by Find-A-Code™
Jul 20th, 2022
Medical billing does not seem that complicated on the surface. But if you have ever dealt with things like finding diagnosis codes and NPI lookup, you know that accurate billing is anything but easy. A billing specialist has to know an awful lot. So does their employer. There are rules to follow, too. Take HIPAA rules, for example.
HIPAA covers nearly every aspect of how medical and personal information is collected, used, shared, and stored within the healthcare industry. Title II of the law (the Administrative Simplification provisions) applies to covered entities and to the business associates that handle protected information on their behalf, which is how medical billing companies and independent coders fall under it. The 'Big 2' rules that medical billing companies must adhere to are the Privacy Rule and the Security Rule.
The Privacy Rule
Patients are required to give different types of information to their healthcare providers. Some of that information falls under the protected health information (PHI) category. HIPAA's Privacy Rule governs how medical billing companies use and disclose PHI, including disclosures to partner entities. They must protect the data so that it is not shared with entities that do not have a legitimate reason to receive it, and they must limit what is shared to the minimum necessary for the purpose at hand.
Protected information includes, but is not limited to:
● past and current treatment information
● fees paid by either patients or their insurance companies
● names and locations of a patient's treatment providers.
Ensuring privacy accomplishes two things. First, it prevents unnecessary sharing of PHI. Second, it can help reduce the likelihood of medical billing fraud.
The Security Rule
Of the two rules, the Security Rule gets greater attention (even though both should be equally important). It applies specifically to PHI held or transmitted in electronic form (ePHI). Medical billing companies are required by HIPAA regulations to safeguard the confidentiality, integrity, and availability of all ePHI in their possession. Furthermore, they are required to implement three categories of safeguards:
● Physical Safeguards – Medical billing companies are required to physically secure any and all premises on which protected data is housed. The rule frames this as facility access controls, workstation security, and device and media controls. In practice that means solutions like security alarms, surveillance cameras, locked server rooms, and secure disposal or reuse of drives and devices that have held ePHI.
● Technical Safeguards – Medical billing companies must implement technology safeguards to maintain data security. The rule's technical standards cover access control (unique user identification, emergency access, automatic logoff, encryption), audit controls, integrity controls, person or entity authentication, and transmission security. Such safeguards run the gamut from software (access management, audit logging, encryption of data at rest and in transit) to network controls like firewalls, whether implemented in hardware or software.
● Administrative Safeguards – Medical billing companies must implement administrative policies and procedures that ensure employees are properly trained in data security best practices. The rule also requires a documented risk analysis and risk management process, a sanction policy for workforce members who violate the rules, contingency (backup and disaster recovery) planning, and periodic evaluation. The policies and procedures must be put in writing and routinely updated to accommodate changes in the business and its technology.
Where the Privacy Rule is intended to prevent sharing data with entities that do not need it, the Security Rule is designed to prevent unauthorized access to protected data by bad actors. There is obviously some overlap here.
Applying the Rules to Contract Workers
Medical billing companies must abide by the rules whether their coders are salaried employees or independent contractors. Contractors are responsible for the PHI they actually work with: an independent coder who creates, receives, maintains, or transmits PHI on the company's behalf is a business associate subcontractor, is normally bound by a written business associate agreement, and is directly liable under HIPAA for how they handle that data. The broader program (risk analysis, policies, training, and the safeguards described above) still falls on the shoulders of the medical billing company.
In a practical sense, this sort of arrangement usually results in a medical billing company requiring independent contractors to use a specific software platform, so that access control, audit logging, and encryption are enforced centrally rather than left to each coder. Coders might also be issued company laptops. Regardless of the amount of responsibility put on each contract worker, the medical billing company remains accountable for the PHI it entrusts to them.
Medical billing involves access to a ton of information protected by law. Companies involved in this business are compelled to follow the Privacy and Security Rules found in Title II of the HIPAA regulations. Rest assured that regulators do not look kindly on rule breakers. The HHS Office for Civil Rights enforces the Privacy and Security Rules and can impose civil monetary penalties and corrective action plans on medical billing companies that do not play by the rules; knowing violations can be referred to the Department of Justice for criminal prosecution, and the Office of Inspector General pursues related billing fraud.