Tuesday, April 2, 2024

HIPAA and Medical Billing

Congress passed the HIPAA law in 1996 to safeguard workers and their families’ health insurance in the event of job loss. HIPAA also creates several rules for the electronic transfer of healthcare data and safeguards the privacy of children between the ages of 11 and 18. 

The Health Insurance Portability and Accountability Act (HIPAA) mandates the development of national standards to protect against the disclosure of sensitive patient health details without the patient’s knowledge or consent. 

The United States Department of Health and Human Services (HHS) established the HIPAA Privacy Rule to put HIPAA’s obligations into practice. A portion of the data covered by the Privacy Rule is protected under the HIPAA Security Rule.

HIPAA Privacy Rule

The Privacy Rule’s principles cover how organizations covered by the rule should use and disclose peoples’ protected health information (also known as PHI). The term “covered entities” refers to these people and businesses.

The Privacy Rule also establishes guidelines for people’s rights to know how their health information is used and to exercise that control. A primary objective of the Privacy Rule is to ensure that people’s health information is appropriately safeguarded while permitting the flow of health information required to deliver and promote high-quality healthcare, as well as to ensure the health and well-being of the general public. The Privacy Rule authorizes significant information uses while safeguarding the privacy of those seeking medical treatment and recovery.

Included Entities

The Privacy Rule applies to the following categories of people and businesses, which are known as covered entities:

Healthcare providers: Any healthcare provider, regardless of practice size, who electronically transmits patient data in connection with certain transactions. Among these transactions are:

  • Claims
  • Inquiries about benefit eligibility
  • Requests for referral authorization
  • Other transactions for which HHS has established standards under the HIPAA Transactions Rule

Health plans: Health plans consist of:

  • Health, dental, vision, and prescription drug insurers
  • Health maintenance organizations (HMOs)
  • Medicare, Medicaid, Medicare+Choice, and Medicare Supplement insurers
  • Long-term care insurers (excluding nursing home fixed-indemnity policies)
  • Employer-sponsored group health plans
  • Government- and church-sponsored health plans
  • Multi-employer health plans

Exception: An employer that alone establishes and maintains its group health plan is not a covered entity if the plan has fewer than 50 participants.

Healthcare clearinghouses: Organizations that convert nonstandard data or format received from another organization into a standard form, or vice versa, are healthcare clearinghouses. Healthcare clearinghouses will often only get individually identifiable health information when acting as a business associate for a health plan or healthcare provider and offering these processing services.

Business associates: An individual or organization that uses or discloses individually identifiable health information on behalf of a covered entity, but is not a member of that entity’s workforce, is referred to as a business associate. These functions, duties, or services include:

  • Claims processing
  • Data analysis
  • Utilization review
  • Billing

The HIPAA Security Rule 

The HIPAA Security Rule requires doctors and other covered entities to use suitable administrative, physical, and technical safeguards to maintain the confidentiality, integrity, and security of patients’ electronically stored protected health information.

Who the Security Rule Protects

The “covered entities” (health plans, clearinghouses, and healthcare providers) and their business associates who transmit health information electronically in connection with a transaction for which the Secretary of HHS has adopted HIPAA standards are subject to the Security Rule.

All individually identifiable health information that a covered entity creates, receives, maintains, or transmits electronically is protected by the Security Rule as a subset of the information covered by the Privacy Rule. The Security Rule calls this data “electronic protected health information” (ePHI). The Security Rule does not cover PHI transmitted orally or on paper.

Medical billing and HIPAA

Whether you realize it or not, you are already familiar with many of HIPAA’s regulations. The uniformity of the medical codes used by coders and billers is one of HIPAA’s most immediately noticeable effects.

ICD codes for diagnoses and CPT and HCPCS codes for procedure reporting were made official by HIPAA. To create claims for medical billing, we employ these codes daily.

Electronic medical transactions are established and managed by HIPAA. All providers and billers covered by Title II of HIPAA must submit claims electronically in the approved manner. The name of this format is ASC X12 005010. This form may also be referred to by its abbreviation, “HIPAA 5010.”

It’s critical to remember that HIPAA 5010 focuses more on the transfer of information than the style of a claim. HIPAA 5010 transactions can be compared to standardized automobiles. Although they must all have the same appearance, each vehicle may transport passengers in various configurations (in this case, medical information).

Each type of transaction has its own code set number within ASC X12 005010. Let’s take a closer look at these code set numbers and the kinds of transactions they relate to. You’ll notice an “X12” before each code set number; this tells you that ASC X12 oversees and maintains the code set.

Each transaction adopts a specific Electronic Data Interchange (EDI) format, and each of these transaction formats has its own set of guidelines and layout. For simplicity, we have concentrated on the health care claim.

X12 837: the health care claim

The health care claim is the most fundamental and typical electronic medical transaction. Billers submit claims to obtain payment on the providers’ behalf. Claims contain codes for the treatment and diagnosis and details about the patient, the provider, and the patient’s health insurance plan.

Medical billers must use the proper EDI transaction type to carry out a specific billing operation, just as medical coders must use the appropriate code set to describe a treatment or diagnosis.
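To show what “the approved format” means in practice, here is an added example (not code from the original post) that reads the ASC X12 envelope of an 837 claim file and reports what a biller would verify before submission: that the interchange is version 5010, whether it is a test or production file, and that each transaction set’s segment count matches its SE trailer. The sample interchange, including the sender, receiver, and control numbers, is constructed for illustration.

```python
# Added example, not from the original post. Minimal ASC X12 envelope reader
# for a HIPAA 5010 837 claim. Delimiters are taken from the fixed-width ISA
# header as X12 requires (element separator at index 3, terminator at 105).
# SAMPLE_837 is constructed; sender, receiver and control numbers are made up.

SAMPLE_837 = (
    "ISA*00*          *00*          *ZZ*SENDERID       *ZZ*RECEIVERID     "
    "*240402*1200*^*00501*000000001*0*T*:~"
    "GS*HC*SENDERID*RECEIVERID*20240402*1200*1*X*005010X222A1~"
    "ST*837*0001*005010X222A1~"
    "BHT*0019*00*CLAIM1*20240402*1200*CH~"
    "SE*3*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def split_segments(raw: str) -> list:
    """Split an interchange into element lists using the ISA-declared
    delimiters: element separator at index 3, segment terminator at 105."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange: ISA header must be 106 chars")
    elem_sep, seg_term = raw[3], raw[105]
    segs = [s.strip("\r\n") for s in raw.split(seg_term)]
    return [s.split(elem_sep) for s in segs if s]


def describe_interchange(raw: str) -> dict:
    """Summarise the envelope and flag any transaction set that is not 5010
    or whose SE01 segment count does not match the segments actually sent."""
    segs = split_segments(raw)
    isa = segs[0]
    info = {"isa_version": isa[12], "usage": isa[15],  # ISA15: T=test, P=production
            "transactions": [], "errors": []}
    gs_version, st_at = None, None
    for i, seg in enumerate(segs):
        if seg[0] == "GS":
            gs_version = seg[8]          # GS08: implementation version, e.g. 005010X222A1
        elif seg[0] == "ST":
            st_at = i
            info["transactions"].append(
                {"type": seg[1], "control": seg[2], "version": gs_version})
        elif seg[0] == "SE" and st_at is not None:
            sent = i - st_at + 1         # SE01 counts ST through SE inclusive
            if seg[1] != str(sent):
                info["errors"].append(f"SE01 {seg[1]} != {sent} segments sent")
    for tx in info["transactions"]:
        if not (tx["version"] or "").startswith("005010"):
            info["errors"].append(f"{tx['type']} is not HIPAA 5010: {tx['version']}")
    return info
```

A file that still carries an older 4010 version identifier, or whose SE trailer count disagrees with the segments sent, shows up in the returned `errors` list rather than being silently accepted.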

The relationship between HIPAA and other healthcare regulations, such as the Affordable Care Act (ACA)

The Affordable Care Act of 2010 (ACA) builds upon the Administrative Simplification provisions of HIPAA (1996). The Patient Protection and Affordable Care Act (PPACA) mandated that HHS create operating rules for HIPAA’s basic transactions to standardize information content and transmission formats and minimize the need for plan-specific companion guides.

As you can see, practically every part of the medical billing process is affected by HIPAA, from how records are kept and accessed to the codes applied when generating claims. You’ll learn more about HIPAA and how it affects medical billing as you continue your formal study.

I am a medical biller, a blogger and have 20 years of experience in medical billing, medical billing management, and medical assistant. My background includes positions as a clinical medical assistant, medical records technician, medical office manager, biller, and coder. I am certified by the American Academy of Professional Coders (AAPC) as a Certified Professional Coder (CPC) and by the Practice Management Institute (PMI) as a Certified Medical Office Manager (CMOM). As an office manager/biller/coder, I was a member of the Michigan Medical Group Managers, Michigan Medical Billers Association. I also served as a committee member of the Michigan Osteopathic Association of Practice Managers Education Committee.
