HIPAA Rules for Medical Billing

Medical billing companies have to access protected health information (PHI) to perform their job duties. HIPAA rules for medical billing companies are the same as they would be for any other HIPAA business associate (BA). 

Title II: Preventing Medical Healthcare Fraud and Abuse, Administrative Simplification, and Medical Liability Reform

Title II of HIPAA applies directly to medical billing companies, as it dictates the proper uses and disclosures of protected health information (PHI), as well as simplifying processing of claims and billing. Title II also creates guidelines for keeping electronic records and the sharing of electronic records between healthcare entities. 

Additionally, Title II put the Office of the Inspector General (OIG), a division of the Department of Health and Human Services (HHS), in charge of investigating and prosecuting healthcare providers and insurance company fraud.

HIPAA Rules for Medical Billing: Privacy Rule

The Privacy Rule applies to medical billing companies in respect to how they are permitted to disclose PHI to other medical entities. 

The PHI a medical billing company may have access to includes: 

• Treatment information, including past and current medical conditions
• Fees that patients or their insurance companies paid for treatment
• The location of the treating healthcare provider

HIPAA Rules for Medical Billing: Security Rule

The Security Rule applies to medical billing companies in respect to how they are protecting the PHI that they have access to. As a business associate, medical billing companies must implement administrative, physical, and technical safeguards to maintain the confidentiality, availability, and integrity of PHI. 

The required safeguards are as follows:

• Physical Safeguards: protect the physical security of your offices where PHI or ePHI may be stored or maintained. Common examples of physical safeguards include alarm systems, security systems, and locking areas where PHI or ePHI is stored.
• Technical Safeguards: protect the cybersecurity of your business. Technical cybersecurity safeguards must be implemented in order to protect the ePHI that is maintained by your business. Examples of technical safeguards include firewalls, encryption, and data backup.
• Administrative Safeguards: ensure that staff members are properly trained in order to execute the security measures you have in place. Administrative safeguards should include policies and procedures that document the security safeguards you have in place, as well as employee training on those policies and procedures to ensure that they are being properly executed.

OIG Compliance

The Office of the Inspector General (OIG) is responsible for ensuring that medical billing and coding companies are not acting fraudulently. 

The most common ways medical billing and coding companies commit fraud are:

• Upcoding: occurs when providers try to get more money from insurance companies for billing patients for services they did not perform.
• Undercoding: occurs when providers intentionally leave out codes for services provided, with the intention of avoiding an OIG investigation.
• Unbundling codes: occurs when providers submit separate claims for services that can be submitted as one bill. This is done in an attempt to maximize payments received from insurance companies.
• Falsifying medical records: occurs when providers falsify patients’ medical records, by altering medical histories, payment histories, or descriptions of treatment.