1.2 HIPAA (Privacy/Security/Breach Notification) & PHI handling

Key Takeaways

  • HIPAA protects PHI and applies to covered entities and to their business associates, who must sign a Business Associate Agreement (BAA).
  • The Privacy Rule allows PHI use without authorization for treatment, payment, and health care operations (TPO) and enforces the minimum-necessary standard.
  • The Security Rule protects electronic PHI (ePHI) through administrative, physical, and technical safeguards.
  • Patients have rights to access, amend, restrict, and receive an accounting of disclosures of their PHI.
  • The Breach Notification Rule requires notifying affected individuals within 60 days of discovery; properly encrypted PHI is considered 'secured.'
Last updated: July 2026

HIPAA and Why It Governs Everything a Biller Touches

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 sets the national rules for protecting patient health information. For a CBCS, HIPAA is not background trivia: every claim, remittance, eligibility check, and phone call to a patient involves protected information, and mishandling it carries civil and criminal penalties. HIPAA applies to covered entities (health plans, health care clearinghouses, and providers who transmit health information electronically) and to their business associates, the vendors such as billing companies, clearinghouses, and IT firms that handle information on a covered entity's behalf. A covered entity must have a signed Business Associate Agreement (BAA) in place before sharing PHI with such a vendor.

Protected Health Information (PHI)

PHI is individually identifiable health information tied to a person's past, present, or future physical or mental health, care, or payment for care. HIPAA lists 18 identifiers, including name, address, dates (birth, admission, discharge), phone and email, Social Security number, medical record and account numbers, health-plan beneficiary numbers, and full-face photographs. When PHI is created, stored, or transmitted electronically, it is called ePHI, and the Security Rule protects it specifically.

The Privacy Rule

The Privacy Rule governs how PHI may be used and disclosed. Its cornerstone is the minimum necessary standard: use or share only the smallest amount of PHI needed to accomplish a task. A biller verifying eligibility should transmit only the data the payer requires, not the entire chart. The rule permits use and disclosure without patient authorization for treatment, payment, and health care operations (TPO), the everyday activities that keep care and billing running. Coding a visit and submitting the claim fall under "payment," so no separate authorization is needed. Anything outside TPO, such as marketing or releasing records to an employer or attorney, generally requires a signed authorization from the patient.

The Privacy Rule also grants patients specific rights over their information:

  • Receive a Notice of Privacy Practices describing how their PHI is used.
  • Access and obtain a copy of their own records.
  • Request an amendment to correct their record.
  • Request an accounting of disclosures of their PHI.
  • Request restrictions on certain uses and disclosures.
  • Request confidential communications (for example, being contacted only at a work number).

A biller must recognize each of these requests and route it to the correct staff member rather than acting on it informally.

The Security Rule

While the Privacy Rule covers PHI in any form, the Security Rule applies specifically to ePHI and requires three categories of safeguards:

  • Administrative safeguards — policies and workforce controls: designating a security officer, conducting a risk analysis, workforce training, sanction policies, and access management.
  • Physical safeguards — protecting hardware and facilities: locked server rooms, careful workstation positioning, privacy screens, and controlled disposal of devices and media.
  • Technical safeguards — technology controls on the data itself: unique user IDs, automatic logoff, audit controls and logs, and encryption of data at rest and in transit.

For a biller, this translates into concrete habits: log in with your own credentials and never share passwords, lock your screen when you step away, avoid discussing patient accounts where others can overhear, and never email unencrypted PHI.

The Breach Notification Rule

A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. The Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more residents of a state or jurisdiction also require notice to prominent media and to the HHS Secretary without unreasonable delay (within 60 days); smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entity of breaches they discover. Importantly, PHI that is properly encrypted to HHS standards is considered "secured," so its loss generally does not trigger breach notification, which is one of the strongest practical arguments for encryption.

Enforcement and the Transactions Standards

HIPAA is enforced by the HHS Office for Civil Rights (OCR), and penalties are tiered by culpability, ranging from unknowing violations at the low end up to willful neglect that is not corrected at the high end, with steep per-violation dollar amounts and possible criminal referral for knowing misuse of PHI. Beyond privacy and security, HIPAA also created the Transactions and Code Sets standards that billers use every day: standardized electronic formats such as the 837 electronic claim and the 835 electronic remittance advice, and standard code sets (ICD-10-CM, CPT, HCPCS). Using these standard transactions is what allows a clean claim to move electronically from provider to clearinghouse to payer, tying HIPAA directly to the revenue cycle.

Putting It Together at the Desk

Most HIPAA questions on the CBCS exam are scenario based: a caller asks for a family member's balance, a coworker looks up a neighbor's chart out of curiosity, or a fax is sent to the wrong number. The pattern to remember is simple. Disclose the minimum necessary, only for TPO or with a valid authorization, verify the requester's identity and right to the information, and report suspected breaches through your organization's process. "Snooping" in records without a legitimate work reason is itself a violation, even if nothing is disclosed externally. Getting this reflex right protects patients, protects your employer, and protects your certification, because HIPAA violations can lead to termination as well as regulatory penalties.

Test Your Knowledge

Under the HIPAA Privacy Rule, a provider may use or disclose PHI without a separate patient authorization for which purposes?

Test Your Knowledge

Encrypting ePHI and requiring unique user login IDs are examples of which HIPAA Security Rule safeguard category?

Test Your Knowledge

After discovering a breach of unsecured PHI, a covered entity must notify affected individuals without unreasonable delay and no later than which deadline?