A billing clerk receives a phone call. Someone claims to be a patient’s daughter asking about her mother’s recent hospital bill. The clerk pulls up the account and starts discussing the charges. The caller asks what the patient was treated for. The clerk explains the diagnoses and procedures. The caller thanks her and hangs up. Three days later, the police arrive. The caller was not the patient’s daughter. She was a private investigator hired by an insurance company looking for reasons to deny disability benefits. The clerk just violated HIPAA. The practice faces a $50,000 fine. The clerk loses her job.
This happened. This happens regularly. HIPAA violations in medical billing destroy careers, bankrupt practices, and expose patient information to people who should never see it. The violations often stem from staff not understanding what information they can share, who they can share it with, and when patient authorization is required. A well-meaning employee trying to be helpful creates a massive compliance problem.
HIPAA is the Health Insurance Portability and Accountability Act. This federal law protects patient health information privacy. HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates. Everyone involved in medical billing must comply with HIPAA rules. Violations carry civil penalties up to $50,000 per violation and criminal penalties including prison time.
Medical billing involves handling enormous amounts of protected health information. Claims include patient names, dates of birth, Social Security numbers, diagnoses, procedures, and medical histories. This information flows between providers, clearinghouses, insurance companies, and patients. At every point in this flow, HIPAA rules apply. Understanding what HIPAA requires, what information is protected, who can access it, how to secure it, and what to do when breaches occur is required for everyone in medical billing.
This guide explains what HIPAA is, what information it protects, who must comply, what the Privacy Rule and Security Rule require, how HIPAA applies specifically to medical billing, how to prevent violations, what happens when violations occur, and how to implement effective HIPAA compliance programs.
What HIPAA Is
HIPAA is federal legislation passed in 1996 with multiple purposes including insurance portability, fraud prevention, and administrative simplification. The law is best known for its privacy and security requirements protecting patient health information.
HIPAA created national standards for protecting patient health information. Before HIPAA, health information privacy rules varied by state. Some states had strong protections. Other states had minimal protections. Patients had inconsistent privacy rights depending on where they lived. HIPAA established a federal floor of protections applying everywhere.
The law applies to covered entities including healthcare providers who transmit health information electronically, health plans that pay for healthcare, and healthcare clearinghouses that process health information. Most medical practices are covered entities because they submit electronic claims to insurance companies.
HIPAA also applies to business associates. Business associates are entities that perform services for covered entities involving protected health information. Billing companies, collection agencies, practice management software vendors, and other service providers are business associates. They must comply with HIPAA and have written agreements with covered entities.
The Privacy Rule
The HIPAA Privacy Rule establishes standards for protecting patient health information. This rule took effect in 2003 and has been modified several times since. The Privacy Rule controls how protected health information can be used and disclosed.
The Privacy Rule gives patients rights over their health information including the right to access their own records, the right to request amendments to records, the right to receive an accounting of disclosures, and the right to request restrictions on uses and disclosures.
The rule requires covered entities to provide patients with a Notice of Privacy Practices explaining how their information will be used. This notice must be given at the first service encounter. Patients must acknowledge receiving the notice.
Covered entities must obtain patient authorization before using or disclosing protected health information for most purposes beyond treatment, payment, and healthcare operations. Marketing, research, sale of information, and many other uses require written authorization.
The Privacy Rule establishes the minimum necessary standard. When using or disclosing protected health information, covered entities should use or disclose only the minimum information necessary to accomplish the purpose. Staff should access only information needed for their jobs. Claims should include only information necessary for payment.
The Security Rule
The HIPAA Security Rule establishes standards for protecting electronic protected health information. This rule took effect in 2005 and applies specifically to information stored or transmitted electronically.
The Security Rule requires administrative safeguards including risk assessments, workforce training, security management processes, and incident response procedures. Covered entities must evaluate risks to electronic information and implement measures to address those risks.
Physical safeguards protect electronic systems and equipment from unauthorized access. This includes facility access controls, workstation security, device and media controls, and policies about where sensitive information can be accessed.
Technical safeguards involve technology protecting electronic information. Access controls limit who can view information. Audit controls track who accessed what information. Integrity controls ensure information is not improperly altered. Transmission security protects information sent over networks.
The Security Rule is flexible and scalable. Small practices can meet requirements with simpler and less expensive measures than large hospital systems. The rule requires reasonable and appropriate safeguards based on the entity’s size, complexity, and resources.
The Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities to notify patients, the Department of Health and Human Services, and sometimes the media when breaches of unsecured protected health information occur.
A breach is unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the information. Not every incident is a breach. The covered entity must assess whether the information was actually compromised.
When breaches affect fewer than 500 people, covered entities must notify affected individuals within 60 days and must notify HHS annually. When breaches affect 500 or more people, covered entities must notify affected individuals within 60 days, notify HHS within 60 days, and notify prominent media outlets.
Breach notifications must describe what happened, what information was involved, steps individuals should take to protect themselves, what the covered entity is doing to investigate and mitigate harm, and contact information for questions.
Penalties for breach notification failures are severe. Failing to report breaches on time or failing to conduct proper breach assessments can result in substantial fines on top of penalties for the underlying privacy or security violations.
| HIPAA Component | What It Covers | Key Requirements |
| --- | --- | --- |
| Privacy Rule | Use and disclosure of protected health information | Patient rights, minimum necessary, authorization requirements |
| Security Rule | Electronic protected health information security | Administrative, physical, and technical safeguards |
| Breach Notification Rule | Response to privacy and security incidents | Notification to patients, HHS, and media when breaches occur |
| Enforcement Rule | Investigation and penalties for violations | Civil penalties up to $50,000 per violation, criminal penalties possible |
What Protected Health Information Includes
Protected health information (PHI) is individually identifiable health information held or transmitted by covered entities or business associates. Understanding what constitutes PHI is required for proper handling.
PHI includes any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. This broad definition covers most information handled in medical billing.
Identifiers That Make Information PHI
Health information becomes protected when combined with identifiers that make it possible to identify the individual. HIPAA specifies 18 identifiers that make information PHI when combined with health information.
Names are obvious identifiers. Full names, last names with first initials, and any other name variations that could identify someone make information PHI. Claims include patient names, making the entire claim PHI.
Geographic information smaller than state level is an identifier. Street addresses, cities, counties, ZIP codes (other than their first three digits), and any other geographic subdivision smaller than a state make information PHI. Claims include patient addresses.
Dates related to the individual are identifiers. Birth dates, admission dates, discharge dates, dates of death, and exact ages over 89 years are identifiers. Claims include dates of service, making them PHI.
Telephone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate or license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full face photos, and any other unique identifying number or code are all identifiers.
When health information includes any of these identifiers, it is PHI and must be protected according to HIPAA rules. Billing information almost always includes multiple identifiers combined with health information, making it clearly PHI.
Types of Information Protected
The health information combined with identifiers to create PHI includes anything related to the individual’s past, present, or future physical or mental health, the provision of healthcare to the individual, or the past, present, or future payment for healthcare.
Diagnoses are PHI. ICD-10 codes on claims describe what conditions the patient has. This is sensitive health information that must be protected. A person’s medical conditions are private information that should not be shared without proper authorization.
Treatments and procedures are PHI. CPT codes describe what services were provided. Knowing someone had surgery, therapy, testing, or other procedures is health information. The specific procedures reveal information about the person’s medical situation.
Medications are PHI. Knowing what medications someone takes reveals information about their health conditions. Billing for medication administration or medication management includes PHI about what drugs the patient is taking.
Test results are PHI. Lab values, imaging findings, and other test results are obvious health information. Even just knowing tests were performed reveals health information because it shows what the provider was investigating.
Payment information combined with health information is PHI. Bills showing what services were billed and how much they cost include PHI because they reveal what healthcare the person received. Explanation of benefits statements are PHI because they show services provided and amounts paid.
Communication about healthcare is PHI. Phone calls about appointments, emails about treatment plans, and messages about care coordination all contain PHI. The fact that someone is receiving care from a particular provider is itself PHI.
De-Identified Information
Information that does not identify individuals and where there is no reasonable basis to believe it could be used to identify individuals is not PHI. De-identified information can be used without HIPAA restrictions.
There are two methods to de-identify information. The expert determination method involves having a qualified statistician determine that the risk of identification is very small. The safe harbor method requires removing all 18 identifiers.
Under safe harbor de-identification, all identifiers must be removed and the covered entity cannot have actual knowledge that remaining information could identify individuals. This means not just removing names but removing dates, ZIP codes, telephone numbers, medical record numbers, and all other identifiers.
De-identified information is useful for research, public health, and analytics where individual identification is not necessary. However, truly de-identifying information is difficult. If any way to re-identify individuals remains, the information is still PHI.
Limited data sets are a middle ground between identified PHI and fully de-identified information. Limited data sets can include dates and geographic information but must remove direct identifiers like names and Social Security numbers. Limited data sets can be used for research, public health, and healthcare operations under data use agreements.
Most billing information cannot be de-identified because identifiers are necessary for payment. Claims must include patient names, dates, and other identifiers to process. Billing staff work with fully identified PHI almost exclusively.
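The safe harbor rules described above, applied to a billing record, as an added example that is not part of the original article. The field names, the sample record and the regular expressions are constructed for illustration; a real system would map its own schema onto the identifier list. The function drops direct identifiers and individual-related dates, keeps only the first three digits of a ZIP code, collapses ages over 89 into a single "90+" bucket, refuses any field it has not been told how to classify, and scans what remains for identifier-looking strings so that a note field cannot quietly carry a phone number or date through.

```python
"""Safe-harbor style de-identification of a billing record (added example)."""
import re
from copy import deepcopy

# Constructed field names for the direct identifiers on the safe-harbor list.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "phone", "fax", "email", "mrn", "member_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Dates that relate to the individual are identifiers as well.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "service_date", "death_date"}
# Health content that may remain once identifiers are gone.
RETAINED_FIELDS = {"state", "sex", "diagnoses", "procedures", "charge_total",
                   "payer_type", "clinical_summary"}

ZIP_RE = re.compile(r"^\d{5}(?:-\d{4})?$")
# Identifier-looking strings that should not survive in free text (constructed patterns).
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\d{3}[-.])?\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep only the first three digits, as the article's safe-harbor summary allows."""
    if not ZIP_RE.match(zip_code):
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    return zip_code[:3]


def generalize_age(age: int) -> str:
    """Ages over 89 are identifiers; report them only as a single 90+ bucket."""
    return "90+" if age > 89 else str(age)


def residual_identifiers(record: dict) -> list:
    """Return (field, kind) pairs for identifier-like strings still present."""
    hits = []
    for key, value in record.items():
        for item in (value if isinstance(value, list) else [value]):
            if isinstance(item, str):
                hits.extend((key, kind) for kind, pat in RESIDUAL_PATTERNS.items()
                            if pat.search(item))
    return hits


def deidentify(record: dict) -> dict:
    """Return a de-identified copy of `record`, or raise if it cannot be made safe."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in DATE_FIELDS:
            continue                            # removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(value)
        elif key in RETAINED_FIELDS:
            out[key] = deepcopy(value)
        else:                                   # fail closed on unknown fields
            raise ValueError(f"unclassified field {key!r}; classify it before release")
    leftovers = residual_identifiers(out)
    if leftovers:                               # "actual knowledge" check on what remains
        raise ValueError(f"identifier-like content remains: {leftovers}")
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "dob": "1951-03-14", "age": 93,
    "ssn": "123-45-6789", "phone": "555-0100", "mrn": "MRN-000123",
    "zip": "30301-1234", "state": "GA", "service_date": "2024-05-02",
    "diagnoses": ["E11.9", "I10"], "procedures": ["99213"],
    "charge_total": 185.0,
    "clinical_summary": "Follow-up visit for diabetes and hypertension",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

The two failure paths matter as much as the happy path: an unclassified field is refused rather than passed through, and free text that still contains a phone number or date blocks release, which is the practical form of the "no actual knowledge that remaining information could identify individuals" condition.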
Who Must Comply with HIPAA
HIPAA applies to covered entities and business associates. Understanding who must comply determines what obligations exist.
Covered Entities
Covered entities are the organizations and individuals that must comply directly with all HIPAA rules. Three types of covered entities exist.
Healthcare providers are covered entities if they transmit health information electronically in connection with transactions for which HHS has adopted standards. This includes billing insurance electronically. Almost all healthcare providers who bill insurance are covered entities.
Physicians, therapists, hospitals, clinics, pharmacies, nursing homes, and other providers who submit electronic claims are covered entities. Solo practitioners are covered entities. Small group practices are covered entities. Large hospital systems are covered entities. If the provider bills insurance electronically, HIPAA applies.
Health plans are covered entities. This includes health insurance companies, HMOs, employer group health plans, government health programs like Medicare and Medicaid, and other entities that pay for healthcare. Health plans receive and handle PHI when processing claims and must protect that information.
Healthcare clearinghouses are covered entities. Clearinghouses process health information between providers and plans, often reformatting or translating data. Clearinghouses handle large volumes of PHI from many sources and must protect all of it.
Each covered entity is responsible for its own HIPAA compliance. A medical practice cannot blame its billing company for violations. The practice is responsible for ensuring all aspects of its operations comply with HIPAA, including operations performed by others on its behalf.
Business Associates
Business associates are entities that perform services for covered entities involving creation, receipt, maintenance, or transmission of PHI. Business associates must comply with HIPAA and must have written agreements with covered entities.
Billing companies are business associates. When a medical practice hires an external billing company to submit claims and post payments, that billing company accesses PHI and is a business associate. The billing company must comply with the HIPAA Security Rule, must report breaches, and must have a written business associate agreement with the practice.
Collection agencies are business associates when they collect on behalf of covered entities. The agency receives PHI about what services were provided and payment information. They must protect this information and have business associate agreements.
Practice management software vendors are business associates if they can access PHI. Cloud-based systems where the vendor hosts data and could access it require business associate agreements. The vendor must implement appropriate safeguards protecting the PHI they could access.
Shredding companies, IT consultants, lawyers, accountants, and other service providers can be business associates depending on whether they access PHI. The determining factor is whether they create, receive, maintain, or transmit PHI on behalf of the covered entity.
Business associates are directly liable for HIPAA violations. HHS can investigate and penalize business associates without involving the covered entity. Both the covered entity and the business associate can be penalized for the same incident if both failed in their obligations.
Business associates can have subcontractors who also access PHI. These subcontractors are also business associates and must have written agreements. The chain of responsibility extends through all entities that access PHI.
Business Associate Agreements
Covered entities must have written business associate agreements with all business associates before PHI can be disclosed to them. The agreement establishes what the business associate can do with PHI and what safeguards they must maintain.
Business associate agreements must include required terms specified by HIPAA. The agreement must describe permitted and required uses of PHI, require the business associate to implement appropriate safeguards, require the business associate to report breaches and security incidents, require return or destruction of PHI when the relationship ends, and allow the covered entity to audit the business associate’s compliance.
The covered entity cannot simply use a business associate agreement template without ensuring it includes all required terms. HHS publishes sample language, but agreements must be tailored to the specific relationship and services involved.
Business associate agreements should be signed before PHI is disclosed. Covered entities that share PHI with service providers before agreements are in place violate HIPAA. The agreements establish the legal framework for the disclosure.
If a business associate violates the agreement, the covered entity must take reasonable steps to cure the violation or terminate the relationship. A covered entity that knows about violations and does nothing becomes liable for the business associate’s violations.
HIPAA Privacy Requirements in Billing
Medical billing involves numerous privacy considerations. Every step of the billing process must comply with HIPAA Privacy Rule requirements.
Permitted Uses and Disclosures
HIPAA allows certain uses and disclosures of PHI without patient authorization. Treatment, payment, and healthcare operations are the primary permitted purposes.
Payment includes activities to obtain or provide reimbursement for healthcare. This encompasses billing, claims management, collection activities, utilization review, and determining eligibility and coverage. Because billing falls under payment, most billing activities can proceed without specific patient authorization.
Submitting claims to insurance companies is permitted for payment. Claims include extensive PHI including diagnoses, procedures, provider information, and dates of service. This disclosure is permitted because it is necessary for payment.
Communicating with patients about their bills is permitted. Sending statements, calling about balances, and explaining charges are payment activities that can occur without separate authorization.
Reporting to collection agencies is permitted for payment purposes. When accounts are sent to collections, the PHI necessary for collection can be disclosed. However, only the minimum necessary information should be shared.
Disclosing information to insurance companies to appeal denials is permitted. The appeal is part of the payment process. Documentation supporting medical necessity can be sent to insurers during appeals without patient authorization.
Even though these uses are permitted, the minimum necessary standard applies. Claims should include only diagnoses and procedures relevant to the services billed. Statements to patients should show charges and payments but should not include unnecessary clinical details. Collection agencies should receive only information necessary for collection, not full medical records.
When Authorization Is Required
Patient authorization is required for uses and disclosures beyond treatment, payment, and healthcare operations. Authorization is a written document signed by the patient allowing specific uses of their information.
Marketing requires authorization. If a billing company wants to use patient information to market its services to those patients, authorization is required. Sending newsletters about billing services would require authorization unless the communication also includes information about treatment or healthcare operations.
Sale of PHI requires authorization. If information is being disclosed in exchange for payment, authorization is required. There are limited exceptions, but generally selling patient lists or information for commercial purposes requires authorization.
Most research requires authorization unless the research meets specific exceptions. Using billing data for research studies typically requires authorization or institutional review board approval with waiver of authorization.
Disclosures to employers generally require authorization. If an employer calls asking about an employee’s medical information, authorization is required even though the employer provides the insurance. The exceptions are limited to workers’ compensation and similar programs.
Disclosures to family members require authorization or patient agreement unless the patient is present and does not object or the disclosure relates to notification of family about the patient’s condition. A family member calling to ask about another adult family member’s bill should not receive information without authorization.
Psychotherapy notes have special protection and almost always require authorization. However, billing records are not psychotherapy notes. Billing information falls under regular PHI rules, not the heightened psychotherapy notes protections.
Minimum Necessary Standard
When using or disclosing PHI for payment, covered entities must limit the information to the minimum necessary to accomplish the purpose. This means not including more information than needed.
Claims should include only relevant diagnoses. If a patient has 15 conditions but only three are relevant to the service being billed, only those three should be on the claim. Including unrelated diagnoses violates minimum necessary.
Patient statements should not include detailed clinical information. The statement needs to show charges, payments, and balance. It does not need to include procedure descriptions that reveal sensitive information. A statement showing “office visit” is sufficient without specifying it was for mental health or substance abuse.
Communications with collection agencies should include minimum information. The agency needs to know the patient owes money and contact information. They do not need full medical records. Sending complete records to collectors violates minimum necessary.
Internal access should be limited to minimum necessary. Billing staff should have access to billing information but not to clinical notes unless specifically needed for appeals or documentation reviews. Receptionists should see scheduling information but not necessarily full medical records.
The minimum necessary standard does not apply to treatment uses and disclosures, disclosures to the patient, disclosures authorized by the patient, or disclosures required by law. When sharing information between providers for treatment, all relevant information can be shared without minimum necessary restrictions.
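The minimum necessary standard as a set of purpose-specific views over one billing record, as an added example that is not part of the original article. The record layout, purpose names and field lists are constructed; a real system would derive them from its own schema and policies. The claim view carries only the diagnoses that the billed service lines point to, the patient statement shows a generic line label rather than procedure codes or descriptions, the collection view carries only balance and contact data, and the exempt purposes listed in the paragraph above (treatment, the patient's own request, patient authorization, required by law) receive the full record. A purpose with no defined view is refused rather than given everything by default.

```python
"""Minimum-necessary views of a billing record by purpose (added example)."""
from copy import deepcopy

# Purposes the article says the minimum necessary standard does not apply to.
EXEMPT_PURPOSES = {"treatment", "patient_request", "patient_authorized", "required_by_law"}


def claim_view(record: dict) -> dict:
    """Payer view: identifiers needed for adjudication, the service lines,
    and only the diagnoses those lines point to."""
    pointed = set()
    for line in record["service_lines"]:
        for code in line["diagnosis_pointers"]:
            if code not in record["diagnoses"]:
                raise ValueError(f"service line points at undocumented diagnosis {code}")
            pointed.add(code)
    return {
        "name": record["name"],
        "dob": record["dob"],
        "member_id": record["member_id"],
        "provider_npi": record["provider_npi"],
        "service_date": record["service_date"],
        "diagnoses": [d for d in record["diagnoses"] if d in pointed],
        "service_lines": [
            {"cpt": l["cpt"], "diagnosis_pointers": list(l["diagnosis_pointers"]),
             "charge": l["charge"]}
            for l in record["service_lines"]
        ],
    }


def statement_view(record: dict) -> dict:
    """Patient statement: charges, payments, balance and a generic label
    per line; no codes or descriptions that reveal clinical detail."""
    return {
        "name": record["name"],
        "mailing_address": record["mailing_address"],
        "account_number": record["account_number"],
        "service_date": record["service_date"],
        "lines": [{"label": l["category"], "charge": l["charge"]}
                  for l in record["service_lines"]],
        "payments": record["payments"],
        "balance": record["balance"],
    }


def collection_view(record: dict) -> dict:
    """Collection agency view: who owes, how much, and how to reach them."""
    return {k: record[k] for k in ("name", "mailing_address", "phone",
                                   "account_number", "balance")}


VIEW_BUILDERS = {
    "claim": claim_view,
    "patient_statement": statement_view,
    "collection": collection_view,
}


def minimum_necessary(record: dict, purpose: str) -> dict:
    """Return the view for `purpose`; exempt purposes get the whole record,
    unknown purposes are refused instead of defaulting to full access."""
    if purpose in EXEMPT_PURPOSES:
        return deepcopy(record)
    builder = VIEW_BUILDERS.get(purpose)
    if builder is None:
        raise ValueError(f"no minimum-necessary view defined for purpose {purpose!r}")
    return builder(record)


# Constructed sample record; not real patient data. provider_npi is a placeholder.
RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1951-03-14",
    "mailing_address": "1 Example St, Atlanta GA 30301",
    "phone": "555-0100",
    "member_id": "XYZ123",
    "account_number": "ACCT-42",
    "provider_npi": "<NPI placeholder>",
    "service_date": "2024-05-02",
    # F41.1 is documented in the chart but was not addressed at this visit.
    "diagnoses": ["E11.9", "I10", "F41.1"],
    "service_lines": [{
        "cpt": "99213",
        "description": "Office visit, established patient, level 3",
        "category": "Office visit",
        "diagnosis_pointers": ["E11.9", "I10"],
        "charge": 185.0,
    }],
    "clinical_notes": "A1c reviewed; blood pressure controlled.",
    "payments": 50.0,
    "balance": 135.0,
}

if __name__ == "__main__":
    for purpose in ("claim", "patient_statement", "collection"):
        print(purpose, minimum_necessary(RECORD, purpose))
```

The design choice worth noting is that the views are allowlists built from named fields, not denylists that strip known-sensitive fields; a new column added to the record later is invisible to every purpose until someone deliberately adds it to a view.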
Patient Rights
Patients have specific rights under HIPAA that affect billing operations. Covered entities must honor these rights and have procedures for patients to exercise them.
Patients have the right to access their own PHI. This includes billing information. If a patient requests copies of their bills, EOBs, or other billing records, the request must be honored within 30 days. Reasonable fees for copying can be charged.
Patients have the right to request amendments to their records. If a patient believes billing information is incorrect, they can request an amendment. The covered entity can deny the request if the information is accurate, but the patient can submit a statement of disagreement.
Patients have the right to an accounting of disclosures. This is a list of times PHI was disclosed for purposes other than treatment, payment, and healthcare operations. Most billing disclosures are for payment and do not require accounting. But if PHI was disclosed to a collection agency, that disclosure should be tracked for potential accounting requests.
Patients have the right to request restrictions on uses and disclosures. They can ask that certain information not be shared with insurance companies or that bills not be sent to a specific address. Covered entities must agree to restrictions on disclosures to health plans for payment when the patient paid out of pocket in full for the service.
Patients have the right to request confidential communications. They can ask to receive bills at an alternative address or by alternative means if they believe normal communication would endanger them. These requests must be accommodated if reasonable.
Patients have the right to a Notice of Privacy Practices. They must receive the notice at first service encounter and must acknowledge receipt. The notice explains how their information will be used and what rights they have.
HIPAA Security Requirements in Billing
The Security Rule requires safeguards protecting electronic PHI. Billing operations involve extensive electronic PHI that must be secured.
Administrative Safeguards
Administrative safeguards are policies, procedures, and processes managing security. These are the foundation of a security program.
A security official must be designated. Someone must be responsible for developing and implementing security policies and procedures. In small practices, this might be the office manager or owner. The security official oversees the security program.
Risk assessments must be conducted. The covered entity must evaluate threats and vulnerabilities to electronic PHI and implement measures addressing identified risks. Risk assessments should be repeated periodically as operations change.
Workforce security procedures must exist. This includes authorization and supervision of employees accessing PHI, termination procedures ensuring access is removed when employment ends, and sanctions for employees who violate security policies.
Information access management controls limit who can access electronic PHI. Users should have access only to information necessary for their jobs. Billing staff might access billing information but not clinical notes. Receptionists might access scheduling but not detailed medical records.
Security training must be provided to all workforce members. Training should occur at hire and periodically thereafter. Staff must understand their security responsibilities and what to do if they suspect security incidents.
Incident response procedures must exist. When security incidents occur, there must be a process for identifying, responding to, documenting, and mitigating them. Staff must know how to report potential incidents.
Contingency planning ensures that electronic PHI is protected during emergencies. Backup procedures, disaster recovery plans, and emergency mode operations are required. If systems go down, there must be plans for maintaining security while continuing operations.
Physical Safeguards
Physical safeguards protect electronic systems and the facilities where they are located. These controls prevent unauthorized physical access to PHI.
Facility access controls limit who can physically access areas where electronic PHI is stored or accessed. Locked doors, ID badges, visitor logs, and security cameras are examples. Areas with servers or workstations accessing PHI should have access restrictions.
Workstation security policies establish how workstations are used and where they can be located. Workstations should not be in areas where unauthorized people can view screens. Monitors should be positioned away from public view. Privacy screens can prevent viewing from angles.
Device and media controls address how electronic devices and storage media containing PHI are handled. This includes secure disposal when devices are retired, removing PHI before devices are reused, and maintaining accountability for hardware movement.
Laptops, tablets, smartphones, USB drives, and portable hard drives containing PHI must be encrypted or otherwise protected. If a device is lost or stolen, encryption prevents unauthorized access to PHI on the device.
Printers, fax machines, and copiers used for PHI must be in secure locations. Documents should not sit in printer trays where unauthorized people can see them. Fax machines should not be in public areas where anyone can read incoming faxes.
Physical records containing PHI must be secured even though the Security Rule technically applies only to electronic PHI. Most covered entities apply similar physical security to paper records as a matter of good practice and to meet Privacy Rule requirements.
Technical Safeguards
Technical safeguards involve technology controls protecting electronic PHI and controlling access to it. These are the computer security measures that prevent unauthorized access.
Access controls limit who can use systems containing PHI. Each user should have a unique username and password. Shared accounts violate HIPAA because activity cannot be traced to specific users. Passwords should meet complexity requirements and be changed periodically.
Automatic logoff closes systems after periods of inactivity. If a user walks away from a logged-in workstation, the system should automatically log out after a set time. This prevents unauthorized access if someone sits at an unattended workstation.
Encryption protects PHI stored on devices and transmitted over networks. Laptops should have hard drive encryption. Emails containing PHI should be encrypted. Websites transmitting PHI should use SSL/TLS encryption. Encryption renders PHI unreadable if intercepted or accessed by unauthorized persons.
Audit controls track who accesses electronic PHI. Systems should log when users access information, what information they accessed, and what actions they took. These audit logs help detect unauthorized access and investigate security incidents.
Integrity controls ensure electronic PHI is not improperly altered or destroyed. Checksums, digital signatures, or other mechanisms verify information has not been tampered with. Regular backups protect against data loss.
Transmission security protects PHI sent over electronic networks. This includes encryption of emails, secure file transfer protocols, and VPNs for remote access. PHI should never be transmitted over unsecured networks.
Two-factor authentication adds security beyond passwords. Users must provide something they know (password) and something they have (phone for text code or security token). Two-factor authentication significantly reduces risk of unauthorized access.
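The access-control and audit-control safeguards above produce logs that someone has to review; the following is an added example of that review, not code from the article or from any billing product. The log line format, the roles, the role-to-resource mapping and the two thresholds are all constructed for illustration; a real review would read the practice management system's own audit export. It flags three things the paragraphs above describe: a user opening a resource type their role does not need (billing staff opening clinical notes), one account active on two workstations within minutes (the symptom of a shared login), and a user touching an unusual number of distinct patients.

```python
"""Review of a constructed PHI access audit log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) patient=(?P<patient>\S+) ws=(?P<ws>\S+)$"
)

# Resource types each role needs for its job (constructed; mirrors the
# article's "billing staff see billing data, not clinical notes" rule).
ROLE_RESOURCES = {
    "billing": {"claim", "statement", "eob"},
    "clinical": {"claim", "clinical_note", "lab_result"},
    "front_desk": {"schedule"},
}
WORKSTATION_WINDOW = timedelta(minutes=5)   # assumed window for the shared-account check
DISTINCT_PATIENT_THRESHOLD = 3              # assumed; tune to the practice's volume


def parse_line(line: str) -> dict:
    """Parse one audit line into a dict; reject lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_access_log(lines) -> list:
    """Return (timestamp, user, reason) findings in log order."""
    findings = []
    last_seen = {}                    # user -> (timestamp, workstation)
    patients = defaultdict(set)       # user -> distinct patients touched
    for line in lines:
        ev = parse_line(line)
        stamp = ev["ts"].isoformat()
        # 1. Role/resource mismatch: the information-access-management check.
        allowed = ROLE_RESOURCES.get(ev["role"])
        if allowed is None:
            findings.append((stamp, ev["user"], "unknown_role"))
        elif ev["resource"] not in allowed:
            findings.append((stamp, ev["user"], "role_resource_mismatch"))
        # 2. Same account on two workstations within the window: shared credentials.
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["ws"] and ev["ts"] - prev[0] <= WORKSTATION_WINDOW:
            findings.append((stamp, ev["user"], "concurrent_workstations"))
        last_seen[ev["user"]] = (ev["ts"], ev["ws"])
        # 3. Unusual breadth of patient access; fires once, when the threshold is crossed.
        seen = patients[ev["user"]]
        before = len(seen)
        seen.add(ev["patient"])
        if before <= DISTINCT_PATIENT_THRESHOLD < len(seen):
            findings.append((stamp, ev["user"], "high_volume"))
    return findings


# Constructed sample log; users, patients and workstations are fictitious.
SAMPLE_LOG = [
    "2024-05-02T09:01:05 user=mlee role=billing action=view resource=claim patient=P1001 ws=WS-03",
    "2024-05-02T09:02:40 user=mlee role=billing action=view resource=clinical_note patient=P1001 ws=WS-03",
    "2024-05-02T09:03:10 user=frontdesk role=front_desk action=view resource=schedule patient=P1002 ws=WS-01",
    "2024-05-02T09:04:02 user=frontdesk role=front_desk action=view resource=schedule patient=P1003 ws=WS-05",
    "2024-05-02T09:10:00 user=rpatel role=clinical action=view resource=lab_result patient=P1004 ws=WS-09",
    "2024-05-02T09:11:00 user=mlee role=billing action=view resource=claim patient=P1005 ws=WS-03",
    "2024-05-02T09:12:00 user=mlee role=billing action=view resource=claim patient=P1006 ws=WS-03",
    "2024-05-02T09:13:00 user=mlee role=billing action=view resource=claim patient=P1007 ws=WS-03",
]

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding)
```

Each finding is a lead for the security official to confirm against the worklist, not a verdict; the value of the audit log is that the question "who opened this record, and why?" can be answered at all, which is exactly what a shared account makes impossible.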
Common HIPAA Violations in Billing
Understanding common violations helps practices avoid them. Many violations stem from lack of awareness about what is permitted.
Improper Disclosures to Third Parties
One of the most common violations is sharing PHI with people who should not have it. This includes family members, friends, employers, and others who call asking about patients.
A family member calls asking about a patient’s bill. The billing staff member assumes the family member is involved in the patient’s care and discusses the account. Unless the patient authorized this disclosure or was present and agreed, this violates HIPAA.
An employer calls asking if an employee came to an appointment. Even confirming the appointment discloses PHI. The fact that someone is receiving care is protected information. Employers do not have automatic rights to patient information even though they may provide the insurance.
A patient’s lawyer calls requesting billing records. Unless the patient provided written authorization, these records cannot be released. Even though the lawyer represents the patient, authorization is still required. A subpoena by itself does not authorize the disclosure; patient authorization or a court order is still needed.
Collection agencies receive unnecessary PHI. Sending full medical records to collection agencies violates minimum necessary. Collectors need to know the amount owed and contact information. They do not need detailed medical records.
Private investigators, insurance companies investigating claims, disability determination services, and others frequently call providers requesting information. Unless the request falls under a HIPAA exception or includes proper authorization, information cannot be released.
Lack of Business Associate Agreements
Using vendors who access PHI without written business associate agreements in place violates HIPAA. This violation is common because practices do not always recognize which vendors are business associates.
Hiring a billing company without a business associate agreement is a violation. The billing company will access extensive PHI when submitting claims and posting payments. Before any PHI is shared, the agreement must be signed.
Using collection agencies without agreements violates HIPAA. When accounts are sent to collection, PHI is disclosed. The agency is a business associate and requires an agreement before receiving PHI.
Cloud-based software vendors who could access PHI need agreements. If patient data is stored on the vendor’s servers and the vendor employees could potentially view it, the vendor is a business associate. The agreement should be in place before uploading any PHI.
Shredding services that destroy documents containing PHI are business associates. Paper records with PHI require secure destruction. The shredding company must have an agreement before destroying PHI.
The covered entity is liable for using service providers without proper agreements. HHS can penalize the covered entity for failing to have required agreements in place even if no actual breach of information occurred.
Inadequate Access Controls
Allowing too many people to access PHI or failing to restrict access to minimum necessary violates HIPAA. This is particularly common in small practices where everyone can see everything.
Receptionists having full access to all medical records when they only need scheduling information violates minimum necessary. Access should be limited to what is needed for job functions.
Former employees retaining access after termination is a serious violation. When employment ends, all system access must be terminated immediately. Accounts of former employees that remain active create a risk of unauthorized access.
Shared passwords violate HIPAA. Each user must have unique credentials. Sharing usernames and passwords means activity cannot be traced to specific individuals. If unauthorized access occurs, the responsible person cannot be identified.
Passwords written on notes stuck to monitors or keyboards make passwords meaningless. Physical security of passwords is part of access control. Passwords should be memorized or stored securely, not displayed where anyone can see them.
Failing to log out of systems when leaving workstations allows unauthorized access. Walking away from a logged-in system means anyone who approaches can access PHI. Users must log out or lock screens when stepping away.
Accessing records of family members, friends, or celebrities without business need violates HIPAA. Users can only access PHI when necessary for job duties. Snooping in records out of curiosity is a violation even for staff with legitimate access to systems.
Unencrypted Devices and Communications
Storing or transmitting PHI without encryption creates breach risks. When devices are lost or communications are intercepted, unencrypted PHI is exposed.
Laptops without encryption that are lost or stolen constitute breaches. If the hard drive is not encrypted, whoever finds the laptop can access all PHI stored on it. Encryption makes the data unreadable without the password.
Sending PHI by regular email without encryption risks interception. Email travels through multiple servers and can be accessed by system administrators and potentially by hackers. Unencrypted email containing PHI can be read if intercepted.
Texting PHI without secure messaging platforms violates HIPAA. Regular text messages are not secure. They can be intercepted, accidentally sent to wrong numbers, and stored on phone systems. Secure messaging systems designed for healthcare should be used.
Faxing to wrong numbers discloses PHI to unintended recipients. While fax is an acceptable transmission method under HIPAA, confirming fax numbers and using cover sheets indicating confidential information are important safeguards.
Discussing PHI in public areas where others can overhear is a disclosure violation. Billing staff should not discuss patient accounts in hallways, waiting rooms, or other areas where conversations can be overheard. Private spaces should be used for conversations involving PHI.
Improper Disposal of PHI
Throwing PHI in regular trash or recycling instead of shredding it violates HIPAA. This is one of the easiest violations to commit and one of the easiest to prevent.
Paper records, EOBs, patient statements, and other documents containing PHI must be shredded or otherwise destroyed so information cannot be reconstructed. Simply throwing documents in trash allows anyone accessing the trash to read PHI.
Computer hard drives must be properly sanitized before disposal or reuse. Deleting files does not actually remove data from hard drives. Special software must be used to overwrite data multiple times, or hard drives must be physically destroyed.
Copiers and printers with hard drives contain images of everything copied or printed. When retiring these devices, hard drives must be removed and destroyed or the devices must be returned to vendors who certify proper data destruction.
CDs, DVDs, USB drives, and other media containing PHI must be physically destroyed. Breaking them is not sufficient. They should be shredded or incinerated so data cannot be recovered.
Disposal of PHI is often overlooked because staff assume that documents and devices being discarded no longer matter. But discarded items still contain PHI that must be protected. Proper disposal prevents dumpster diving and protects PHI even after it is no longer needed.
Responding to HIPAA Incidents
Despite best efforts, security incidents and breaches occur. How an organization responds determines the ultimate impact and potential penalties.
Identifying Potential Breaches
Not every incident is a breach. A breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information. The covered entity must evaluate incidents to determine if they constitute breaches.
A risk assessment must be performed for every potential breach. This assessment considers the nature and extent of PHI involved, who accessed the information, whether PHI was actually acquired or viewed, and the extent to which risk to PHI has been mitigated.
Low-risk incidents may not be breaches. If an employee accidentally accesses the wrong patient’s record but immediately closes it without viewing details, this may not compromise security or privacy. The minimal exposure and immediate correction mitigate risk.
Accidental disclosures to people authorized to access PHI generally are not breaches. If billing information is accidentally sent to the wrong doctor in the practice but both doctors are treating the patient, this may not be a breach because both are authorized to access the information.
Disclosures where information cannot be retained are not breaches. If someone sees PHI momentarily but cannot retain it, this may not compromise security. For example, someone glimpsing information on a screen as they walk past is different from someone reading and photographing documents.
If the risk assessment determines a breach occurred, breach notification obligations are triggered. If the assessment determines no breach occurred, the incident should still be documented along with the reasoning for the determination.
Breach Notification Requirements
When breaches occur, specific notification requirements apply. The timing and recipients depend on the size and nature of the breach.
Individual notification must occur within 60 days of breach discovery. Affected individuals must be notified by first-class mail or email if the individual agreed to electronic notice. The notification must describe what happened, what information was involved, what the individual should do, what the covered entity is doing, and contact information for questions.
HHS notification timing depends on breach size. Breaches affecting fewer than 500 people are reported annually. Breaches affecting 500 or more people must be reported within 60 days of breach discovery. HHS posts breaches of 500+ people publicly on their “Wall of Shame” website.
Media notification is required for breaches affecting more than 500 people in a state or jurisdiction. Prominent media outlets must be notified within 60 days. This requirement ensures the public is informed of large breaches.
Business associate notification to covered entities must occur without unreasonable delay and no later than 60 days from breach discovery. Business associates must report breaches to the covered entities they work for so the covered entities can fulfill their notification obligations.
Notification content must include specific elements. The notification must identify the breach, describe types of information involved, provide steps individuals should take, describe what the organization is doing, and provide contact information. The notification should be in plain language understandable by the affected individuals.
Mitigating Harm
After a breach, covered entities must take steps to mitigate harm to affected individuals. Mitigation demonstrates the organization is taking responsibility and trying to limit damage.
Offering credit monitoring services is common mitigation when breaches involve Social Security numbers or financial information. Credit monitoring helps individuals detect identity theft early. While not required by HIPAA, many organizations offer this as mitigation.
Investigating how the breach occurred prevents recurrence. If the breach resulted from lack of encryption, implementing encryption prevents similar future breaches. If the breach resulted from inadequate training, additional training is mitigation.
Sanctioning employees responsible for breaches is required when violations resulted from employee misconduct. Discipline, ranging from additional training to termination depending on severity, shows the organization takes compliance seriously.
Changing policies and procedures to prevent similar incidents is mitigation. If a breach revealed a gap in procedures, updating procedures fixes the gap. For example, if a breach occurred because there was no process for verifying identity before disclosing information, implementing a verification process is mitigation.
Communication with affected individuals beyond the legally required notice can be mitigation. Offering to answer questions, providing resources, and showing concern for those affected demonstrates the organization cares about minimizing impact.
Penalties and Enforcement
HIPAA violations can result in civil monetary penalties, criminal prosecution in extreme cases, and corrective action plans requiring specific compliance improvements.
Civil monetary penalties range from $100 to $50,000 per violation depending on the level of culpability. If the covered entity did not know and could not have known about the violation, penalties start at $100. If the violation was due to willful neglect that was corrected, penalties are $10,000 minimum. If the violation was due to willful neglect that was not corrected, penalties are $50,000 per violation.
The annual maximum penalty for identical violations is $1.5 million. However, penalties can quickly exceed this when violations are not identical. Each patient’s information improperly disclosed is a separate violation with separate penalties.
Criminal penalties apply when violations are knowingly committed. Obtaining or disclosing PHI can result in fines up to $50,000 and up to one year in prison. If the violation is committed under false pretenses, penalties increase to fines up to $100,000 and up to five years in prison. If the violation is committed with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm, penalties increase to fines up to $250,000 and up to 10 years in prison.
Corrective action plans require organizations to implement specific improvements to prevent future violations. These plans are monitored by HHS Office for Civil Rights. Organizations must regularly report on implementation progress. Failure to comply with corrective action plans can result in additional penalties.
State attorneys general can bring enforcement actions for HIPAA violations affecting state residents. State enforcement creates additional legal exposure beyond federal penalties.
Implementing HIPAA Compliance Programs
Effective HIPAA compliance requires comprehensive programs with policies, training, monitoring, and accountability.
Written Policies and Procedures
Every covered entity must have written privacy and security policies and procedures. These documents guide staff on how to comply with HIPAA requirements.
Privacy policies should address patient rights, uses and disclosures of PHI, minimum necessary determinations, authorization requirements, complaint procedures, mitigation procedures, sanctions for violations, and training requirements.
Security policies should address access controls, audit procedures, encryption requirements, device security, breach response, business associate management, and physical security measures.
Policies must be specific to the organization’s operations. Generic template policies are a starting point but must be customized. A solo practitioner’s policies will differ from a large hospital system’s policies even though both must comply with HIPAA.
Procedures should be detailed enough that staff can follow them. A policy stating “access controls will be implemented” is insufficient. Procedures should specify who grants access, how access is documented, when access is reviewed, and how access is terminated.
Policies and procedures must be reviewed and updated periodically. When operations change, policies should be updated to reflect changes. When regulations change, policies must be revised to maintain compliance.
Documentation that policies were implemented is important. If HHS investigates, they want to see not just written policies but evidence that policies were actually followed. Activity logs, training records, and compliance audits provide this evidence.
Staff Training
All workforce members must receive HIPAA training. Training should occur at hire, periodically (at least annually), and when significant changes occur.
Training should cover what HIPAA is, what PHI includes, how to handle PHI, when authorization is required, patient rights, security requirements, incident reporting, and consequences of violations.
Role-specific training addresses the HIPAA requirements relevant to each person’s job. Billing staff need in-depth training on payment disclosures and minimum necessary. IT staff need detailed security training. Receptionists need training on patient rights and privacy practices.
Training should be documented. Sign-in sheets, completion certificates, and training records prove training occurred. If violations occur and HHS investigates, training records demonstrate the organization made good faith efforts to educate staff.
Training should be engaging and practical. Reading policies aloud is not effective training. Scenarios, examples, and discussions help staff understand how HIPAA applies to their daily work. Quiz questions test comprehension.
Training should address actual incidents that have occurred. If an employee violated HIPAA, use it as a training opportunity (without identifying the person). Explain what happened, why it was wrong, and how to handle the situation correctly.
New employees should complete HIPAA training before accessing PHI. Do not grant system access until training is complete. This ensures everyone has baseline knowledge before handling protected information.
Compliance Monitoring
Regular monitoring detects compliance problems before they become violations. Monitoring also provides evidence of good faith compliance efforts.
Audit logs should be reviewed periodically. System logs showing who accessed what information can reveal inappropriate access. Unusual access patterns like accessing records at odd hours or accessing large numbers of records should be investigated.
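The paragraph above, and the audit-control paragraph under Technical Safeguards, describe reviewing access logs for unusual patterns. The following is an added example written for this guide, not code from the article or from any EHR or billing product, showing a small review script that reads access-log lines and flags three patterns the guide calls out: access outside business hours, one user viewing an unusually large number of distinct patients in a day, and activity from accounts belonging to former employees that should have been disabled. The log format, the sample lines, the user names, the business-hours window and the daily threshold are all constructed assumptions and would be tuned to the organization and role.

```python
"""Audit log review for access anomalies.

Added example, not code from the article. Log lines are constructed in a
simple key=value format; a real system's export would need its own parser.
Timestamps are assumed to be local time.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> user=<id> action=<VIEW|EDIT> patient=<id>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

BUSINESS_HOURS = (7, 19)      # assumed window: 07:00 up to (not including) 19:00
DAILY_PATIENT_LIMIT = 4       # assumed threshold for a billing clerk; tune per role
TERMINATED_USERS = {"rsmith"}  # constructed: accounts HR reports as terminated

# Constructed sample log. jdoe is ordinary daytime work; mlee touches many
# distinct patients in quick succession; rsmith is a terminated account active
# at 02:13; the last line is malformed and is skipped.
SAMPLE_LOG = [
    "2024-03-04T08:12:07 user=jdoe action=VIEW patient=P10001",
    "2024-03-04T08:40:19 user=jdoe action=VIEW patient=P10002",
    "2024-03-04T09:05:44 user=jdoe action=EDIT patient=P10002",
    "2024-03-04T09:30:00 user=jdoe action=VIEW patient=P10003",
    "2024-03-04T10:00:01 user=mlee action=VIEW patient=P20001",
    "2024-03-04T10:00:09 user=mlee action=VIEW patient=P20002",
    "2024-03-04T10:00:15 user=mlee action=VIEW patient=P20003",
    "2024-03-04T10:00:22 user=mlee action=VIEW patient=P20004",
    "2024-03-04T10:00:30 user=mlee action=VIEW patient=P20005",
    "2024-03-04T10:00:37 user=mlee action=VIEW patient=P20006",
    "2024-03-05T02:13:07 user=rsmith action=VIEW patient=P10001",
    "this line is malformed and is skipped",
]


def parse_line(line: str):
    """Return a dict with ts/user/action/patient, or None for unparseable input."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def review_audit_log(lines, terminated=TERMINATED_USERS,
                     hours=BUSINESS_HOURS, limit=DAILY_PATIENT_LIMIT):
    """Return a list of (finding_type, user, detail) tuples for a reviewer."""
    findings = []
    patients_per_user_day = defaultdict(set)

    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue  # unparseable lines are skipped, not silently trusted
        user, ts = entry["user"], entry["ts"]

        # Any activity from an account that should have been disabled.
        if user in terminated:
            findings.append(("terminated_account", user, raw.strip()))

        # Access outside the assumed business-hours window.
        if ts.hour < hours[0] or ts.hour >= hours[1]:
            findings.append(("after_hours", user, raw.strip()))

        patients_per_user_day[(user, ts.date())].add(entry["patient"])

    # Volume check runs after the pass so each user/day is counted once.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > limit:
            findings.append(("high_volume", user,
                             f"{day}: {len(patients)} distinct patients"))
    return findings


def summarize(findings) -> dict:
    """Count findings by type, for a management compliance report."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{kind:20} {user:8} {detail}")
    print(summarize(review_audit_log(SAMPLE_LOG)))
```

A finding is a prompt for a human reviewer, not a verdict: after-hours access may be legitimate on-call work, and a high daily count may reflect a month-end billing run, which is why the threshold is a per-role parameter. The terminated-account check is the one that should never produce a legitimate hit, and it only works if the HR termination list feeds the review promptly.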
Periodic compliance audits evaluate whether policies are being followed. Sample transactions can be reviewed to verify minimum necessary is followed. Authorization forms can be reviewed to ensure they meet requirements.
Patient complaints should be tracked and analyzed. Patterns in complaints may reveal systemic problems. Each complaint should be investigated to determine if a violation occurred.
Breach reports should be reviewed for patterns. If similar types of incidents keep occurring, this indicates training gaps or procedure problems. Corrective action should address root causes, not just individual incidents.
Employee surveys can identify compliance concerns. Anonymous surveys allow staff to report potential problems without fear of retaliation. Questions about awareness of policies, comfort with procedures, and observation of violations provide valuable feedback.
Monitoring results should be reported to management. Leadership needs to know about compliance status, identified problems, and corrective actions taken. HIPAA compliance should be a regular management agenda item.
Conclusion
HIPAA protects patient health information privacy and security. The law applies to covered entities including healthcare providers, health plans, and clearinghouses, and to business associates that perform services involving PHI. HIPAA requirements include the Privacy Rule controlling use and disclosure of PHI, the Security Rule requiring safeguards for electronic PHI, and the Breach Notification Rule requiring response when breaches occur.
Protected health information includes individually identifiable health information held by covered entities. In medical billing, nearly all information is PHI because it combines health information with patient identifiers. Claims, statements, remittances, and communications about accounts all contain PHI requiring protection.
The Privacy Rule allows PHI use and disclosure for treatment, payment, and healthcare operations without patient authorization. Most billing activities fall under payment and can proceed without authorization. However, minimum necessary standards require limiting disclosures to information needed for the purpose. Marketing, research, and many other uses require patient authorization.
The Security Rule requires administrative safeguards including policies, training, access management, and incident response; physical safeguards protecting systems and facilities; and technical safeguards including access controls, encryption, audit controls, and transmission security. All electronic PHI must be protected with appropriate safeguards based on risk assessment.
Common HIPAA violations in billing include improper disclosures to family members or employers, lack of business associate agreements with vendors, inadequate access controls allowing unauthorized viewing, unencrypted devices and communications creating breach risks, and improper disposal of PHI in regular trash.
When incidents occur, risk assessments determine whether breaches happened. Breaches require notification to affected individuals within 60 days, notification to HHS, and media notification for large breaches. Penalties for violations range from $100 to $50,000 per violation with annual maximums up to $1.5 million. Criminal penalties including prison apply to knowing violations.
Compliance requires written policies and procedures, comprehensive staff training at hire and periodically, regular monitoring through audit log reviews and compliance audits, designated privacy and security officials, business associate agreements with all vendors accessing PHI, breach response procedures, and ongoing commitment to protecting patient information.
HIPAA compliance is not optional for anyone involved in medical billing. Understanding requirements, implementing appropriate safeguards, training staff properly, and taking compliance seriously protects both patients and the organization. The investment in compliance is far less than the cost of violations.
