HIPAA: Privacy, Security, and Transaction Rules for Billing

Reviewed by the ImmediCare RCM team · 4 min read
Quick answer

HIPAA (the Health Insurance Portability and Accountability Act of 1996) sets national standards for protecting patient health information and standardizing electronic transactions. For billers it mandates the X12 transaction formats (837, 835, 270/271), protects PHI under the Privacy and Security Rules, and is enforced by the HHS Office for Civil Rights with civil penalties up to millions per year.

  • Enforced by: HHS Office for Civil Rights (OCR)
  • Applies to: Covered entities and business associates
  • Penalty: Tiered civil penalties + possible criminal

What is HIPAA?

HIPAA is the 1996 federal law that did two big things for billing: it protected patient health information, and it forced the industry onto standard electronic formats. The privacy and security pieces get the headlines, but the "Administrative Simplification" provisions are what created the X12 transactions billers use every day — the 837 claim, the 835 remittance, the 270/271 eligibility exchange.

So HIPAA is not only a privacy law. It is also the reason your clearinghouse, payer, and PM system all speak the same EDI dialect.

What are HIPAA's main rules?

  • Privacy Rule — governs uses and disclosures of PHI, patient rights, and the minimum-necessary standard.
  • Security Rule — requires administrative, physical, and technical safeguards for electronic PHI (access controls, encryption, audit logs).
  • Transactions and Code Sets Rule — mandates standard EDI formats and code sets (ICD-10, CPT, HCPCS) for covered transactions.
  • Breach Notification Rule — requires notifying affected individuals, HHS, and sometimes the media after a breach of unsecured PHI.

What does HIPAA mean for a billing operation?

A billing company is a business associate: it must sign a Business Associate Agreement (BAA) with each covered-entity client and comply with the Security and Privacy Rules directly. Practical example: emailing a spreadsheet of unpaid claims with patient names and diagnoses to a client's personal Gmail, unencrypted, is a reportable exposure of PHI even if no one outside ever sees it.

Working tip: Apply minimum necessary to appeals. When you submit records to support medical necessity, send only the notes for the dates at issue, not the entire chart. Over-disclosure is both a privacy risk and a way to hand payers unrelated material to deny on.

How is HIPAA enforced?

The HHS Office for Civil Rights (OCR) investigates complaints and breaches and imposes tiered civil monetary penalties that scale with culpability, up to substantial annual caps; willful neglect and knowing misuse can carry criminal charges. The HITECH Act strengthened enforcement and extended direct liability to business associates. Document your safeguards, train staff, and keep BAAs current — enforcement often turns on whether you had reasonable policies in place.

Frequently asked questions

Covered entities — health plans, health-care clearinghouses, and providers who transmit health information electronically — plus their business associates, meaning vendors that handle PHI on their behalf (billing companies, clearinghouses, EHR hosts). A billing company is almost always a business associate and must sign a Business Associate Agreement and follow the Security and Privacy Rules directly.

PHI is individually identifiable health information tied to a patient — name, dates, medical record number, diagnoses, claim data, and 15+ other identifiers when linked to health information. A claim file, a remittance, an eligibility response, and a denial worklist all contain PHI. Anything that could identify the patient and relates to their care or payment is protected.

The Privacy Rule requires that uses and disclosures of PHI be limited to the minimum necessary to accomplish the purpose. For billing, that means staff should access only the records needed to work a claim, and disclosures to payers should include only what the transaction requires — not the entire chart when a single date of service is at issue.
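The working tip above and this FAQ answer both describe the same control: before an appeal packet leaves the billing office, keep only the notes for the dates of service at issue, and record the disclosure so the Security Rule's audit-log safeguard has something to show an investigator. The example below is added here and is not ImmediCare's code; the dataclass, the constructed sample chart, the function names and the audit-record layout are all assumptions made for illustration.

```python
# Added example (not ImmediCare's code): applying the minimum-necessary
# standard to an appeal packet and recording the disclosure in an audit log.
# The note type, the sample chart and the audit-record layout are assumptions.
from dataclasses import dataclass
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class ClinicalNote:
    patient_id: str
    date_of_service: date
    note_type: str
    text: str


# Constructed sample chart: four notes across three encounters for one patient.
SAMPLE_CHART = [
    ClinicalNote("MRN-0001", date(2025, 1, 6), "progress", "Follow-up, stable"),
    ClinicalNote("MRN-0001", date(2025, 2, 14), "progress", "Knee pain, ordered MRI"),
    ClinicalNote("MRN-0001", date(2025, 2, 14), "imaging", "MRI right knee: meniscal tear"),
    ClinicalNote("MRN-0001", date(2025, 3, 3), "procedure", "Arthroscopy performed"),
]

# Constructed denial: the payer questioned medical necessity for one date of service.
DATE_AT_ISSUE = date(2025, 2, 14)


def build_appeal_packet(chart, patient_id, dates_at_issue, user, audit_log):
    """Select only the notes for the denied claim's dates of service and log the disclosure.

    Raises ValueError if the chart holds another patient's notes, because a mixed
    chart would carry a second patient's PHI into the packet.
    """
    wrong_patient = [n for n in chart if n.patient_id != patient_id]
    if wrong_patient:
        raise ValueError(f"chart contains {len(wrong_patient)} note(s) for another patient")

    at_issue = set(dates_at_issue)
    packet = [n for n in chart if n.date_of_service in at_issue]

    # Security Rule technical safeguard: who disclosed what, about whom, and why.
    audit_log.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "patient_id": patient_id,
        "purpose": "appeal",
        "dates_disclosed": sorted(d.isoformat() for d in at_issue),
        "notes_sent": len(packet),
        "notes_withheld": len(chart) - len(packet),
    })
    return packet


def disclosure_is_minimum_necessary(packet, dates_at_issue):
    """Pre-send check: every note in the packet must fall on a date at issue."""
    at_issue = set(dates_at_issue)
    return all(n.date_of_service in at_issue for n in packet)


if __name__ == "__main__":
    log = []
    pkt = build_appeal_packet(SAMPLE_CHART, "MRN-0001", [DATE_AT_ISSUE], "biller@example.test", log)
    print(f"sending {len(pkt)} of {len(SAMPLE_CHART)} notes; withheld {log[-1]['notes_withheld']}")
    print("minimum necessary:", disclosure_is_minimum_necessary(pkt, [DATE_AT_ISSUE]))
```

The pre-send check is the piece worth wiring into a real workflow: if someone attaches the whole chart, `disclosure_is_minimum_necessary` returns False and the packet should be stopped before it goes to the payer, while the audit record gives OCR the documented safeguard the enforcement section above says investigations turn on.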

Reviewed by the ImmediCare Solutions RCM team

Certified billers and coders handling claims across 50+ specialties nationwide. This entry is reviewed against current payer policy and CMS rules. Last review: Jul 5, 2026.
