The final Omnibus Rule of 2013 requires all covered entities and business associates to perform a HIPAA Risk Analysis/Assessment and implement written policies and procedures.
HIPAA Privacy Rule 164.530(i) - Implement policies and procedures regarding PHI that are designed to comply with the Privacy Rule
HIPAA Security Rule 164.316(a) - Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements
HIPAA Security Rule 164.316(b)(1) - Maintain the policies and procedures implemented to comply with the HIPAA Security Rule
The OIG (Office of Inspector General) lists risk areas affecting physician practices: (a) coding and billing; (b) reasonable and necessary services; (c) documentation. An audit of 10 randomly selected medical records should be performed each year to ensure that the coding and documentation were performed accurately.