What every medical biller and coder must know about patient privacy

Every day, medical billers and coders are entrusted with patients’ protected health information (PHI). Their access to a person’s diagnoses, treatments, medical records and personal identifiers—including names, addresses, insurance information and service dates—is essential to their medical billing and coding responsibilities. However, legal and professional guidelines require that medical billers and coders take steps to keep this information private and secure. Understanding key legal requirements, best practices and practical safeguards can help you succeed in this profession while also avoiding patient privacy violations and potential penalties.

Every medical biller and coder is legally and ethically obligated to comply with the provisions of the Health Insurance Portability and Accountability Act, commonly known as HIPAA. This 1996 law established national standards for the security of electronic healthcare transactions, code sets and health identifiers unique to each person. Understanding this foundational patient privacy law is an important part of medical billing and coding educational programs.

Since it became law, HIPAA has been significantly expanded and modernized to cover many aspects of healthcare. The following HIPAA rules and standards most directly affect the way medical billers and coders meet their professional responsibilities:

HIPAA Privacy Rule

The HIPAA Privacy Rule safeguards the use and disclosure of a person’s PHI by individuals and organizations called “covered entities.” Covered entities include healthcare providers, health plans and healthcare clearinghouses. Billing and coding companies, outsourced coding vendors and others, called “business associates,” who handle PHI on behalf of covered entities must also follow HIPAA rules and standards.

The HIPAA Privacy Rule applies to medical billers and coders by requiring them to protect patients’ PHI. They can only use or disclose this information for permitted purposes like treatment, payment and healthcare operations. Medical billers and coders must also follow the “minimum necessary” standard by accessing or sharing only the information essential to perform their professional duties.

HIPAA Security Rule

The HIPAA Security Rule requires covered entities and business associates to maintain physical, administrative and technical protections to safeguard the integrity and confidentiality of electronic PHI. It also requires covered entities and business associates to take precautions that secure the safe transmission and storage of electronic PHI. This involves using encryption, conducting risk assessments and training staff.

The HIPAA Security Rule applies to medical billers and coders by requiring them to safeguard electronic PHI through secure access, data encryption and password protection. They must also follow organizational policies for reporting security incidents and complete regular training on protecting electronic PHI from unauthorized access or breaches.

HIPAA Transaction and Code Set Standards

The HIPAA Transaction and Code Set Standards standardize the electronic exchange of healthcare-related data, such as claims, payment/remittance advice and referral authorizations. They require covered entities to use specific code sets and transaction formats so that electronic data is exchanged uniformly and efficiently.

These standards apply to medical billers and coders by requiring them to use standardized electronic formats and code sets when submitting claims, verifying insurance or handling other bill-related transactions. This helps ensure consistency, streamlines communication and reduces errors.

HIPAA Breach Notification Rule

When a breach of unsecured PHI occurs, the HIPAA Breach Notification Rule mandates that covered entities and business associates must alert impacted individuals, the U.S. Department of Health and Human Services (HHS) and occasionally, the media. Covered entities must send this notification as soon as possible, without unreasonable delays, and within 60 days of discovering the breach.

The HIPAA Breach Notification Rule applies to medical billers and coders by requiring them to promptly report any suspected or confirmed breaches of unsecured PHI to their organization’s privacy or security officer. They may also be involved in documenting the breach details to support timely notifications to affected individuals and regulatory authorities.

Professional and ethical responsibilities

In addition to following the legal standards required by HIPAA, medical billers and coders have professional and ethical responsibilities regarding patient privacy. Due to the nature of their positions and their access to PHI, medical billers and coders are obligated to act with honesty and integrity when dealing with patient privacy issues.

Professional medical billing and coding organizations help members recognize and maintain their professional and ethical responsibilities by providing opportunities for continuing education, professional development and medical billing and coding certifications. This strengthens the profession, protects patient privacy and improves the overall quality of healthcare beyond legal requirements.

Professional medical billing and coding organizations typically provide members with a code of ethics as a guide to their behavior in the workplace. These codes provide a framework for ethical decision-making, promote high professional standards and ensure professional accountability. Examples include:

Patient privacy violation examples

Despite legal requirements and professional guidelines, patient privacy violations occur. In 2024, HHS received almost 375,000 complaints related to the HIPAA Privacy Rule alone. These violations can lead to identity theft, discrimination and financial fraud. They can also damage the provider-patient relationship and result in a loss of patient trust.

HIPAA complaints are investigated through a multi-tiered approach: federal enforcement by HHS, with its Office for Civil Rights (OCR) handling civil penalties and the Department of Justice (DOJ) handling criminal penalties. State attorneys general may also take state-level action. Whether the cause is human error, improper training or harmful intent, patient privacy violations can result in civil and/or criminal penalties, fines, imprisonment and/or corrective action, depending on the circumstances and severity.

Examples of ways medical billers and coders may violate patient privacy include:

  • Using unsecured or unencrypted communication channels, such as email, texts or third-party services, to transmit PHI
  • Violating the “minimum necessary” rule by disclosing more information than necessary when sending claims or when communicating with insurance companies or collection agencies
  • Incorrect disposal of PHI, such as throwing paper billing records in the unsecured trash or disposing of hardware without wiping electronic PHI files
  • Sending detailed medical information, such as billing/claims diagnosis codes, without appropriate privacy safeguards when communicating with collection agencies or third parties
  • Accessing PHI or medical records information beyond your role
  • Allowing unauthorized staff to overhear or access electronic PHI
  • Using incorrect modifiers for claims, reimbursement or patient records
  • Delaying or refusing to provide patient records upon request, charging unnecessary or excessive fees or insisting that patients physically retrieve records when they want a digital copy

Medical billing and coding best practices

As a medical biller or coder, you can support legal and ethical healthcare information management by understanding and applying HIPAA guidelines and established professional privacy principles. While you will be subject to the guidelines and protocols of your employer, you are also responsible for making sure your actions follow HIPAA criteria and meet regulatory obligations.

Medical billers and coders can protect patient privacy and reduce the risk of privacy violations by following these best practices:

Limit access to patient records.

  • Only access the patient records you are explicitly authorized to see.
  • Don’t look up records for family or friends unless the reason is related to your professional responsibilities.
  • After accessing patient records, close them and lock or end your session so unauthorized users can’t view protected data.

Follow the “minimum necessary” rule.

  • Only include the PHI fields necessary for a specific task, such as coding, claim submission or auditing.
  • Don’t over-disclose information.
  • When documenting or submitting information, avoid unnecessary personal identifiers.

Secure data systems.

  • Use strong passwords and multi-factor authentication whenever possible.
  • Use encryption for data in transit and data at rest.
  • Update electronic health record (EHR), billing and coding software as updates become available.

Enable physical security measures.

  • Secure physical records by establishing protocols to keep filing cabinets locked and under restricted use.
  • Protect computer screens from being observed by unauthorized individuals.
  • Shred paper documents according to your workplace policy when they are no longer needed.

Maintain policies and training.

  • Participate regularly in patient privacy/security training.
  • Take advantage of professional opportunities to expand your knowledge of patient privacy best practices.
  • Know your organization’s policies on PHI use, disclosure and breach reporting.

Protect the integrity of documentation.

  • Ensure your documentation supports all coded diagnoses and procedures.
  • Flag discrepancies or errors that could lead to potential violations.
  • Never falsify, fabricate or misrepresent patient data.

Understand the breach notification process.

  • Understand the circumstances that define a breach.
  • Be familiar with your organization’s internal process for breach notification.
  • When you recognize a breach, follow the timelines for notifying those affected, HHS and OCR as required under the Breach Notification Rule.