Every time you submit an insurance claim, you're transmitting protected health information. The client's name, diagnosis codes, procedure codes, dates of service—it's all PHI, and it's all governed by HIPAA.
This guide covers the intersection of HIPAA and billing: what's protected, how to transmit claims securely, documentation requirements, and how to handle billing-related PHI requests.
What Billing Information Is Protected?
When you submit a claim, this information is PHI:
| Data Element | HIPAA Status |
|---|---|
| Client name | PHI (identifier) |
| Date of birth | PHI (identifier) |
| Insurance ID number | PHI (identifier) |
| Address | PHI (identifier) |
| Date of service | PHI (when linked to client) |
| ICD-10 diagnosis codes | PHI (health information) |
| CPT procedure codes | PHI (treatment information) |
| Claim amounts | PHI (payment information) |
| Provider information | Not PHI (about you, not client) |
Bottom line: The entire claim is PHI.
HIPAA's Payment Exception
HIPAA's Privacy Rule (45 CFR 164.506) permits covered entities to use and disclose PHI for treatment, payment, and health care operations without a specific client authorization. The payment limb is what allows you to bill insurance.
What "Payment" Includes
- Submitting claims to insurance
- Billing clients directly
- Collecting copays/deductibles
- Working with clearinghouses
- Responding to payer requests for information
- Appeals and claim corrections
Limits on Payment Disclosure
Even under the payment exception:
- Minimum necessary applies: share only what the payer needs to process the claim, and nothing more
- Full session notes are rarely required for standard claims; the codes, dates, and amounts on the claim form usually suffice
- Psychotherapy notes kept separate from the rest of the record are not covered by the payment exception at all; disclosing them requires the client's written authorization (45 CFR 164.508(a)(2))
Submitting Claims Securely
Electronic Claims
Most claims are submitted electronically, as X12 837 transactions to a clearinghouse or by entry in a payer portal. HIPAA's Security Rule expects:
Secure transmission:
- Claims sent only over encrypted channels (TLS to a portal or clearinghouse API, SFTP for batch files), never as attachments to ordinary email
- A HIPAA-compliant clearinghouse with a signed BAA
- Secure connections to payer portals, with credentials that are not shared between staff
Access controls:
- Only authorized users can submit claims (a billing role, not everyone in the office)
- Unique login credentials per person, with multi-factor authentication wherever the platform offers it
- An audit trail recording who submitted or changed which claim, and when
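The two access-control requirements above, a role gate on claim submission and a tamper-evident audit trail, are small enough to show in code. The following is an added example written for this page, not code from the page's own systems or from any practice management product: the role name, user directory, HMAC key, and sample claim are all constructed for illustration. The audit log stores a fingerprint of each claim rather than the claim itself, so the log proves what was sent without becoming a second copy of the PHI, and each entry is chained to the previous one so that editing or deleting a record is detectable.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

ROLE_BILLER = "biller"  # assumed role name

# Constructed user directory for the example: user id -> roles.
USERS = {
    "u-alice": {ROLE_BILLER},
    "u-bob": {"clinician"},
}

# Assumed HMAC key for the audit log; in production this comes from a
# secret store, never from source code.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


class AuthorizationError(PermissionError):
    """Raised when a user without the biller role tries to submit a claim."""


def _fingerprint(obj):
    """Stable SHA-256 over a JSON-serializable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def _mac(fields):
    """HMAC-SHA256 over the canonical JSON form of an entry's fields."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail.

    Each entry carries an HMAC over its own fields plus the previous entry's
    digest, so editing, reordering, or deleting an entry makes verify() fail.
    """

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, actor, action, claim):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            # Fingerprint only: proves which claim was sent without storing PHI.
            "claim_fp": _fingerprint(claim),
            "prev": prev,
        }
        entry["digest"] = _mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; False if any entry was altered, removed, or reordered."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "digest"}
            if not hmac.compare_digest(_mac(body), entry["digest"]):
                return False
            prev = entry["digest"]
        return True


def submit_claim(user_id, claim, log):
    """Submit a claim only for users holding the biller role.

    Every attempt, allowed or denied, is written to the audit trail.
    """
    roles = USERS.get(user_id, set())
    if ROLE_BILLER not in roles:
        log.append(user_id, "submit_denied", claim)
        raise AuthorizationError(f"{user_id} may not submit claims")
    entry = log.append(user_id, "submit", claim)
    # Hand-off to the clearinghouse (over TLS/SFTP, under a BAA) would go here.
    return {"status": "submitted", "claim_fp": entry["claim_fp"]}


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample claim; not a real client.
    sample = {"member_id": "ABC123", "dos": "2024-03-04", "cpt": "90834", "icd10": "F41.1"}
    print(submit_claim("u-alice", sample, log))
    try:
        submit_claim("u-bob", sample, log)
    except AuthorizationError as exc:
        print("denied:", exc)
    print("chain intact:", log.verify())
```

The denied attempt is logged too: an audit trail that only records successes cannot tell you that someone without the billing role kept trying. Store the log somewhere the billing users cannot write to directly, otherwise the HMAC key and the log sit in the same hands.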
Paper Claims
If you still submit paper claims:
- Mail securely (no postcards with PHI visible)
- Keep copies in secure storage
- Track what was sent
Using a Clearinghouse
Most practices submit claims through a clearinghouse. Requirements:
- Signed Business Associate Agreement
- Secure data transmission
- Clearinghouse must meet HIPAA standards
Business Associate Agreements: Complete Guide →
Required Billing Documentation
What Must Be in the Record
Your clinical documentation must support every claim. For HIPAA and billing compliance, document:
For every session:
- Date of service
- Start and stop time (for time-based codes)
- Service provided (matching CPT code)
- Diagnosis (matching ICD-10 code)
- Clinical content supporting medical necessity
For the overall treatment:
- Treatment plan with measurable goals
- Progress toward goals
- Rationale for continued treatment
Connecting Documentation to Codes
| CPT Code | Documentation Must Show |
|---|---|
| 90832 | 16-37 minutes of psychotherapy |
| 90834 | 38-52 minutes of psychotherapy |
| 90837 | 53+ minutes of psychotherapy |
| 90846 | Family therapy without patient present |
| 90847 | Family therapy with patient present |
| 90791 | Psychiatric diagnostic evaluation (without medical services) |
ICD-10 Documentation
Your diagnosis code must be supported by your clinical assessment:
- Symptoms documented
- Diagnostic criteria addressed
- Severity level justified (when applicable)
ICD-10 Codes for Mental Health →
Responding to Payer Requests
Insurance companies may request additional information to process claims.
Common Requests
| Request Type | What They Want |
|---|---|
| Clinical summary | Brief overview of treatment |
| Treatment notes | Session documentation |
| Treatment plan | Goals and planned interventions |
| Medical necessity letter | Explanation of why treatment is needed |
| Prior authorization | Pre-approval for services |
HIPAA Considerations
You may respond to legitimate payer requests under the payment exception.
Minimum necessary applies:
- Send what's requested, not the entire file
- Redact information not relevant to the request
- Question overly broad requests
Verify the request:
- Confirm the request actually comes from the payer: call back or log in using contact details from the payer portal or your provider contract, not the phone number, link, or email address in the request itself
- Ensure it references a claim you actually submitted for that client
- Treat unsolicited requests for records, portal logins, or updated banking details as likely phishing until verified
Documentation Requests for Audits
If you receive an audit request:
- Verify legitimacy of the request
- Provide only what's specifically requested
- Keep records of what you provided
- Consult with a billing specialist or attorney if extensive
Billing Records Retention
HIPAA Requirements
HIPAA's documentation standard (45 CFR 164.316(b)(2)) requires that compliance documentation (policies and procedures, BAAs, signed authorizations, accounting of disclosures) be kept for at least 6 years. Records that support claims are additionally governed by state law and payer contracts. For billing, that means keeping:
- Records supporting claims
- Explanation of Benefits (EOBs)
- Payment records
- Claim submissions
Minimum 6 years for HIPAA compliance documentation; state law and payer contracts may require longer for claim records.
Practical Retention
Many experts recommend retaining billing records as long as clinical records (7-10 years depending on state law, longer for minors).
What to retain:
- Claims submitted
- Payments received
- Adjustments and denials
- Appeal documentation
- Correspondence with payers
Privacy in Billing Communications
Client Communications About Billing
When communicating with clients about billing:
- Use secure methods for detailed information
- Limit PHI on statements mailed to home
- Consider client preferences for billing communication
EOBs and Privacy
Explanation of Benefits sent to policyholders can reveal information about dependents' care. Consider:
- Discussing with clients (especially adolescents)
- Understanding how the client's plan handles EOBs
- Confidential communication requests when available
Using Billing Services
If you outsource billing, HIPAA requirements apply.
Billing Service Requirements
- Business Associate Agreement required
- Service must maintain HIPAA compliance
- You're responsible for ensuring their compliance
- They can only use PHI for billing purposes
What to Verify
Before engaging a billing service:
- Do they provide a BAA?
- What security measures do they use?
- How do they train staff on HIPAA?
- What happens to data if you end the relationship?
Business Associate Agreements: Complete Guide →
Common Billing-Related HIPAA Issues
Issue 1: Sending Claims Through Personal Email
Problem: Emailing claims or billing info via standard email
Solution: Use encrypted email, secure portal, or compliant clearinghouse
Issue 2: Storing Billing Records on Personal Computer
Problem: Unencrypted billing records on a home computer or personal laptop
Solution: Full-disk encryption on every device that touches billing data, practice management software with a BAA rather than local spreadsheets, and encrypted backups
Issue 3: Discussing Client Billing in Shared Spaces
Problem: Talking about client accounts where others can hear
Solution: Private space for all billing discussions, even phone calls
Issue 4: No BAA with Billing Software
Problem: Using QuickBooks or other software without BAA for billing
Solution: Use HIPAA-compliant practice management software with BAA, or ensure no PHI is in general accounting software
Issue 5: Sharing More Than Necessary with Payers
Problem: Sending full clinical notes when summary would suffice
Solution: Send minimum necessary; question overly broad requests
Frequently Asked Questions
- Can insurance companies see my full session notes?
- They can request them, but you're not required to send full notes for routine claims. Send minimum necessary—often a clinical summary suffices. For audits or specific medical necessity reviews, more may be required.
- Do I need client authorization to bill insurance?
- No. Billing is covered under HIPAA's payment exception. However, client consent for treatment generally includes acknowledgment that you'll bill their insurance.
- What if a client asks me not to bill insurance?
- They can pay privately, but if you've already billed, you generally can't take it back. Discuss billing preferences before treatment begins.
- Can I use Venmo/PayPal for client payments?
- Not with PHI in the transaction. A memo like 'therapy session' discloses treatment, and apps with a social feed (Venmo) can show that memo to other users unless the transaction is set to private. If you use them at all, keep the memo generic ('services') and put no client or treatment detail in it. A payment processor that will sign a BAA is the safer choice.
- Do I need a BAA with my payment processor?
- If the processor handles PHI (sees diagnosis, service type, etc.), yes. If they only process dollar amounts with no PHI, it's less clear. When in doubt, use processors that offer BAAs.
Billing and HIPAA are inseparable. Every claim transmits PHI, every billing record is protected, and every interaction with payers involves privacy considerations. Secure your billing processes, document appropriately, and remember that minimum necessary applies even when payment exceptions allow disclosure.