HIPAA
Federal law setting standards for protecting patient health information. Mandatory for every entity handling PHI.
HIPAA Explained
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is the federal law setting national standards for protecting patient health information. Every entity that handles Protected Health Information (PHI) must comply: providers, payers, clearinghouses, billing companies, EHR vendors, and any other business associate. Two of its rules do most of the work in billing: the Privacy Rule, which governs how PHI may be used and disclosed, and the Security Rule, which requires administrative, physical, and technical safeguards for electronic PHI (ePHI). A billing partner must sign a Business Associate Agreement (BAA) before it receives any PHI; disclosing PHI to a business associate without a signed BAA is itself a HIPAA violation.

The 2009 HITECH Act added breach notification requirements and raised penalties: for violations due to willful neglect, the annual cap was set at $1.5 million for all violations of an identical provision (the figure has since been adjusted upward for inflation). Common HIPAA failures in billing operations include staff viewing PHI for purposes other than treatment, payment, or health care operations (TPO), PHI sent over unencrypted email, lost or stolen devices containing PHI, and audit logging too thin to show who viewed which record. The ASC X12 837 (claim), 835 (remittance/payment), and 270/271 (eligibility inquiry/response) transaction sets that drive electronic claim submission, payment, and eligibility verification are themselves standards adopted under HIPAA.

Compliant billing operations encrypt PHI at rest and in transit, limit PHI to role-based access, record an audit trail for every PHI view, require annual HIPAA training, hold signed BAAs with every business associate, and run quarterly internal access audits to catch problems before a payer or auditor does.
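The quarterly access audit described above is only as good as the questions it asks of the audit trail. The script below is an added example, not code from the original page or from any vendor it mentions; it runs three checks over a constructed JSON-lines PHI access log: the action is within the role's minimum-necessary permission set, the recorded purpose is a TPO purpose, and the patient is on the user's current work queue. The log fields (user, role, patient, resource, action, purpose), the role matrix, and the work-queue data are all assumptions made for the illustration.

```python
"""Quarterly PHI access audit over a constructed audit-trail sample.

Added example, not from the original page. Log lines, role matrix and
work-queue data are constructed for illustration only."""
import json
from collections import Counter, defaultdict

# Constructed audit trail: one JSON object per PHI access. Assumption: the
# EHR/billing system records at least actor, role, patient, resource,
# action and a purpose code for every view or export.
AUDIT_LOG = """\
{"ts":"2024-04-02T09:14:03Z","user":"jdoe","role":"biller","patient":"P1001","resource":"claim","action":"view","purpose":"payment"}
{"ts":"2024-04-02T09:15:40Z","user":"jdoe","role":"biller","patient":"P1002","resource":"clinical_note","action":"view","purpose":"payment"}
{"ts":"2024-04-02T10:02:11Z","user":"asmith","role":"coder","patient":"P1003","resource":"clinical_note","action":"view","purpose":"operations"}
{"ts":"2024-04-02T12:30:00Z","user":"asmith","role":"coder","patient":"P1004","resource":"demographics","action":"view","purpose":"curiosity"}
{"ts":"2024-04-03T08:00:00Z","user":"jdoe","role":"biller","patient":"P1009","resource":"claim","action":"view","purpose":"payment"}
{"ts":"2024-04-03T08:05:00Z","user":"jdoe","role":"biller","patient":"P1001","resource":"claim","action":"export","purpose":"payment"}
"""

# Constructed role matrix: the minimum-necessary resources and actions each
# billing role needs. Anything outside it is a finding.
ROLE_PERMISSIONS = {
    "biller": {"claim": {"view"}, "demographics": {"view"}, "remittance": {"view"}},
    "coder": {"clinical_note": {"view"}, "demographics": {"view"}, "claim": {"view"}},
}

# The Privacy Rule permits use and disclosure without patient authorization
# for treatment, payment and health care operations (TPO); other purpose
# codes need a documented authorization or exception.
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Constructed work queue: patients each user has an open claim or coding
# task for. Access outside it is not automatically a violation, but it is
# what a reviewer needs to look at.
WORK_QUEUE = {
    "jdoe": {"P1001", "P1002"},
    "asmith": {"P1003"},
}


def audit_event(ev, work_queue=WORK_QUEUE, perms=ROLE_PERMISSIONS):
    """Return finding codes for one access event (empty list means clean)."""
    findings = []
    allowed = perms.get(ev["role"], {})
    if ev["action"] not in allowed.get(ev["resource"], set()):
        findings.append("ROLE_VIOLATION")
    if ev["purpose"] not in TPO_PURPOSES:
        findings.append("NON_TPO_PURPOSE")
    if ev["patient"] not in work_queue.get(ev["user"], set()):
        findings.append("OUTSIDE_WORK_QUEUE")
    return findings


def run_audit(log_text, work_queue=WORK_QUEUE, perms=ROLE_PERMISSIONS):
    """Parse a JSON-lines audit trail; return (flagged events, per-user counts)."""
    flagged = []
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        codes = audit_event(ev, work_queue, perms)
        for code in codes:
            per_user[ev["user"]][code] += 1
        if codes:
            flagged.append({
                "ts": ev["ts"], "user": ev["user"], "patient": ev["patient"],
                "resource": ev["resource"], "action": ev["action"],
                "findings": codes,
            })
    return flagged, {user: dict(counts) for user, counts in per_user.items()}


if __name__ == "__main__":
    flagged, summary = run_audit(AUDIT_LOG)
    for f in flagged:
        print(f["ts"], f["user"], f["patient"], f["resource"], f["action"],
              ",".join(f["findings"]))
    print(json.dumps(summary, indent=2))
```

On the sample data the audit flags four of six events: a biller opening a clinical note, a coder browsing demographics with a non-TPO purpose for a patient not on their queue, a biller viewing a claim outside their queue, and a claim export that the biller role does not permit. Each finding carries the original timestamp and actor so a reviewer can go back to the system of record; the work-queue check is the one most likely to produce false positives (coverage, reassignments), so treat it as a review trigger rather than a verdict. If the audit trail does not record a purpose code at all, that is itself the first finding to raise.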
See Also: Related Concepts
Billing Compliance
Adherence to federal and state regulations governing how medical services are coded, billed, and documented. Non-compliance can result in audits, fines, or exclusion from payer programs.
EHR/EMR
Electronic Health Record / Electronic Medical Record. Digital systems for maintaining patient clinical data, used as the source for coding and billing documentation.
FWA (Fraud Waste and Abuse)
Federal enforcement framework targeting improper billing practices. Includes upcoding, unbundling, billing for services not rendered, and kickback schemes.