
How HIPAA Regulations Impact Medical Coding: A Practical Guide for NY, NJ, and CA Practices

Medical billing is the process of translating clinical work into standardized codes, submitting those codes to a health plan, and collecting payment. It covers everything from the scheduling call through final payment posting.

Written for Practice Managers, Billing Directors, and Revenue Cycle Leaders managing HIPAA-compliant medical coding
Written by Dan Nandan, CEO, Staffingly (25+ years in healthcare outsourcing)

Dan Nandan is the CEO of Staffingly, Inc. With 25+ years in IT consulting and a decade leading healthcare BPO operations across India, Latin America, and Pakistan, his team now serves 800+ U.S. healthcare providers across medical, dental, pharmacy, and post-acute care verticals.

Clinically reviewed by Bincy Shiiju Kuriakose, Clinical Content Reviewer, State of Illinois Registered Professional Nurse (IL RN License #041.577729)

Bincy Shiiju Kuriakose is a U.S.-licensed Registered Nurse (MSN, RN), NCLEX-RN certified, with expertise in hospital nursing, telehealth, and nursing education. She reviews every publication for medical accuracy, YMYL compliance, and evidence-based clinical context.

What Is HIPAA in Medical Coding?

Medical billing is the process of translating clinical work into standardized codes, submitting those codes to a health plan, and collecting payment. It covers everything from the scheduling call through final payment posting. Every step generates data, and every piece of that data is subject to federal and state privacy protections.

Coding workflow: Chart Review → Code Selection → Compliance Check → CPT/ICD-10 Audit → Submitted
Key Takeaways for Healthcare Leaders

  • 18: HIPAA identifiers that turn a code into PHI once attached
  • 30 days: Breach notification window under 2025 updates (was 60)
  • Oct / Jan: ICD-10-CM updates annually in October; CPT codes update every January
  • BAA: Required before any PHI is shared with an outsourced coder
  • $2.1M: Tier 4 willful-neglect annual cap ($2,134,831)
  • $1K-$3K: Per-violation CMIA damages in California, no harm required
  • $9.9M: Collected by OCR across 22 settlements in 2024
  • 40%: Coding-error reduction from properly configured AI (AAPC)

The Role of HIPAA in Healthcare and Medical Coding

The Privacy Rule governs use and disclosure of PHI. Coders can only access data necessary for their task (Minimum Necessary Rule).

The Security Rule governs ePHI. Encryption, role-based access, audit logs, and multi-factor authentication are requirements coding systems must meet.

Additional rules: Breach Notification Rule (notification within 60 days, shortened to 30 days under 2025 updates) and Transaction and Code Set Rule (standardized electronic formats for claims). Outsourced coding vendors must have a signed Business Associate Agreement (BAA) before any PHI is shared.

What Is PHI in Medical Coding? ICD and CPT Codes Explained

This is a common point of confusion for coding teams. ICD-10 and CPT codes standing alone are not PHI. The code F41.1 (generalized anxiety disorder) by itself does not identify any individual. But the moment that code is linked to any of the 18 HIPAA-defined identifiers, such as a patient name, DOB, insurance ID, date of service, or medical record number, the entire record becomes PHI.

In practice, virtually every coded record qualifies as PHI because codes are never processed in isolation. They are always attached to a patient record with demographic and insurance information. A coder reviewing a chart to assign codes is accessing PHI. A coder transmitting a coded claim to a clearinghouse is transmitting PHI. A coder storing a coded worksheet on their desktop is storing PHI.

The practical implication is that every tool, device, and communication channel a coder uses must meet HIPAA standards. There is no such thing as a “non-PHI” coding workflow in a real clinical environment. Coding managers should audit every step in the coding workflow, from chart access through code assignment through claim transmission, and verify that PHI protections apply at each point.

Step-by-Step Process for HIPAA-Compliant Medical Coding

Step 1: Access Only What You Need. The Minimum Necessary Rule requires that coders access only the information needed for the specific coding task. Use coding-specific documentation extracts, not full patient charts. Configure role-based access controls so coders see the clinical note, procedure report, and relevant labs for their assigned cases, not the entire patient medical history. Many EHR systems allow creation of “coder views” that present only the relevant documentation. If your EHR auto-populates full records when a coder opens a chart, work with your IT team to restrict the default view. Software that exposes more information than necessary creates a compliance risk even if the coder never looks at the extra data.

Step 2: Ensure Secure Transmission. Encrypt all ePHI in transit and at rest. Use secure logins, multi-factor authentication, and VPN for remote coders. Never send records via personal email, consumer file-sharing services, or unencrypted messaging platforms. For practices in NY, NJ, and CA, state breach notification requirements are stricter than federal HIPAA standards. A single unencrypted email containing coded patient records can trigger both federal and state notification obligations. Clearinghouse submissions, ERA/EOB file transfers, and claim corrections all involve PHI transmission and must use encrypted channels.

Step 3: Regularly Review Policies. ICD-10-CM updates annually every October. CPT codes update every January. State laws change on their own cycles. Documented review cycles should occur at minimum annually, with interim updates when significant regulatory changes occur. Assign a compliance officer or lead coder responsibility for tracking code updates, payer policy changes, and state law amendments that affect coding workflows. A policy review that only happens during annual training leaves 11 months of exposure to outdated practices.

Step 4: Audit and Monitor. Internal audits serve dual purposes: catching billing errors and identifying HIPAA compliance gaps. Watch for records accessed outside assigned panels, PHI exported to unsecured drives, shared credentials between coders, and unusual access patterns like a coder opening 200 records in a single session. Audit logs should be reviewed monthly at minimum. For practices billing Medicare and Medicaid, coding audits also serve as False Claims Act protection. Documented internal audits showing proactive error detection and correction demonstrate compliance intent if an external audit occurs.
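The four patterns Step 4 tells you to watch for (out-of-panel access, PHI exported to unsecured destinations, shared credentials, and abnormally high-volume sessions) can be checked mechanically from an EHR access log. The script below is an added example, not code from the original article or from Staffingly; the pipe-delimited log format, the panel assignments, the approved export target, the 200-record threshold, and the 15-minute shared-credential window are all constructed assumptions for illustration. Real EHR audit exports differ in field names and layout, so the parser would need adapting to your system's format.

```python
"""Monthly audit-log review for a coding team (added example, not the article's code).

Assumed log format (constructed for this example, one event per line):
    timestamp|user|session|action|patient_id|source_ip|target
where action is VIEW or EXPORT and target is the export destination ("-" for views).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed coder-to-panel assignments (which records each coder is allowed to open).
PANELS = {
    "jdoe": {"P1001", "P1002", "P1003"},
    "msmith": {"P3001"},
    "rlee": {f"P{5000 + i}" for i in range(300)},
}
# Only the clearinghouse SFTP endpoint is an approved export destination (assumed value).
APPROVED_EXPORT_TARGETS = ("sftp://clearinghouse.example",)
VOLUME_THRESHOLD = 200                   # distinct records per session before flagging
SHARED_CRED_WINDOW = timedelta(minutes=15)  # same account, two IPs inside this window

# Constructed sample log: a few hand-written events plus one generated 201-record session.
_HAND_LINES = """\
2026-03-02T09:00:05|jdoe|s1|VIEW|P1001|10.0.4.21|-
2026-03-02T09:01:10|jdoe|s1|VIEW|P1002|10.0.4.21|-
2026-03-02T09:02:00|jdoe|s1|VIEW|P2205|10.0.4.21|-
2026-03-02T09:03:30|jdoe|s1|EXPORT|P1001|10.0.4.21|usb:E:
2026-03-02T09:04:00|jdoe|s1|EXPORT|P1002|10.0.4.21|sftp://clearinghouse.example
2026-03-02T09:05:00|jdoe|s2|VIEW|P1003|203.0.113.7|-
2026-03-02T10:00:00|msmith|s3|VIEW|P3001|10.0.4.22|-"""
_BULK_LINES = "\n".join(
    f"2026-03-02T11:{i // 60:02d}:{i % 60:02d}|rlee|s4|VIEW|P{5000 + i}|10.0.4.30|-"
    for i in range(201)
)
SAMPLE_LOG = _HAND_LINES + "\n" + _BULK_LINES


def parse_log(text):
    """Turn the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, action, patient, ip, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "session": session,
                       "action": action, "patient": patient, "ip": ip, "target": target})
    return events


def find_out_of_panel(events, panels):
    """Any touch (view or export) of a record not in the coder's assigned panel."""
    return [(e["user"], e["patient"]) for e in events
            if e["patient"] not in panels.get(e["user"], set())]


def find_unapproved_exports(events, approved):
    """Exports whose destination is not on the approved allowlist (e.g. removable media)."""
    return [(e["user"], e["patient"], e["target"]) for e in events
            if e["action"] == "EXPORT" and not e["target"].startswith(approved)]


def find_shared_credentials(events, window):
    """Same account active from two different IPs within the window suggests a shared login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted by time, so nothing further is inside the window
                if first["ip"] != later["ip"]:
                    hits.add((user, first["ip"], later["ip"]))
    return sorted(hits)


def find_high_volume_sessions(events, threshold):
    """Sessions that opened more distinct records than a coder plausibly needs."""
    per_session = defaultdict(set)
    for e in events:
        if e["action"] == "VIEW":
            per_session[(e["user"], e["session"])].add(e["patient"])
    return [(u, s, len(p)) for (u, s), p in per_session.items() if len(p) > threshold]


def run_audit(text, panels=PANELS, approved=APPROVED_EXPORT_TARGETS,
              threshold=VOLUME_THRESHOLD, window=SHARED_CRED_WINDOW):
    """Produce the four finding lists a monthly log review should put in front of the compliance lead."""
    events = parse_log(text)
    return {
        "out_of_panel": find_out_of_panel(events, panels),
        "unapproved_exports": find_unapproved_exports(events, approved),
        "shared_credentials": find_shared_credentials(events, window),
        "high_volume_sessions": find_high_volume_sessions(events, threshold),
    }


if __name__ == "__main__":
    for category, findings in run_audit(SAMPLE_LOG).items():
        print(f"{category}: {findings}")
```

Each finding list is a starting point for a documented follow-up, not a verdict: an out-of-panel hit may be a legitimate query from a provider, and a high-volume session may be a bulk audit. What matters for the False Claims Act and HIPAA record is that the review ran, the exceptions were investigated, and the outcome was written down.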

Step 5: Safeguard Your Work Environment. Remote coding must meet the same security standards as on-site coding: locked screens when stepping away, approved devices only, VPN connections to the practice network, and clean-desk protocols that prevent printed PHI from being visible to household members or visitors. For practices with remote coders in NY, NJ, or CA, verify that the coder’s home setup meets both HIPAA and state-specific data protection requirements. Some practices conduct virtual workspace inspections to confirm compliance.

Step 6: Train Every Team Member. Generic HIPAA training that covers the basics without connecting them to daily tasks is ineffective for coding teams. Coders need training that covers their specific workflows: how the Minimum Necessary Rule applies to chart access, what constitutes PHI in a coded record, how to handle queries from providers without exposing unnecessary patient information, and how to report a suspected breach. Training should occur at onboarding and at least annually, with documented completion records.


Common HIPAA Violations in Medical Coding

Improper Documentation Sharing. Emailing patient records to a personal account violates the Security Rule regardless of intent. This includes forwarding a chart to a personal Gmail address “to finish coding at home,” sending a coded worksheet to a colleague via unencrypted text message, or using a consumer file-sharing service to transfer documentation between locations. Each instance creates a potential breach notification obligation under both federal HIPAA and state laws.

Unauthorized Access. Accessing records outside an assigned case queue is a violation regardless of harm. Audit logs create traceable records. A coder who opens a neighbor’s chart out of curiosity, or who looks up a coworker’s medical records, faces personal liability even if no information is shared. EHR audit reports that flag access to records outside the coder’s assigned panel should be reviewed monthly.

Using Consumer AI Tools. Staff using general-purpose AI chatbots for coding queries may transmit PHI to systems without BAAs. OCR has flagged this as a growing risk. When a coder copies a patient’s diagnosis narrative into an AI tool to get coding suggestions, that patient’s PHI has been transmitted to a third party without a BAA, without encryption guarantees, and without any assurance that the data will be deleted. This applies to any AI tool not explicitly covered by a signed BAA.

Neglecting Physical Security. Printed worksheets left in break rooms, coding reference sheets with patient names visible on desks, and unshredded documents in recycling bins all constitute PHI exposure. Remote coders face additional physical security challenges when household members or visitors can see printed records or computer screens displaying patient data.

Missing BAA with Outsourced Coders. Any third party touching PHI requires a signed BAA. This includes contract coders, offshore coding teams, coding auditors, and any software vendor whose platform processes or stores coded records. The BAA must be executed before any PHI is shared, not retroactively.

HIPAA Penalties and What They Mean for Coding Teams

  • Tier 1 (unknowing): $141 to $71,162 per violation
  • Tier 2 (reasonable cause): $1,424 to $71,162; annual cap $142,355
  • Tier 3 (willful neglect, corrected): $14,232 to $71,162; annual cap $355,878
  • Tier 4 (willful neglect, uncorrected): Up to $71,162; annual cap $2,134,831
  • Criminal: Up to $250,000 and 10 years for intentional disclosure

In 2024, OCR collected over $9.9 million across 22 settlements. Individual coders can face personal liability under both civil and criminal provisions. A coder who knowingly accesses records outside their assigned panel, or who shares PHI with unauthorized parties, faces penalties separate from those imposed on the practice.

State-Specific HIPAA Considerations for NY, NJ, and CA Practices

Each of these three states adds requirements beyond the federal HIPAA floor that directly affect coding operations.

New York: NY’s SHIELD Act (2019) already expanded data breach notification requirements beyond HIPAA. The 2025 amendment added personal health information specifically, closing a gap that previously existed for certain health data types. For coding teams, this means any breach involving coded patient records triggers both federal HIPAA notification and NY state notification requirements. Attorney General (AG) enforcement has resulted in penalties averaging $450,000 per settlement for healthcare entities (NY OAG enforcement records).

New Jersey: NJ’s privacy law adds consent requirements for geolocation data, which affects practices using location-based tools for remote coder management. P.L. 2024 extends breach notification obligations and adds provisions specific to health data. NJ Medicaid requires specific data handling procedures for outsourced coding, and practices must verify that any third-party coder meets both HIPAA and NJ-specific data protection requirements.

California: The CMIA gives patients a private right to sue for $1,000-$3,000 per violation without proving actual harm. This is significantly stricter than HIPAA, where individual lawsuits require demonstrating harm. For coding teams, a single unauthorized access incident involving 100 patient records could expose the practice to $100,000-$300,000 in CMIA liability alone, separate from HIPAA penalties. California also requires that outsourced coding vendors meet CCPA/CPRA requirements when processing California resident data. The average cost of HIPAA compliance for California healthcare entities runs approximately $11.76 per patient record annually (HealthAffairs compliance cost analysis).

How an AI Receptionist for Medical Office Connects to Coding Compliance

An AI receptionist handles calls, schedules appointments, collects demographics, and performs eligibility verification. All front-end data is PHI from the moment it is collected. When properly integrated into an EHR, data flows directly into the record coders access. Errors at the AI receptionist stage create downstream coding problems that are expensive to fix.

Consider the workflow: an AI receptionist collects a patient’s insurance information during a scheduling call. That data populates the demographic fields in the EHR. The coder later uses those fields to verify coverage and select appropriate codes. If the AI receptionist captured the wrong member ID, the claim will be denied for eligibility reasons even though the coding was correct. If the AI receptionist recorded the wrong date of birth, the payer’s system may reject the claim at the clearinghouse level.

AI receptionists that comply with HIPAA must operate under a signed BAA, use encrypted data transmission, store all collected data in HIPAA-compliant infrastructure, and integrate with approved EHR systems. For practices in NY, NJ, and CA, verify that the AI receptionist vendor meets state-specific data protection requirements in addition to federal HIPAA standards. The coding compliance chain runs from the first patient interaction through final claim adjudication, and every link in that chain must maintain PHI protections.

Outsourced Medical Coding and HIPAA: What to Look For

Every outsourced medical coding vendor must meet these baselines before sharing a single patient record:

  1. Signed BAA. Legally required before any PHI sharing.
  2. Documented security controls. Encryption, MFA, access logs. Ask for SOC 2 Type II or HITRUST certification.
  3. HIPAA-specific workforce training. All staff accessing PHI trained within the last 12 months.
  4. Incident response procedures. Notification timelines tightened to 30 days under 2025 rules.
  5. Coding accuracy rates. Inaccurate codes create unnecessary PHI exposure through correction workflows.

Staffingly serves 800+ providers with a 99.2% clean claim rate. Every engagement includes a BAA and SOC 2 Type II/HIPAA-compliant infrastructure. All coders complete HIPAA-specific training before accessing any client data, with annual refreshers and documented completion records available for audit. For practices in NY, NJ, and CA, Staffingly’s compliance framework covers both federal HIPAA requirements and each state’s additional data protection standards, including CMIA for California clients and SHIELD Act obligations for New York clients.

How AI Is Changing HIPAA-Compliant Medical Coding in 2026

Risk: Staff using non-approved AI tools likely transmit PHI to systems without HIPAA controls.

Benefit: Properly configured AI reduces coding errors by up to 40% and improves productivity by 30-65% (AAPC). Fewer errors mean fewer PHI corrections and fewer unauthorized access opportunities.

The 2026 model: AI handles first pass on routine CPT and ICD-10 assignment. A credentialed human coder reviews output, resolves complex cases, and conducts audits. CMS is expected to release draft guidance on autonomous coding systems in FY 2026 IPPS. For practices implementing AI coding tools, the HIPAA compliance checklist includes: a signed BAA with the AI vendor, confirmation that the AI processes PHI in a HIPAA-compliant environment, documentation that all data transmitted to the AI is encrypted in transit and at rest, a policy defining which AI tools are approved for coding use and which are prohibited, and training for all coders on the difference between approved AI platforms and consumer tools that lack HIPAA protections.

FAQ Section

Q: What is medical billing, and why does HIPAA apply? A: Medical billing is submitting claims and collecting reimbursement. HIPAA applies because billing involves transmitting PHI electronically between providers and payers.

Q: Can medical coders be held personally responsible? A: Yes. Individual coders face personal civil and criminal penalties for violations within their control.

Q: Do ICD-10 and CPT codes count as PHI? A: Alone, no. But once linked to any of the 18 HIPAA-defined identifiers, the entire record is PHI.

Q: Are outsourced coding services HIPAA-compliant? A: Reputable vendors operate with full compliance. Verify: signed BAA, documented security controls, evidence of HIPAA workforce training. SOC 2 Type II or HITRUST provides independent validation.

Q: What happens if a HIPAA breach occurs in coding? A: Notify affected individuals in writing, report to HHS OCR, and for breaches affecting 500+, notify media. Penalties range from $141 per violation to $2.1 million annually for uncorrected willful neglect.

Q: How do NY, NJ, and CA add to HIPAA requirements? A: NY’s 2025 amendment added personal health information to breach notification. CA’s CMIA gives patients a private right to sue without proving harm. NJ’s privacy law adds consent requirements for geolocation data.

Q: Can an AI receptionist create HIPAA risks in coding? A: Yes, if it lacks a BAA or uses non-compliant storage. A properly integrated, HIPAA-compliant AI receptionist improves data accuracy at intake, reducing coding errors downstream.
