The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes strict privacy regulations to keep patient information private. HIPAA applies to all forms of individuals' protected health information, including payment-related information. Under HIPAA, patient billing information qualifies as protected health information (PHI). This means that healthcare providers and any third-party companies they contract with are responsible for protecting personally identifiable information.
HIPAA violations are costly and becoming more common as hackers actively seek to steal PHI. Covered entities must protect PHI to prevent fines, possible imprisonment, and class-action lawsuits. This includes choosing third-party medical billing providers who understand HIPAA and taking steps to protect the data within their systems.
The HIPAA Privacy Rule permits a covered entity or its collection agency to communicate with parties other than the patient regarding payment of a bill. However, the Rule requires them to reasonably limit the amount of information disclosed for such purposes to the minimum necessary.
| Characteristic | Value |
|---|---|
| Does HIPAA apply to billing information? | Yes |
| What is billing information? | Patient billing information |
| What does PHI stand for? | Protected Health Information (PHI) |
| What are some examples of PHI? | Information about an individual's mental or physical condition, the health care they receive, demographic information, health plan information, practice account numbers, and medical records |
| What are the consequences of HIPAA violations? | Fines, possible imprisonment, and class-action lawsuits |
What You'll Learn
- The Privacy Rule permits a covered entity or its business associate to disclose protected health information to obtain payment for healthcare
- Protected health information includes billing and payment information
- Covered entities must reasonably limit the amount of information disclosed for such purposes to the minimum necessary
- Covered entities must have procedures in place to limit who can view and access your health information
- Business associates must also put in place safeguards to protect your health information
The Privacy Rule permits a covered entity or its business associate to disclose protected health information to obtain payment for healthcare
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established a set of national standards for the protection of certain health information. The HIPAA Privacy Rule, issued by the U.S. Department of Health and Human Services (HHS), sets out the permitted uses and disclosures of protected health information (PHI).
The Privacy Rule permits a covered entity or its business associate to disclose PHI to obtain payment for healthcare. PHI refers to "individually identifiable health information" held or transmitted by a covered entity or its business associate. This includes information such as an individual's past, present, or future physical or mental health condition, the provision of healthcare to the individual, and the payment for the provision of healthcare to the individual.
Covered entities include health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain transactions. Business associates are persons or organizations that perform functions or provide services to a covered entity that involve the use or disclosure of PHI.
When it comes to obtaining payment for healthcare, a covered entity or its business associate is permitted to disclose PHI to carry out "payment" activities. "Payment" is defined as the activities of healthcare providers to obtain payment or reimbursement for their services, and of health plans to obtain premiums, fulfil coverage responsibilities, and provide benefits under the plan.
Examples of common payment activities include:
- Determining eligibility or coverage under a plan and adjudicating claims
- Billing and collection activities
- Reviewing healthcare services for medical necessity, coverage, and justification of charges
- Utilization review activities
- Disclosures to consumer reporting agencies for specified identifying information about the individual, their payment history, and identifying information about the covered entity
The Privacy Rule allows covered entities and their business associates to disclose PHI for payment activities without the individual's authorization. However, the Rule requires them to reasonably limit the amount of information disclosed and to abide by any requests for confidential communications and agreed-upon restrictions on the use or disclosure of PHI.
Protected health information includes billing and payment information
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule establishes a set of national standards for the protection of certain health information. It requires the Department of Health and Human Services (HHS) to publicize standards for the electronic exchange, privacy, and security of health information.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This includes demographic data that relates to:
- An individual's past, present, or future physical or mental health or condition
- The provision of health care to an individual
- The past, present, or future payment for the provision of health care to an individual
Individually identifiable health information is defined as a subset of health information, including demographic information, that is created or received by a health care provider, health plan, employer, or health care clearinghouse and that identifies the individual or can be used to identify the individual.
Protected Health Information (PHI) is defined as "individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or media." This includes medical records and billing records about individuals maintained by or for a covered health care provider, as well as enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan.
PHI also includes any other records that are used, in whole or in part, by or for a covered entity to make decisions about individuals. This includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.
Therefore, billing and payment information is included in PHI if it can be used to identify an individual. This means that information such as an individual's name, address, birth date, and Social Security Number, when combined with health information, would be considered PHI.
Covered entities are required to provide individuals with access to their PHI upon request. This includes the right to inspect or obtain a copy of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice. Covered entities may charge a reasonable, cost-based fee for providing individuals with a copy of their PHI.
Covered entities must reasonably limit the amount of information disclosed for such purposes to the minimum necessary
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule requires covered entities to reasonably limit the amount of information disclosed to the minimum necessary. This rule applies to covered entities such as health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. Covered entities must develop and implement policies and procedures to reasonably limit the use and disclosure of protected health information (PHI) to the minimum necessary. This includes restricting access to PHI based on the specific roles of the workforce members.
The minimum necessary requirement does not apply in certain circumstances, such as:
- Disclosure to or a request by a healthcare provider for treatment
- Disclosure to an individual who is the subject of the information or their personal representative
- Use or disclosure made pursuant to an authorization
- Disclosure to the Department of Health and Human Services (HHS) for complaint investigation, compliance review, or enforcement
- Use or disclosure required by law
- Use or disclosure required for compliance with the HIPAA Transactions Rule or other HIPAA Administrative Simplification Rules
Covered entities must also establish and implement policies and procedures for routine, recurring disclosures or requests for disclosures, limiting the PHI disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure. For non-routine, non-recurring disclosures, covered entities must develop criteria to limit disclosures to the information reasonably necessary and review each request individually.
Covered entities must have procedures in place to limit who can view and access your health information
The Health Insurance Portability and Accountability Act (HIPAA) is a US law that establishes a set of national standards for the protection of certain health information. The US Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of HIPAA. The Privacy Rule standards address the use and disclosure of individuals' health information, which is referred to as "protected health information" (PHI).
Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain transactions. These covered entities must have procedures in place to limit who can view and access your health information.
Covered entities must implement training programs for employees about how to protect health information. They must also put in place safeguards to protect health information and ensure that they do not use or disclose health information improperly. This includes reasonably limiting the use and disclosure of health information to the minimum necessary to accomplish the intended purpose.
In addition, covered entities must have procedures in place to limit who can view and access health information. This includes establishing and implementing policies and procedures for routine, recurring disclosures, or requests for disclosures that limit the protected health information disclosed to the minimum amount reasonably necessary to achieve the purpose of the disclosure.
Covered entities must also have contracts in place with their business associates, which are entities that need access to health information when providing services to the covered entity. These contracts ensure that business associates use and disclose health information properly, safeguard it appropriately, and follow the Privacy Rule.
Business associates must also put in place safeguards to protect your health information
Business associates are required to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI. This includes implementing policies and procedures that comply with the HIPAA rules, restricting access to authorised people, conducting regular risk analyses, documenting security measures, and appointing a privacy official.
Business associates must also enter into subcontractor agreements, and act when there is a material breach of that agreement. They must cooperate with the U.S. Department of Health and Human Services (HHS) investigations and reviews, and not retaliate against individuals for filing a complaint.
Business associates are also required to obtain "satisfactory assurances" that the PHI will only be used for the purposes for which the covered entity was engaged, will not be disclosed to other entities, and will be safeguarded from misuse. This must be in writing, in the form of a contract or other agreement.
Business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
Frequently asked questions
Yes, under HIPAA, patient billing information qualifies as protected health information (PHI). This includes billing and payment information that can be linked to an individual by one of 18 identifiers, such as name, address, date of birth, and Social Security number.
Other types of PHI include information about an individual's mental or physical condition, the health care they receive, health plan information, practice account numbers, and medical records. PHI can also include serial numbers and other identifiers on medical devices, photos, IP addresses, and fingerprints.
HIPAA violations can be costly, with covered entities facing fines, possible imprisonment, and class-action lawsuits. It is important to choose third-party medical billing providers who understand HIPAA and take steps to protect sensitive data.