Clarifying HIPAA and Medicare Claims: What Covered Entities Must Do Today
HIPAA Compliance for Medicare Claims
Protect Protected Health Information (PHI) end-to-end
You handle Protected Health Information every time you create, transmit, or store a Medicare claim. Apply the minimum necessary standard, restrict access with role-based controls, and maintain audit logs that show who viewed or changed claim data. Encrypt PHI in transit and at rest, and secure your remote and on‑premises environments with strong authentication and timeout policies.
Confirm Business Associate Agreements with billing services, clearinghouses, and other vendors that touch PHI. Train your workforce on privacy and security incidents, and keep written procedures for breach response, patient rights, and documentation retention that align with federal and state requirements.
Use standard transactions and standardized code sets
Submit the HIPAA-standard transactions (for example, the 837 claim and 835 remittance) through Electronic Data Interchange. Populate every claim with your NPI and use standardized code sets such as ICD-10-CM diagnoses, CPT/HCPCS procedure codes, and NDCs when applicable. Consistent use of standardized code sets reduces front-end rejections and speeds payment.
Governance that stands up to audits
Perform periodic risk analyses, keep an inventory of systems that process PHI, and document technical safeguards. Align intake workflows so staff capture Medicare Secondary Payer information accurately, which prevents downstream overpayments and recovery actions. Keep evidence of policy reviews, training, and monitoring to demonstrate continuous compliance.
Electronic Data Interchange Enrollment
Who must enroll
If you submit or receive HIPAA transactions for Medicare, you or your billing partner must enroll with your Medicare Administrative Contractor’s EDI department. Enrollment typically covers claim submission (837), eligibility (270/271), claim status (276/277), and remittance advice (835).
How to enroll successfully
Complete the EDI enrollment and Trading Partner Agreement for each MAC you bill. Obtain submitter and receiver IDs, choose your connectivity method (for example, SFTP or AS2), and designate whether you or a clearinghouse will transmit. Test your files to confirm segment compliance and that you can interpret acknowledgments like 999 and 277CA.
Coordinate with your practice management or hospital information system so patient demographics, insurance, and authorization data map correctly into the EDI file. Validate that secondary payer data, referring provider NPIs, and service-level details flow without manual fixes.
Maintain credentials and readiness
Track revalidations, password rotations, and contact changes. Re-test when you change software, upgrade formats, or add locations and NPIs. Monitor rejection rates and build dashboards so you can intervene quickly when clearinghouse edits spike or payer acknowledgments indicate systemic issues.
Mandatory Electronic Claims Submission
What the rule requires in practice
Medicare generally requires you to submit claims electronically. Build your workflow around the HIPAA-standard 837 for professional, institutional, and DMEPOS claims, and reconcile payments with the 835. Electronic submissions shorten cycle times, reduce keying errors, and help you meet timely filing limits.
Operational controls that prevent denials
Validate insurance eligibility and benefits before service and again at claim creation. Use standardized code sets consistently and ensure attending, rendering, and ordering NPIs are present and correct. Resolve front-end edits, review payer-specific rules, and track each claim through acknowledgment, adjudication, and payment to closure.
Understanding the Indirect Payment Procedure
You must still file a Medicare claim even if you do not accept assignment. Under the Indirect Payment Procedure, Medicare typically pays the beneficiary, not you, while you may collect allowed amounts consistent with program rules. Submitting the claim electronically remains the default unless a valid exception applies.
Exceptions to Electronic Claims Requirement
Small provider or supplier status
Medicare permits a paper-claim exception for entities that meet CMS’s definition of a small provider or supplier. Confirm your status and keep documentation on file, since contractors can request evidence during reviews.
Unusual circumstances and system limitations
Temporary exceptions can apply when natural disasters, prolonged system outages, or payer system limitations prevent Electronic Data Interchange. Obtain written approval or follow your MAC’s waiver process, and resume electronic claims as soon as feasible.
Attachments and special documentation
Some claims may require documentation that is not supported in the standard claim transaction. Follow your MAC’s instructions for submitting requested attachments or additional records through approved channels, and reference the claim identifiers so adjudicators can match records promptly.
Requesting and managing waivers
When you seek an exception, file the request with your MAC, describe the reason and duration, and keep the approval letter with your compliance files. Calendar the expiration date so you return to electronic submissions on time.
Enforcement of MMSEA 111 Reporting Compliance
Why Section 111 matters to your claims
MMSEA 111 Reporting under the Medicare Secondary Payer framework ensures Medicare pays only after any primary coverage. Inaccurate or missing reports can lead to recovery demands, coordination-of-benefits delays, and claim rejections. Capture other coverage details during registration and update them whenever patients’ insurance changes.
Who reports and what is reported
Responsible Reporting Entities—group health plans and certain non-group health plans such as liability, no-fault, and workers’ compensation—must report coverage and payment events. Common data include active coverage, ongoing responsibility for medicals, and total payment obligations to claimants. Accurate identifiers and dates are essential for proper matching.
Penalties and risk management
CMS may impose Civil Monetary Penalties for failing to report, for untimely reporting, or for reporting with a reckless disregard for accuracy. Penalties are set by regulation and adjusted periodically, so you should review updates, align reporting calendars, and validate data quality to reduce exposure.
A practical compliance playbook
- Standardize your Medicare Secondary Payer questionnaire at intake and on each eligibility check.
- Integrate claims, EDI, and Section 111 systems so coverage changes automatically trigger updates.
- Monitor acknowledgments and error feeds, correct mismatches quickly, and keep an audit trail.
- Assign a single owner for MMSEA 111 Reporting, with backups, escalation paths, and board-level visibility.
Conclusion
To stay compliant today, protect PHI rigorously, use standardized transactions and code sets, complete and maintain EDI enrollment, and submit claims electronically unless you qualify for a documented exception. Build MSP and MMSEA 111 processes that synchronize with claims so Medicare pays in the right order and you avoid Civil Monetary Penalties. Strong governance and disciplined operations turn these obligations into faster, cleaner reimbursements.
FAQs
What are the HIPAA requirements for submitting Medicare claims?
You must safeguard Protected Health Information, use HIPAA-standard EDI transactions like the 837 and 835, and code services with standardized code sets (ICD-10-CM, CPT/HCPCS, and when applicable NDC). Ensure NPIs and other identifiers are correct, limit access to PHI, log disclosures, and maintain BAAs and policies that support privacy, security, and breach response.
When must covered entities enroll for electronic data interchange?
Enroll before sending or receiving HIPAA transactions with Medicare. Complete your MAC’s EDI and Trading Partner forms, obtain submitter/receiver IDs, test files and acknowledgments, and keep credentials current—especially when you change software, locations, NPIs, or billing partners.
Are there exceptions to mandatory electronic Medicare claims submission?
Yes. CMS recognizes exceptions such as qualifying small providers or suppliers and certain unusual circumstances (for example, disasters or system limitations). You must request or document the exception with your MAC and return to Electronic Data Interchange as soon as conditions allow.
What penalties apply for non-compliance with MMSEA 111 reporting?
CMS may assess Civil Monetary Penalties for failing to submit accurate and timely MMSEA 111 Reporting. Penalty amounts and criteria are defined by regulation and updated periodically, so you should monitor CMS guidance, validate data quality, and keep complete records of reporting activity and corrections.