How HIPAA Affects Business Transactions

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Alongside its insurance-portability provisions, it directed the federal government to set national standards for the privacy and security of protected health information (PHI), following repeated incidents in which patients' health records were exposed. The resulting rules require that PHI be handled only by covered entities (health plans, healthcare clearinghouses, and providers that transmit health information electronically) and by the business associates that act on their behalf under a written business associate agreement. 

These rules have sweeping effects and implications on business transactions. If you want to understand how HIPAA rules and regulations affect your transactions with your business associates and clients, you might want to read more on how HIPAA plays out in real life. 

Here are some ways HIPAA affects business transactions.

1. Covered Entities Transact Only With HIPAA-Compliant Business Associates

HIPAA affects business transactions in that covered entities will do business only with third-party suppliers and service vendors that comply with HIPAA rules. A covered entity cannot sign a contract with a remote vendor or service provider that isn't HIPAA-compliant if the scope of work involves handling PHI; the Privacy Rule requires a business associate agreement to be in place before any PHI is disclosed to the vendor. 

For example, an insurance provider may have accredited a clinic or pharmacy where its members can go for consultations or to buy medicines. If the clinic or pharmacy isn't HIPAA-compliant, the insurance provider will most likely stop dealing with it. It will have to stop sharing, or even displaying, any PHI in its database, even when it needs to compare records with the clinic or pharmacy for reimbursement documentation.

Hospitals and other healthcare institutions will likewise stop sharing PHI with insurance providers that haven't complied with HIPAA. An insurance provider that hasn't complied will most likely be turned down if it asks for copies of a patient's medical billing information. 

2. Requires Review Of Billing Systems And Procedures

HIPAA compliance standards affect how businesses prepare, document, process, and store the billing information and statements of their patients or customers. Billing records contain a great deal of data covered by the HIPAA Privacy and Security Rules, and every covered entity and each of its business associates must comply with them. 

Covered entities have to ensure that their databases and billing information management systems meet HIPAA requirements. Similarly, they should grant access only to HIPAA-compliant business associates, and only to the minimum PHI necessary for the work.

An example is when a healthcare institution hires an accounting firm to conduct periodic reviews of its billing systems, ledgers, and journals. It now has to be careful to hire a HIPAA-compliant accounting firm and to put a business associate agreement in place. 

In addition, the Security Rule requires the covered entity to conduct periodic risk analyses of its billing information management systems and processes. This is especially important when it uses Enterprise Resource Planning (ERP) software and grants some level of access to consultants and business associates. 

Any vulnerabilities and threats to the confidentiality, integrity, and availability of electronic PHI on its network and systems should be identified and promptly addressed, and the findings and remediation documented. 

3. Requires Review Of Patient Access Requests

Patients have the right to access their PHI. The HIPAA Privacy Rule gives patients the right to ask their providers and health plans for access to the PHI held in their designated record set. Covered entities must act on such a request in a timely manner (generally within 30 days) and may charge only a reasonable, cost-based fee for copies. 

Some examples of information and records which are subject to the patients’ Right of Access under the Privacy Rule are the following: 

  • Medical records from hospitals or clinics
  • Billing records from a medical office
  • Health plan information
  • Records of confinement in a hospital
  • Records of medical and imaging tests administered to a patient
  • Results of pre-employment testing and medical examinations
  • Medical prognosis and diagnosis issued by doctors
  • Documentation and information on surgical procedures performed 

Most of the data in a patient's PHI is subject to the right of access. However, some records are not covered, because the right applies only to the designated record set (the medical and billing records used to make decisions about the patient). Psychotherapy notes and information compiled for use in legal proceedings are also excluded. Records that fall outside the designated record set include the following:

  • Information compiled only for business planning.
  • Patient safety work product and activity records.
  • Information created as part of quality assessment and improvement activities.

4. Identifiers and Coding System

Aside from the Privacy Rule, HIPAA's Administrative Simplification provisions mandate standard code sets and identifiers for the electronic transactions subject to HIPAA. 

The Transactions and Code Sets Rule specifies the code sets to be used in covered transactions such as claims, eligibility checks, and remittance advice. These code sets, such as ICD-10 (which replaced ICD-9 for diagnosis and inpatient procedure coding in 2015), HCPCS, CPT-4, and NDC, standardize the content of the transactions so that covered entities and their business associates exchange them accurately and consistently.

HIPAA also created a system of identifiers. Covered entities are required to use the adopted unique identifiers whenever they conduct financial and administrative transactions subject to HIPAA. The identifiers are as follows:

  • National Provider Identifier (NPI): a 10-digit numeric identifier issued by CMS through the National Plan and Provider Enumeration System (NPPES). Covered healthcare providers are required to use their NPI in every covered transaction. The last digit is a check digit, so a mistyped or fabricated NPI can usually be detected before a transaction is sent.
  • Health Plan Identifier (HPID): adopted in 2012 as the identifier for health plans, but the rule was rescinded in 2019, so there is currently no HIPAA-mandated health plan identifier.
  • Standard Unique Employer Identifier: the Employer Identification Number (EIN) assigned by the Internal Revenue Service. HIPAA adopted the EIN as the identifier for employers in covered transactions, such as when an employer enrolls its employees in a health plan.
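The NPI check digit mentioned above is computed with the Luhn algorithm over the nine payload digits prefixed with the ISO issuer prefix 80840, which is how CMS defines it. The following is an added example, not code from the original article or from CMS: it validates an NPI, rejects identifiers that fail the check, and scans a constructed claim-like text for candidate NPIs so that only well-formed identifiers reach a transaction. The sample text and the function names are assumptions made for the illustration.

```python
"""Validate National Provider Identifier (NPI) check digits (added example)."""

import re

# CMS computes the NPI check digit with Luhn over this issuer prefix plus the
# first nine digits of the NPI (the "card number" form 80840 + NPI).
NPI_PREFIX = "80840"


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits.

    The check digit will be appended to the right of ``payload``, so the
    rightmost payload digit is the first one doubled.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right, starting with the last
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if ``npi`` is ten digits whose last digit is the correct Luhn check."""
    npi = npi.strip()
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_check_digit(NPI_PREFIX + npi[:9]) == int(npi[9])


def find_npis(text: str) -> list[str]:
    """Return the ten-digit tokens in ``text`` that pass the NPI check.

    A Tax ID or a mistyped NPI will not pass, so a claim built from this list
    cannot carry an identifier that was never issued as an NPI.
    """
    candidates = re.findall(r"\b\d{10}\b", text)
    return [c for c in candidates if is_valid_npi(c)]


# Constructed sample: the first identifier is the NPI format example CMS
# publishes (1234567893); the nine-digit Tax ID and the last number, whose
# final digit is wrong, must not be accepted as NPIs.
SAMPLE_CLAIM_TEXT = (
    "Rendering provider NPI 1234567893; billing provider Tax ID 123456789; "
    "referring provider NPI 1234567890"
)

if __name__ == "__main__":
    print(find_npis(SAMPLE_CLAIM_TEXT))
```

Running the block prints only the valid identifier. Validating the check digit catches transcription errors and obviously fabricated values, but it does not prove the provider exists or is the one it claims to be; that requires a lookup against the NPPES registry.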


HIPAA sets out several rules, standards, and requirements governing the financial and administrative transactions of covered entities and their business associates, and they have to observe them whenever they conduct such transactions. Civil penalties for violations are tiered by level of culpability, with annual caps per violated provision of more than $1.5 million, and knowing misuse of PHI can also bring criminal penalties.

All opinions expressed on USDR are those of the author and not necessarily those of US Daily Review.