The 'Big 2' HIPAA Rules Medical Billing Companies Must Follow

July 20th, 2022 - Find-A-Code Staff
Categories:   HIPAA|PHI  

The 'Big 2' HIPAA rules that medical billing companies must adhere to revolve around privacy and security.

Medical billing does not seem that complicated on the surface. But if you have ever dealt with things like finding diagnosis codes and NPI lookup, you know that accurate billing is anything but easy. A billing specialist has to know an awful lot. So does their employer. There are rules to follow, too. Take HIPAA rules, for example.

HIPAA covers nearly every aspect of how medical and personal information is collected, utilized, shared, and stored within the healthcare industry. Title II of the rules is applied directly to medical billing companies and independent coders. The 'Big 2' rules that medical billing companies must adhere to revolve around privacy and security.

The Privacy Rule

Patients are required to give different types of information to their healthcare providers. Some of that information falls under the protected healthcare information (PHI) category. HIPAA's privacy rule directs how medical billing companies go about disclosing PHI to partner entities. They must protect the data so that it is not shared with entities that do not have a legitimate reason to collect said data.

Protected information includes, but is not limited to:

●    past and current treatment information
●    fees paid by either patients or their insurance companies
●    names and locations of a patient's treatment providers.

Ensuring privacy accomplishes two things. First, it prevents unnecessary sharing of PHI. Second, it can help reduce the likelihood of medical billing fraud.  

The Security Rule

Of the two rules, the security rule gets greater attention (even though both should be equally important). Medical billing companies are required by HIPAA regulations to safeguard the integrity and confidentiality of all PHI in their possession. Furthermore, they are required to implement:

●    Physical Security – Medical billing companies are required to physically secure any and all premises on which protected data is housed. This includes implementing solutions like security alarms, surveillance cameras, etc.

●    Technical Security – Medical billing companies must implement technology safeguards to maintain data security. Such safeguards run the gamut from software solutions to physical pieces of hardware, like firewalls.

●    Administrative Security – Medical billing companies must implement administrative policies and procedures that guarantee employees are properly trained in data security best practices. In addition, the policies and procedures must be put in writing and routinely updated to accommodate changes.

Where the privacy rule is intended to prevent sharing data with entities that do not need it, the security rule is designed to prevent illegal access to protected data by bad actors. There is obviously some overlap here.

Applying the Rules to Contract Workers

Medical billing companies must abide by the rules whether their coders are salaried employees or independent contractors. The good news for contractors is that they are only responsible for the data they work with. Most of the responsibility falls on the shoulders of the medical billing company.

In a practical sense, this sort of arrangement usually results in a medical billing company requiring independent contractors to use a specific software platform. Coders might also be issued company laptops. Regardless of the amount of responsibility put on each contract worker, the law sees the medical billing company as ultimately responsible.

Medical billing involves access to a ton of information protected by law. Companies involved in this business are compelled to follow the privacy and security rules found in Title II of the HIPAA regulations. Rest assured that the Office of the Inspector General does not look kindly on rule breakers. The agency is more than willing to prosecute medical billing companies that do not play by the rules.




Copyright © 2000-2022 innoviHealth Systems®, Inc. - CPT® copyright American Medical Association