PRACTICE MANAGEMENT
HELPFUL INFORMATION FOR
PHYSICIANS AND PRACTICE
MANAGERS
By Diane K. Shaw, Esq., Shaw & Associates
HIPAA compliance remains an
ongoing issue. As such, the following
checklist is helpful to ensure
compliance. If there is anything
on this list that you and/or your
practice manager are not familiar with, please
look up the details by using the sites below or
your own source.
HIPAA Checklist for Security, Privacy
and Breach
1. Risk Assessment Documentation.
2. HIPAA Oversight and Training (must show
as ongoing).
3. System Access Protocols.
4. Business Associate Agreements and
Confidentiality Agreements.
5. Facility Access and Maintenance.
6. Breach – Risk Assessment, Sanctions,
Notifications.
7. Technical Access and Control: Encryption,
Integrity, Accessibility.
8. ePHI Encryption and Disposal.
9. Security Threat Assessment: Environment,
Human, Natural, Technology, Other.
10. Release of Information – Privacy Rule.
11. Patient Rights regarding Disclosures, Privacy,
Correction, Restriction and more.
12. Designation of Privacy/Security Official.
A form for HIPAA compliance consent is
available as an example to minimize risk when
texts or emails are used. If the patient signs the
consent form, the patient also assumes the risk
of unexpected HIPAA breach due to the use of
technology.
Upon receipt of an audit letter, physicians
should contact their malpractice insurance
claims representative. Insurance companies
have med-pay limits for regulatory matters
that are typically $50,000.00 to $100,000.00.
Med-pay limits are also applicable to HIPAA
compliance issues discussed above, as well as
Texas Medical Board (TMB) issues discussed
below.
Checklist for audit responses
1. CPT Code/explanation.
2. CPT Assistant Publications, LCD, NCD,
educational material for each audit issue
that was denied.
3. Response/Appeal letter that cites page
number of each beneficiary’s records,
which complies with elements of
documentation/information required in #2.
4. Each date of service challenged must
be addressed separately with comments
(1,2,3).
5. Physicians may need:
• Addendum (current dates)
• Affidavit (procedure, medical necessity,
documentation/information required
in #2)
• Signature compliance
6. CMS consulting opinion.
7. A separate response packet for each
beneficiary is necessary, even though CMS
has a spreadsheet that has addressed all
issues.
• Exception: Agreement that a representative
sample (5-10% out of 500) is
acceptable.
• If using sample, make sure it is a thorough
representation with detailed
explanations on specifics of each.
Each insurance company has its own
language for coverage. It may provide a list
of attorneys that can help, or the physician
chooses the attorney and is reimbursed at an
agreed-upon rate.
The Texas Medical Board is required to investigate
any and every complaint. The original/first
response must be aggressive to show why
the complaint should be dismissed. An aggressive
response equates to dismissal 95 percent of
the time.
Checklist for Board Complaint
Response Packet
1. Letter of representation to the Board.
2. Business Associate Agreement/HIPAA
compliance Agreement.
3. A retainer letter to the doctor, which protects
the doctor.
4. Calendar deadlines with reminders.
5. Obtain documents from physician: medical,
billing, phone, texts, email records and
patient portal notes.
6. Obtain a narrative from physician.
7. If others are involved, obtain their statements.
Statements from business partners
are helpful as well.
8. Bates stamp records and prepare medical
chronology.
9. Any standard of care complaints must be
reviewed by an expert.
10. Medical literature is required if it’s out there
(medical illustration should be considered
if it’s helpful for review by non-physicians
at the Board).
11. Attorney response letter citing to page
numbers and all exhibits.
Understand, the first level of review will not
or may not be by physician(s), NP(s), etc. So, we
make it as simple to understand “why we win”
as possible.
The Texas Medical Board is using Texas
Administrative Code Title 22 Part 9 Chapter
165.1 “Medical Records,” to attempt to set a
STANDARD OF CARE. BEWARE. Please review
Chapter 165.1 and note the list of 13 categories
and multiple subcategories for “adequate”
medical records. Category 13 states that the
board acknowledges that documentation may
vary due to type of service, place of service
and the patient status. Traditionally, documentation
does not treat patients and this
SHOULD NOT be a standard of care issue. (See
TX.A.Code 165.1)
For links to all checklists mentioned, tune in
to the DCMS YouTube Channel on Thursday, April
21, at 7pm for the next DCMS Connect Virtual
Speaker Series featuring a Legal Roundtable.
You can also contact Shaw & Associates at
www.dkshaw.com/ directly for more information
on the information and checklists in this
article. DMJ
20 | DALLAS MEDICAL JOURNAL • April 2022