Pediatric Coding Alert
Will HIPAA Audits Focus on Risk Management?
Question: We read your article on the upcoming HIPAA audits with great interest, but we have a follow-up question. We’ve heard that the audits will focus a lot on risk assessments. Is this true?
Answer: Although the 2016 HHS Office for Civil Rights (OCR) audit protocol covers more of the HIPAA regulations than the prior protocols, risk management is certainly a big focus.
In the 2012 audit protocol, OCR didn’t even have an audit inquiry for risk management — but the 2016 protocol now does, according to an April 11 blog posting by Bob Chaput, CEO and founder of Clearwater Compliance LLC. “Not only will the auditors be looking for policies and procedures for a risk management process, but also the details of how risk will be managed, by whom, how often, and documentation of management’s acceptable level of risk.”
Auditors will also want evidence that you’ve implemented security measures as a result of your risk analysis, and that those measures are sufficient to mitigate or remediate identified risks to an acceptable level according to the risk rating, Chaput said.
Another new audit inquiry for 2016 is assessing “criticality” of specific applications and data with respect to other components of your contingency plan, Chaput stated. Auditors will specifically review your policies and procedures for assessing application and data criticality, and then review the list of critical electronic protected health information (ePHI) applications and the criticality levels you assigned to them.
The protocol provides that the auditors must ensure that the assigned criticality levels “should have been categorized based on importance to business needs or patient care, in order to prioritize for data backup, disaster recovery, and emergency operations plans.”
Beware: Overall, the audit processes related to risk management “have become significantly more comprehensive,” Chaput warned. “Now, in addition to looking for the who, what and how in the policies and procedures, audits will be requesting evidence of management’s involvement in determining an acceptable level of risk, risk-rating registers, and a determination of the sufficiency of security measures put in place for mitigating or remediating identified risks.”
Related Articles
Pediatric Coding Alert
- Benchmarking:
Compare Your Pediatric Coding Trends to These National Averages
Crunch these numbers to find out where you stand among other pediatricians. Most pediatricians know [...] - E/M Services:
Transitional Care Management Income Could Be Moving Faster Into Your Accounts
You no longer need to wait 30 days to submit transitional care management claims, new [...] - You Be the Coder:
Pediatricians Will Rarely Report 99177
Question: Is 99177 valid for 2016? What’s the difference between this code and 99174? Codify Subscriber [...] - Reader Question:
Know the Acceptable Documentation Formats
Question: Our pediatrician circled 99213 on his chart, but the only note in the records is [...] - Reader Question:
Ask for Medical Policy
Question: I contacted my insurer and asked how they prefer me to submit codes for a [...] - Reader Question:
Will HIPAA Audits Focus on Risk Management?
Question: We read your article on the upcoming HIPAA audits with great interest, but we have [...]
