HIPAA Authorizations

Does your office disclose patient information properly?  The following list can be used to determine if a records request meets HIPAA’s requirements for a valid authorization.

Does the authorization contain:

  • Patient’s name
  • Type of information to be disclosed
  • Name of the provider from whom the information is being requested
  • Name of the recipient of the information
  • Purpose for the disclosure
  • Signature of patient (or legal representative and their relationship)
  • Date of signature
  • Effective date and expiration date or event
  • Statement informing the patient of their right to revoke the authorization
  • Statement that the patient may inspect or copy the information disclosed
  • Statement regarding any assessment of fees for providing the copy


This list may not be all-inclusive.  There may be additional elements required by state law. 


HIPAA requires that the authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.  Examples provided by the Department of Health and Human Services include “one year from the date the Authorization is signed”; “upon the minor’s age of majority”.


An Authorization remains in effect until its expiration date, expiration event or until the individual revokes it in writing. 


Be aware of both incoming records requests and the forms that your office uses to request records! 


Chiropractic CBR

According to Safeguard Services, all providers who received the original 2010 CBR are being sent a new, updated report.  This new report shows the original 2009 data and compares it to the provider's 2011 data.  It is being used to contrast and compare where you were - to where you are.

The CBR contains the same graphs as the original: Average Number of Services per Beneficiary by CPT and Number of Beneficiaries by Three Categories of Distinct Diagnoses.  It compares your 2011 data to the whole of the State and National providers.  The differences - and the value - lie in the tables supporting the graphs.

These tables show a comparison of your 2009 services to your 2011 services.  If you received a CBR in 2010, you did so because your practice was statistically different from that of your state and national peers.  This new report gives those providers a glimpse into how their practice has changed since that original report.  You can view an example of the original CBR here.

If your utilization remains substantially higher than that of your state and national peers, it may be an indication of an area of concern.  It may warrant some additional steps.

Consider a Chart Audit to review your billing and coding patterns.  Using published guidelines, a Certified Professional Coder and Medical Compliance Specialist (with Chiropractic Proficiency) will review your notes.  You will receive a detailed, written review of your documentation with areas for improvement clearly identified.  For more information about the process and cost, send a note to terry@cstonemedical.com.



OIG Reveals HIPAA Audit Results

The Office of Civil Rights has completed the first 20 HIPAA audits.  In this first round of audits were 8 health plans, 10 provider offices and 2 clearinghouses.  As you might expect, smaller entities had more issues than larger entities and providers are the group lagging farthest behind. 

In an effort to learn from those who were lucky enough to experience the first 20 audits, let's look at what OIG discovered about HIPAA compliance.


Healthcare provider offices had 81% of the deficiencies noted and contained both privacy and security violations.  The majority of issues identified by the audits related to the security rule.  The most common security issues identified include the lack of:

  • User activity monitoring
  • Contingency planning
  • Risk Assessment
  • Encryption


Some common privacy issues include:

  • Missing review process when patients are denied access to records
  • Failing to provide patients appropriate access to records
  • Missing policies and procedures
  • Incorrect use and disclosure of deceased individuals' information
  • Missing or invalid business associate agreements
  • Problems with the Notice of Privacy Practice


OIG has stated that those entities audited in the first round will not have sanctions imposed.  There are an additional 75 audits planned in 2012 and those selected entities will be given 15 days to respond to the OIG’s request for information.


What can you do in your office to prepare? 


The first step is to conduct a comprehensive review and risk assessment of your environment.  This includes an asset inventory and mapping the movement of protected health information within your organization and to external sources.  This risk analysis should be done “periodically” or at least annually.


If you have an existing HIPAA manual, review it and make sure it’s updated with the changes from HITECH.  Make sure that your manual addresses the administrative, physical and technical controls required by HIPAA.


If you are without a HIPAA manual, consider purchasing or hiring a consultant to audit your office and prepare a custom manual for you.


Train your staff on HIPAA regulations, as well as your internal policies and procedures.


For those offices participating in the Medicare EHR Incentive program, part of your attestation includes attesting to having conducted a “security risk analysis in accordance with requirements under 45 CFR 164.308(a)(1)…”.  If your office hasn’t performed a full risk analysis, your attestation may be invalid and your incentive money at risk.


Check out our archived articles for more information on HIPAA related regulations.  For assistance with any compliance related need, contact us.  We’re happy to help.
