Round 5 — Compliance and the Changing Environment
Module 3: HIPAA and the Revenue Cycle
When your revenue cycle can't afford to stop.
HIPAA touches the revenue cycle at every step. Every time a claim is submitted electronically, every time a billing record is accessed, every time a vendor handles patient data on behalf of the practice — HIPAA governs how that information is created, used, shared, and protected.
This module covers three components of HIPAA that directly affect billing operations: the transactions and code set standards that govern how claims move electronically, the privacy and security rules that protect patient health information, and the Business Associate Agreement requirement that extends those obligations to every vendor with access to patient data.
Before HIPAA, payers used hundreds of different proprietary formats for electronic transactions. A practice submitting claims to five different payers might be managing five different formats. HIPAA standardized all of that, replacing the patchwork with uniform standards that every provider, payer, and clearinghouse is required to use.
The practical result for the revenue cycle: electronic claim submission, eligibility verification, remittance advice, and other standard transactions all follow the same rules regardless of payer. That consistency is what allows clearinghouses to function as intermediaries and what makes electronic data interchange (EDI) possible at scale.
HIPAA-Required Identifiers and Code Sets
National Provider Identifier (NPI): A unique 10-digit number assigned to each healthcare provider. Type 1 NPIs are for individual providers; Type 2 NPIs are for organizations. The NPI stays with the provider regardless of where they work and must appear on all electronic transactions.
Code sets: HIPAA mandates the use of specific code sets for all electronic transactions — ICD-10-CM for diagnoses, CPT for physician procedures, HCPCS for ancillary services. Using the correct code set is not optional; it is a HIPAA requirement, not just a billing best practice.
HIPAA's privacy rule sets a national standard for how protected health information (PHI) can be used and disclosed. Before HIPAA, privacy protections for health information varied by state. Now every covered entity — providers, payers, clearinghouses — must meet the same minimum federal standard.
The privacy rule has three core elements: it defines who may see or use PHI and what they can do with it; it limits disclosures to the minimum necessary for the task at hand; and it establishes patient rights over their own health information.
Patient Rights Under HIPAA Privacy
What Patients Are Entitled To
Receive the Notice of Privacy Practices.
Access, review, and receive a copy of medical and billing records.
Request an amendment to a record.
Understand the accounting of certain PHI disclosures.
Request restrictions on uses and disclosures.
Request alternative communication channels.
File a complaint with the Office for Civil Rights.
The Security Rule
Protecting Electronic PHI
The HIPAA Security Rule applies specifically to electronic PHI (ePHI). It requires covered entities to conduct a formal risk assessment, identify vulnerabilities, and implement reasonable safeguards to protect ePHI from threats. This includes administrative safeguards (policies and training), physical safeguards (access controls, workstation placement), and technical safeguards (passwords, encryption, audit controls).
Any vendor or outside entity that handles PHI on behalf of a practice is a business associate under HIPAA. This includes clearinghouses, billing services, practice management system vendors, collection agencies, and IT vendors with access to systems that contain patient data. The 2013 Omnibus Rule expanded this definition and made business associates directly liable for compliance with HIPAA privacy and security requirements — not just the practice that hired them.
Before any business associate can access PHI, a signed Business Associate Agreement (BAA) must be in place. The BAA specifies how the associate will safeguard patient information, what they can and cannot do with it, and what happens if there is a breach. A practice that shares PHI with a vendor without a signed BAA is in violation of HIPAA regardless of what the vendor does or doesn't do with the data.
Why This Matters in Practice
HIPAA compliance in the revenue cycle isn't a one-time setup. It requires ongoing attention: annual privacy audits, updated BAAs when vendors change, staff training on minimum necessary use, and a functioning process for responding when something goes wrong. A breach involving billing data — a misdirected fax, an unencrypted laptop, a vendor that doesn't have a signed BAA — carries significant financial and reputational consequences. The revenue cycle touches PHI constantly. Treating HIPAA as background noise rather than an active compliance obligation is how practices end up in enforcement situations.