Anesthesia Coding Alert

Follow this checklist to be prepared before the audit letter arrives.

As HIPAA audit frequency ramps up, it’s more important than ever for physicians and practices to be prepared for the inevitable visit. Use this checklist to get all your documents in place now – and save yourself from scrambling to collect everything at the last minute.

Auditors can ask for information that falls into four categories: HIPAA security, technical safeguards, HIPAA privacy, and HITECH. Here’s the specific documentation that auditors can ask for, according to an issue brief by Susan A. Miller, JD of Malvern, PA-based Malvern Group Incorporated.

HIPAA Security

• Security Officer contact information (name, email, phone, address, and admin contact info)
• Administrative Safeguards:
• Entity-Level Risk Assessment
• Organization Chart
• Information Security Policies, specifically those documenting security management practices and processes such as:

o Access control
o Data protection
o Acceptable use
o Workstation security
o Workforce/HR security
o Sanction procedures

• Security Incident Management Plan
• Business Continuity/Disaster Recovery Plan
• Data backup and recovery procedures
• Physical security policies and procedures
• Data destruction and media reuse procedures

Technical Safeguards:

• Encryption policies and procedures
• Management’s internal control/internal audit policies and procedures relative to monitoring IT safeguards
• System-generated user access listing of all individuals with access to systems housing ePHI
• System-generated listing of all New Hires within the past year
• User authentication policies and procedures

HIPAA Privacy

• Privacy Officer contact information (name, email, phone, address, and admin contact info)
• Privacy Policy and Notice of Privacy Practices
• Privacy practices documentation including:

o Use and Disclosure
o Rights to Request Privacy Information
o Right to Request Privacy Protection of PHI
o Access of Individuals to PHI
o Denial of Access to PHI procedures
o Amendment of PHI
o Accounting of Disclosures of PHI
o Administrative Requirements
o Transition Provisions

• Training documentation for employees over Privacy Practices and organization training policies
• Policies and procedures in place over administrative, technical and physical safeguards over all forms of PHI
• Complaint handling policies and procedures
• Population of complaints over Privacy Practices made within the past year (Complaint Log)
• Sanction and disciplinary policies and procedures over privacy violations
• Mitigation and disciplinary policies and procedures for when a breach occurs
• Anti-intimidation/anti-retaliation policies and procedures
• Policies and procedures over Uses and Disclosures of PHI, including:

o Deceased individuals
o Personal representatives
o Confidential communication
o Business associate contract requirements
o Health Plan documentation requirements
o Treatment, payment, and/or operation
o Consent and authorization requirements
o Judicial or administrative proceeding requirements
o Research requirements
o Approval or waiver requirements
o De-identification/re-identification of PHI procedures
o Restriction of PHI
o Minimum necessary requirements
o Limited information provided for fundraising purposes
o Healthcare underwriting requirements
o Identity verification procedures of individuals requesting PHI.

HITECH

• Breach notification processes and capabilities
• Entity-level risk assessment documentation

Source: Susan A. Miller, JD, Malvern Group: “Issue Brief: OCR Audit Documentation Requests — What We Know Now.” www.malverngroup.com/uploads/OCR_Audit_Document_Request_Brief_20120424_v_2.pdf.