HIPAA Privacy Rules Billing

What Are HIPAA Privacy Rules for Billing?

HIPAA's Administrative Simplification rules require covered entities that conduct billing transactions electronically to use the adopted X12 standards (837 claims, 835 remittance advice, 276/277 claim status inquiry and response) and the adopted code sets (ICD-10-CM, CPT, HCPCS). The Privacy Rule's minimum necessary standard applies to disclosures for payment: only the protected health information needed to adjudicate the claim is shared. Civil penalties are tiered by culpability, starting at $100 per violation in the lowest tier and subject to a statutory annual cap of $1.5 million per identical provision; both figures are adjusted for inflation each year, so current amounts are higher.

Who Do HIPAA Billing Rules Affect?

All covered entities billing Medicare, Medicaid, or commercial insurance must comply, and their business associates (clearinghouses, billing services) are bound by the same rules. Small practices and large health systems face the same requirements. EHR and billing software vendors must support the standard transactions. Medical records staff manage patient information access. Billing staff handle patient data daily. Any breach of unsecured PHI requires notification of the affected individuals and HHS; a breach affecting 500 or more individuals additionally requires notice to prominent media serving the affected area, HHS notification within 60 days, and routinely draws an OCR investigation.

Key Requirements

  1. Standard electronic transactions: a claim sent electronically must be an 837 in the adopted X12 version. HIPAA itself does not prohibit paper claims, but Medicare requires electronic submission under the Administrative Simplification Compliance Act (ASCA), with exceptions for small providers (fewer than 10 full-time-equivalent employees for physician practices) and a few other listed situations.
  2. Standard code sets: ICD-10-CM diagnoses, CPT/HCPCS procedures. Updated annually: ICD-10-CM effective October 1, CPT effective January 1 (HCPCS Level II also receives quarterly updates). Using deleted or not-yet-effective codes triggers denials.
  3. Minimum necessary principle: include only diagnoses that support the billed service. Exclude psychiatric, substance use disorder, and HIV diagnoses unless they are directly related to the procedure; substance use disorder treatment records from federally assisted programs carry additional restrictions under 42 CFR Part 2.
  4. Payer responses sent electronically must use the standard 835 (remittance advice) format. Electronic status inquiries (276) must receive 277 responses in standard format.
  5. Access controls: billing staff access to patient information must be restricted to what their role requires, and every access must be logged. Unauthorized access to unsecured PHI is presumed to be a breach and triggers notification unless a documented risk assessment shows a low probability that the PHI was compromised.

Timeline & Enforcement

OCR (Office for Civil Rights) enforces HIPAA privacy and security compliance. Investigations are typically opened in response to patient complaints or breach reports; OCR also runs periodic audit programs. CMS enforces the transaction and code set standards and identifies non-standard transactions through claims processing; providers using non-standard formats receive rejection notices. Breaches of any size must be reported (those under 500 individuals may be logged and reported annually; 500 or more must be reported within 60 days). Enforcement actions commonly take a year or more from investigation to penalty assessment.

How to Comply

  1. Verify that billing software produces 837 claims in the adopted X12 version. Test claim submission with each payer or clearinghouse to confirm acceptance (a 999 acknowledgment without rejections).
  2. Update code sets annually before October 1 (ICD-10-CM) and January 1 (CPT). Train billing staff on new codes and updated rules.
  3. Review diagnosis codes on claims for minimum necessary. Audit 50+ claims monthly to identify sensitive diagnoses that are not linked to any billed service.
  4. Implement role-based access controls on billing systems. Log all staff access to patient information, review the logs regularly for access outside a billing purpose, and restrict access to authorized billing personnel only.
  5. Conduct annual HIPAA privacy training for all staff. Document training attendance and content.
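Step 4 above calls for logging every access and restricting it to staff with a billing purpose, which is only useful if someone reviews the log. The script below is an added example, not code from the original page or from Altair: it runs three least-privilege checks over a constructed export of billing-system access events. The CSV column layout, the role names, the assumption that an authorized access references an open claim, and the bulk-access threshold are all illustrative choices for this example, not HIPAA requirements.

```python
"""Review billing-system access logs for access outside a billing purpose.

Added example. The log format, role names, the rule that a legitimate
billing access carries a claim_id, and the bulk-access threshold are
assumptions for illustration, not requirements from the page or the law.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one row per PHI access event. Columns are assumed.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,claim_id,action
2026-03-02T09:01:00,jdoe,billing,P1001,C5001,view_claim
2026-03-02T09:04:00,jdoe,billing,P1002,C5002,edit_claim
2026-03-02T09:10:00,asmith,front_desk,P1001,,view_record
2026-03-02T09:15:00,jdoe,billing,P1003,,view_record
2026-03-02T09:20:00,mlee,billing,P1004,C5004,view_claim
2026-03-02T09:21:00,mlee,billing,P1005,C5005,view_claim
2026-03-02T09:22:00,mlee,billing,P1006,C5006,view_claim
2026-03-02T09:23:00,mlee,billing,P1007,C5007,view_claim
2026-03-02T09:24:00,mlee,billing,P1008,C5008,view_claim
2026-03-02T09:25:00,mlee,billing,P1009,C5009,view_claim
"""

# Assumption: only the billing role may touch PHI through the billing system.
AUTHORIZED_ROLES = frozenset({"billing"})


def review_access_log(log_text, authorized_roles=AUTHORIZED_ROLES,
                      max_patients=5, window=timedelta(minutes=10)):
    """Return (user, rule, detail) findings for three checks:

    unauthorized_role  - role not permitted to use the billing system
    no_claim_context   - PHI access with no claim_id (no recorded purpose)
    bulk_access        - more than max_patients distinct patients touched
                         by one user inside a sliding time window
    """
    findings = []
    recent = defaultdict(deque)      # user -> deque of (timestamp, patient_id)
    bulk_flagged = set()             # report bulk access once per user

    rows = list(csv.DictReader(io.StringIO(log_text)))
    rows.sort(key=lambda r: r["timestamp"])   # ISO-8601 sorts lexically

    for r in rows:
        user, role = r["user"], r["role"]
        ts = datetime.fromisoformat(r["timestamp"])

        if role not in authorized_roles:
            findings.append((user, "unauthorized_role",
                             f"{role} accessed {r['patient_id']}"))
            continue   # an unauthorized role needs no further classification

        if not r["claim_id"]:
            findings.append((user, "no_claim_context",
                             f"{r['action']} on {r['patient_id']} without a claim"))

        # Sliding window of this user's recent accesses.
        q = recent[user]
        q.append((ts, r["patient_id"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {pid for _, pid in q}
        if len(distinct) > max_patients and user not in bulk_flagged:
            bulk_flagged.add(user)
            findings.append((user, "bulk_access",
                             f"{len(distinct)} patients within {window}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in review_access_log(SAMPLE_LOG):
        print(f"{rule:18} {user:8} {detail}")
```

In the sample, the front-desk user is flagged for role, the billing user who opened a record with no claim attached is flagged for missing purpose, and the user who touched six patients in five minutes is flagged for volume. The thresholds need tuning to the practice's real claim volume; the point is that each rule maps to a question OCR will ask after an incident (who, with what authority, for what purpose).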

Common Questions

What are standard electronic transactions?

HIPAA mandates standard formats for claims (837I institutional, 837P professional, 837D dental), remittance advice (835), and claim status inquiry/response (276/277), all in the adopted ASC X12 version (currently 5010). Providers submitting electronically must send 837 claims in standard format, and payers must respond electronically with 835 remittance advice in standard format.

What code sets are required?

ICD-10-CM for diagnoses, CPT-4/HCPCS for procedures. Updates take effect annually: ICD-10-CM on October 1, CPT on January 1. Providers must use the codes in effect on the date of service. Using deleted or not-yet-effective codes triggers denials and compliance violations.

What is the minimum necessary standard?

Providers must limit the protected health information disclosed for payment to what is necessary to adjudicate the claim. In practice, every diagnosis on a claim should be linked to a billed service line; don't include mental health diagnoses, substance use disorder treatment, or HIV status on claims unless they are directly related to the billed service.
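The monthly claim audit in the compliance steps and the minimum necessary answer above both come down to one mechanical check: in an 837P, diagnosis codes sit in the HI segment and each SV1 service line names the diagnoses it relies on through pointers in SV107, so a diagnosis no service line points to contributes nothing to the claim and should not be disclosed. The script below is an added example, not code from the original page or from Altair. The 837P fragment is constructed and abbreviated (no ISA/GS/ST envelope, only the claim-level segments), and the sensitive-code list (ICD-10-CM chapter F plus HIV codes B20 and Z21) is an illustrative assumption, not a legal definition.

```python
"""Minimum-necessary audit of 837P claims: flag diagnosis codes that no
service line references, with sensitive codes reported separately.

Added example. The 837P sample is constructed and abbreviated, and the
sensitive-code definition is an illustrative assumption.
"""

# Assumption: ICD-10-CM chapter F (mental and behavioural disorders,
# including F10-F19 substance use) plus HIV codes B20 and Z21.
SENSITIVE_PREFIXES = ("F",)
SENSITIVE_CODES = frozenset({"B20", "Z21"})

# Constructed, abbreviated 837P content. Claim 1 carries an opioid
# dependence code (F11.20, written F1120 in X12) that neither service line
# points to; claim 2 bills an alcohol/drug assessment against the same code.
SAMPLE_837P = (
    "CLM*CLAIM001*275***11:B:1*Y*A*Y*Y~"
    "HI*ABK:J069*ABF:I10*ABF:F1120~"
    "LX*1~"
    "SV1*HC:99213*150*UN*1***1:2~"
    "LX*2~"
    "SV1*HC:87880*125*UN*1***1~"
    "CLM*CLAIM002*90***11:B:1*Y*A*Y*Y~"
    "HI*ABK:F1120~"
    "LX*1~"
    "SV1*HC:H0001*90*UN*1***1~"
)


def is_sensitive(code):
    return code.startswith(SENSITIVE_PREFIXES) or code in SENSITIVE_CODES


def parse_segments(x12):
    """Split X12 into segments ('~' terminator) and elements ('*')."""
    return [seg.strip().split("*") for seg in x12.split("~") if seg.strip()]


def split_claims(segments):
    """Group segments by claim: each CLM starts a new claim loop."""
    claims, current = [], None
    for seg in segments:
        if seg[0] == "CLM":
            current = [seg]
            claims.append(current)
        elif current is not None:
            current.append(seg)
    return claims


def audit_claim(claim_segs):
    claim_id = claim_segs[0][1]
    diagnoses = []        # HI order defines pointer numbers 1..n
    referenced = {}       # pointer -> procedure codes that cite it
    for seg in claim_segs:
        if seg[0] == "HI":
            for composite in seg[1:]:
                parts = composite.split(":")
                # ABK = principal ICD-10-CM diagnosis, ABF = other diagnosis
                if len(parts) >= 2 and parts[0] in ("ABK", "ABF"):
                    diagnoses.append(parts[1])
        elif seg[0] == "SV1":
            proc = seg[1].split(":")[1]                 # SV101-2: CPT/HCPCS
            pointers = seg[7] if len(seg) > 7 else ""   # SV107: diagnosis pointers
            for p in pointers.split(":"):
                if p:
                    referenced.setdefault(int(p), []).append(proc)

    findings = []
    for idx, code in enumerate(diagnoses, start=1):
        sensitive = is_sensitive(code)
        if idx not in referenced:
            findings.append({
                "claim": claim_id, "code": code,
                "finding": "unlinked_sensitive" if sensitive else "unlinked",
                "detail": "no service line references this diagnosis; remove before submission",
            })
        elif sensitive:
            findings.append({
                "claim": claim_id, "code": code, "finding": "linked_sensitive",
                "detail": "linked to " + ", ".join(referenced[idx])
                          + "; confirm the service requires it",
            })
    return findings


def audit_837p(x12):
    return [f for claim in split_claims(parse_segments(x12))
            for f in audit_claim(claim)]


if __name__ == "__main__":
    for f in audit_837p(SAMPLE_837P):
        print(f"{f['claim']} {f['code']:8} {f['finding']:18} {f['detail']}")
```

Unlinked non-sensitive codes are also reported, since they fail minimum necessary too; the sensitive ones are the ones that turn a sloppy claim into a reportable disclosure. A linked sensitive code is not automatically wrong (claim 2 is a legitimate substance use assessment), so it is surfaced for human review rather than rejected.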

Related Resources

Altair checks compliance rules before you submit. See how pre-submit claim scoring works.

Learn about Altair

CMS regulations change. This reference is current as of 2026-03-30. Always verify against current CMS documentation.