Is Billing Information Protected Under HIPAA?

Medical billing in ambulatory surgery centers differs from regular physician billing or healthcare facility billing. ASC billing necessitates adherence to specialized guidelines for reimbursements. Furthermore, ASC coding and billing are also independent of medical facilities. As the ASCs cater to every specialty in one place, their coding systems do not center on any specific type of services, diagnoses, or procedures.
Moreover, it doesn’t mean that your team will have to re-learn a new set of codes for ASC billing, or even new billing techniques. At the same time, what makes ASC billing massively different from hospital billing is billing the hospital codes via a CMS-1500 claim form, which is not a facility claim form.

Electronic medical billing requires access to the PHI (protected health information) for accurately carrying out billing procedures. Accuracy of the medical billing services is vital to receiving proper payments for the treatment provided by healthcare practitioners. While healthcare billing companies are not covered entities, they are still contracted as business associates, which fall under HIPAA regulations.
So, is billing information protected under HIPAA? Yes, billing information is protected under HIPAA. But how does HIPAA compliance in medical billing work? -We will discuss more on that later; first, let’s elaborate more on:

Protected Health Information Under HIPAA

Title II of the HIPAA applies to healthcare billing companies. It directs proper usage and disclosure of PHI (protected health information), simplifying claims and billing processing.

HIPAA Compliance in Medical Billing

Under the HIPAA, the patient billing information does fall under the PHI. While the other types of PHI also include information regarding an individual’s mental or physical condition and the healthcare services/treatments they receive. Furthermore, payment and billing information becomes PHI when it is likely to link to a person/individual by any one of the known 18 identifiers. It is important to understand the importance of compliance in medical billing.

Note: The 18 identifiers are elaborated later in the article.

The Privacy Rule and Billing Information Protected under HIPAA

The HIPAA privacy rules ensure that a patient’s PHI remains covered – the rule creates parameters and terms for sharing or using such information without proper approvals from all stakeholders, mainly the patients.
So, is billing information protected under HIPAA? Indeed, it also applies to the following:

1. Health Plans

The health plans for the context of privacy include:

Employers
Church
Government health plans
Multi-employers health plans

2. Healthcare Practitioners

The healthcare providers are covered under HIPAA privacy rules regardless of their size. The rules apply to anyone who transfers PHI electronically. These include:

Referrals
Authorization
Insurance claims
Benefits of eligibility
Transactions

Who are considered healthcare providers?

The healthcare providers include:

Physicians
Institutional providers
Health or medical services
Dentists and other practitioners

3.Business Associates

The business associates are the contractors or non-workforce members who might require access to the PHI. If you are a healthcare organization that needs to outsource its IT services, in such a case, you will need a proper business associate agreement. Such agreements are between a contractor or vendor and a healthcare practice to allow them access to sensitive data, like the billing information protected under HIPAA.

What billing information is protected under HIPAA?

The protected health information is independently identifiable health information of a patient. It refers to a patient’s billing information protected under HIPAA and two other classes of data, including:
A patient’s mental or physical condition or health.
Past, present, and future provisioning of healthcare to a patient
The past, present, and future billing information for healthcare provisioning for a person is also protected under HIPAA.
The listed item number three answers the question is billing information protected under HIPAA. This also includes information on the following:

Insurance payments
Carriers
Payments
Billing statements
Receipts
Credit card numbers
Bank accounts
Other financial information, all of these are part of the billing information under HIPAA protection

The payment or billing information must be connected to an individual identifier to be classified as PHI. For instance, a medical bill with a patient’s address can be traced to a specific person. There are some instances where these identifiers are rather indirect.

18 Identifiers for a Patient

Any of these entities, when tied to healthcare payments, will constitute PHI:

Name
Address
All dates related to a person, including their:
Birth date
Admission date
Discharge date
Date of death
The exact age, if it is over 89
Contact number
Email address
Medical record number
Account number
Fax number
Social Security number
Health plan beneficiary number
Photographic images
Certificate or license numbers
Vehicle or device serial number
Serial numbers or device identifiers
Web URLs
IP (Internet Protocol) address numbers
Voice or fingerprints
Other characteristics that can uniquely identify a person

Implications – HIPAA Violations are Expensive

There is a reason why personal and billing information is protected under HIPAA, and as a healthcare practice, you must understand that HIPAA violations are a costly affair. HIPAA violations and data breaches are becoming increasingly common as hackers actively seek to steal PHI. Only between 2020 and 2021, healthcare data-related breaches have doubled. Such patient privacy violations are causing health plans, providers, and healthcare facilities millions of dollars yearly. This is in addition to the negative impacts on providers’ reputation and practice revenue.

Final Word - Outsourcing Medical Billing for Ensuring HIPAA Compliance

The covered entities must protect PHI to avoid fines, liabilities, possible imprisonment, and other class-action lawsuits. It means outsourcing the billing operations to third-party providers who are proficient with HIPAA regulations. Third-party medical billing companies, like the Physicians Revenue Group, Inc. understand the HIPAA regulations and take practical steps to protect data within their systems. By now, it is clear that billing information is protected under HIPAA, and therefore, it is important to understand your company’s data lifecycle. The lifecycle is a complete process that includes data collection and destruction and conducting assessments to identify vulnerabilities. Moreover, it also includes addressing such vulnerabilities and offering full HIPAA data protection training to your staff/employees to prevent violations effectively.