghouses, and outsourced teams that create, receive, maintain, or transmit PHI on behalf of covered entities. In this context, training must do more than explain HIPAA at a high level. It needs to reinforce what it means to operate under a Business Associate Agreement, how permitted uses and disclosures are constrained by contract and purpose, and how to prevent over-sharing when handling claims, denials, coding queries, and account follow-up.
Core Curriculum for Medical Billing in Business Associate Environments
A comprehensive program should cover the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule through a billing lens. Privacy topics should include what constitutes PHI in billing records, applying the minimum necessary standard to claims and supporting documentation, verifying identities before discussing accounts, and handling routine requests from patients, providers, payers, and vendors without disclosing more than is required. It should also clarify when and how information can be shared for payment activities, how disclosures should be documented according to organizational procedure, and how to recognize requests that fall outside permitted billing purposes.
Safeguarding ePHI in High-Volume Billing Operations
Billing operations rely heavily on electronic systems, spreadsheets, file transfers, and frequent communications, which makes security awareness essential. Training should reinforce secure credential practices, role-appropriate access, workstation and session controls, and safe handling of downloaded files, printed statements, and scanned documents. It should address phishing and social engineering attempts that target billing staff, as well as the risks created by unapproved tools for sharing or processing information, including consumer file-sharing apps and AI tools used for drafting messages or summarizing account notes. Practical guidance should focus on preventing misdirected emails, incorrect attachments, exposed shared folders, and accidental disclosures during phone calls or voicemail messages.
Incident Reporting and Breach Response Expectations for Business Associates
Business Associate focused training should place strong emphasis on early identification and escalation of potential incidents. Billing teams are often among the first to notice anomalies such as suspicious account access, unexpected exports, misrouted EDI files, or requests that indicate compromised credentials. Training should clarify what counts as a potential privacy or security incident, what immediate containment steps are expected, and how to report issues promptly through internal channels so the organization can meet contractual and regulatory breach response obligations.
Choosing Training That Supports Business Associate Compliance and Audit Readiness
Medical billing teams benefit from training that is competency-based rather than passive. Programs that rely on minimal-effort completion often fail to build judgment in the situations where billing errors and disclosures occur. Strong training includes knowledge checks and realistic billing scenarios and provides defensible documentation of completion, including dates and assessment outcomes. Since Business Associates are often asked to demonstrate compliance to covered entity clients, training should also support practical oversight through completion tracking and reporting that makes it easy to prove training was assigned, completed, and maintained over time.