CMA: Using PrivaPlan as an Auditing Tool

Disclaimer: CMA/PrivaPlan PrivaGuide: Using PrivaPlan as a HIPAA Auditing Tool.

The information provided in this document does not constitute, and is no substitute for, legal or other professional advice. Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.

PrivaGuide: Using PrivaPlan as a HIPAA Auditing Tool—Physicians and Other Health Care Providers
By David Ginsberg and Leia Ginsberg, RN, BSN, ANP, DNP



Although many providers have attempted to meet the HIPAA Privacy requirements by the April 14, 2003 deadline, it can be difficult to determine whether or not you have met all the regulations.  In addition, just as with all federal regulations, HIPAA is an ongoing process that requires work long after the initial compliance date.


Specifically, you need to ensure that you have all of the required forms, policies and procedures, and appropriate staff training in place to make certain that you are prepared to handle any situation relating to HIPAA in your organization.  Many health care providers think that simply completing and posting a Notice of Privacy Practices satisfies the privacy regulation. In fact, there are specific requirements for policies and procedures, training, and regulatory updates (among other items) that must be accomplished. Even completing a Notice of Privacy Practices requires a reasonable assessment of the uses and disclosures of protected health information for each covered entity, and cannot be satisfied simply by placing your contact information on a template document! Use this PrivaGuide to assist you in auditing your practice’s or organization’s HIPAA compliance plan using the PrivaPlan Stat methodology.


How to do this:

In this section we document some practical suggestions to assure that you are meeting the core HIPAA privacy requirements. The steps in this PrivaGuide will help you audit your compliance project in your own organization and, if any gaps are found, to put in place a corrective step.  In addition, you will be able to use these tools to perform ongoing audits that will allow you to maintain compliance in the future.

Implementation Procedure – Which steps HAVE you accomplished?

You should start by reviewing the “Road Map checklist” below. This is a compilation of forms, policies and procedures, and training suggestions created using the PrivaPlan Resource Kit. Generally, you should have a customized version of each of these forms (they do not need to be the PrivaPlan-specific versions but should be similar), as well as completed policies and procedures that meet each of the requirements of Privacy compliance.  Indicate on the checklist whether or not these have been completed, or “don’t know” if you are unsure.  Once you have completed this checklist, you can quickly assess what the next steps will be, if any.

HIPAA Compliance Road Map: Assess your completion using PrivaPlan Stat

Use this document to assess your completion.  Each document is referenced to a specific Stat step.  Once you have completed your assessment, you will easily be able to return to Stat to fix the gaps.  Please print it and check the “Done” boxes for each task that you have completed in your organization, or “don’t know” if you are unsure.  If you need to view the document to compare it to your own, simply click on the link to go directly to that document.


Now that you have completed your formal audit using the PrivaPlan Stat methodology, you can quickly determine which areas of your compliance program need to be addressed.


Maintenance Procedure–Initial Audit


After you have completed the Road Map, you should have a good idea of the areas that need to be addressed. You should then:


Go to the PrivaPlan Stat step indicated in the road map and read through the contents of that step. Then, link to the appropriate PrivaGuide for instructions on how to complete the required elements of the Stat step. Each Stat step will create a form and customize a part of your policies and procedures.
Review the Quick Reference HIPAA Compliance Checklist (Audit Checklist) to identify any areas that might require further attention.

Maintenance Procedure–Ongoing Audits

Use the Quick Reference HIPAA Compliance Checklist (Audit Checklist) on a periodic basis to assess operational changes and other circumstances that often require an update to your privacy policy and to your compliance plan.  It is a good practice to schedule a routine audit to assess your compliance, as well as to review any new regulations that have been published.  You can check your PrivaPlan updates at this time to review any new information that relates to your practice.


About the Authors

David Ginsberg

Mr. Ginsberg is President and co-founder of PrivaPlan Associates, Inc.  He is a healthcare consultant with over 25 years of experience. Most recently he organized and is Executive Director of the Colorado Physician Network, a statewide network of 2500 physicians. Mr. Ginsberg was also Vice President of Intellectron/Medcobill, a large regional physician practice management and billing company providing services to over 1000 physicians in California. During his time with Intellectron/Medcobill he implemented the second Medicare electronic claims transmission program of its kind and pioneered an EDI solution for Medicaid.

Mr. Ginsberg has expertise in managed care operations, IPA development, physician-hospital strategic planning, practice management consulting, and compliance issues.


Mr. Ginsberg can be contacted at David A. Ginsberg Consulting, 3 Monte Alto Way, Santa Fe, NM 87508.  Telephone:  877-218-7707.

Leia Ginsberg, RN, BSN, ANP, DNP

Leia Ginsberg is the Director of Product Support and Development for PrivaPlan Associates, Inc.  She has expertise in customer service as well as a first-hand understanding of the medical industry, holding a doctorate as an Adult Nurse Practitioner.  In addition, she has managed a medical practice and coordinated clinical research for a small practice, during which time she came head-to-head with the challenges facing the industry, from insurance contracts and finances to growing patient dissatisfaction in an increasingly regulated and misunderstood trade.  She has also worked with both the Internet and insurance industries, helping to create a .com service that would communicate insurance benefits to a wide audience with little or no familiarity.

.  Or, you may email her anytime at
