Don’t worry: You aren’t required to follow a certain form. Forms and rule sets are an everyday part of coding and billing, but there’s one important practice checkpoint where your group can be original: assessing your compliance risk.

Surprised to learn that there aren’t specific guidelines, forms, or templates you’re expected to follow? As strange as it might sound in the world of regulations, it’s true. The HHS Office for Civil Rights (OCR) offers templates for many aspects of practice but has no set formula or outline for risk analysis documentation.

Here’s why: Your risk analysis process may look entirely different from another provider’s approach, though you’ll probably share some similarities if you plan on covering all of the HIPAA Security Rule requirements in your protocols. Plus, if you want to stay in the OCR’s good graces, you’ll need to thoroughly document your risks — and how you plan to manage them.

“It’s very difficult to have a standardized, one-size-fits-all kind of approach,” says HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. “Every organization is different and has a different way of approaching [its] risk analysis.”

You must have procedures for reporting, processing, and responding to suspected or known information security risks and incidents, Sheldon-Dean stresses. These procedures are essential for investigating, mitigating, and documenting your current risks and possible future security incidents, so that you can appropriately report and promptly handle violations and breaches — and the more comprehensive your finalized documentation, the better.

Reminder: Though a specific format isn’t required, “the risk analysis documentation is a direct input to the risk management process,” OCR cautions in its Security Rule summary.